Announce: Puppet Server 2.2.0 available!

[Jeremy Barlow]

Puppet Server 2.2.0 is now available.

This is a feature release which, based on contributions from Brice Figureau, introduces a new Clojure-based auth.conf for Puppet Server.  This initiative was previously described in the "RFC 22: HTTP Authorization Framework" thread here:

https://groups.google.com/forum/#!topic/puppet-dev/I4GVsA46C5g

For more information on the new Clojure-based auth.conf, see:

http://docs.puppetlabs.com/puppetserver/2.2/config_file_auth.html

Big shout-outs to Brice and to those who provided feedback through the RFC process to make this feature a reality.

This release also contains a fix for the following memory leak issue:

• SERVER-1006 - jruby instances flushed by max-requests-per-instance do not get unregistered from pool

See the complete release notes for details about these changes:

https://docs.puppetlabs.com/puppetserver/2.2/release_notes.html

For a list of all changes in this release, check out the JIRA page:

https://tickets.puppetlabs.com/browse/SERVER/fixforversion/14343

EOF

[Ellison Marks]

As I didn't see it in the documentation there, is there any documentation on migrating settings from the old format and file to the new one?

[Jeremy Barlow]

On Friday, November 20, 2015 at 3:43:38 PM UTC-8, Ellison Marks wrote:

As I didn't see it in the documentation there, is there any documentation on migrating settings from the old format and file to the new one?

The documentation under http://docs.puppetlabs.com/puppetserver/2.2/config_file_auth.html is intended to provide information on migrating from the old format to the new one.

For example, assuming you were starting with a custom rule definition in the "/etc/puppetlabs/puppet/auth.conf" file which looks something like this...

 path ~ ^/puppet/v3/catalog/([^/]+)$
 method find
 auth yes
 allow $1, myadminhost
 
 ...

... you would likely end up with a representation of the same rule in the new format under "/etc/puppetlabs/puppetserver/conf.d/auth.conf" which looks something like this...

authorization: {
  version: 1
  rules: [
    {
      match-request: {
        path: "^/puppet/v3/catalog/([^/]+)"
        type: regex
        method: [get, post]
      }
      allow: ["$1", "myadminhost"]
      sort-order: 200
      name: "my catalog"
    },
  …
}

The "Parameters" section in the "config_file_auth.html" page shows how individual parts of each rule were represented in the old vs. the new format.

You might also take a look at the release's "Deprecated Features" page, as it covers some of the details involved in how you can enable configuration settings to utilize the new format.

If you were looking for even more detailed information on each of the settings in the new rule format, you could also look here: https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md.

Does this help?  Was there other information you were looking for that you don't see covered?

[Ellison Marks]

This was the missing information for me. Looking again on the auth.conf page, there is one link to that page, but it's down at the bottom of the allow-header-cert-info section. The writeup on the old auth.conf seems much more clear on how to use it: https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html.

On Saturday, November 21, 2015 at 9:19:54 AM UTC-8, Jeremy Barlow wrote:

...

If you were looking for even more detailed information on each of the settings in the new rule format, you could also look here: https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md.

...

[Jeremy Barlow]

I'm glad that link was helpful for you and sorry again that the existing documentation was confusing.  We did recently update the http://docs.puppetlabs.com/puppetserver/latest/config_file_auth.html page with more of the detailed settings content.  Any further feedback you might have on that is definitely welcome.