auth.conf & namespaceauth.conf: which files belong on the master, and client?

Jed

Feb 22, 2011, 4:29:18 PM
to Puppet Users
I'm trying to wrap my head around these files...

do both of them need to reside on the client and master?

are there any docs that describe these files and what all the option/
sections are and what they do?

Thanks all....

Denmat

Feb 22, 2011, 4:58:51 PM
to puppet...@googlegroups.com
I think only on master. This might help you further.
http://docs.puppetlabs.com/guides/security.html


Jed

Feb 22, 2011, 5:58:28 PM
to Puppet Users
Thanks Denmat...

I've seen the page already, but it's so vague...

it doesn't mention anywhere what files belong where...

I gather auth.conf would need to be on the puppetmaster...

however, from what it says about namespaceauth.conf, it seems that
needs to live on the puppet client machines....

not sure....

On Feb 22, 4:58 pm, Denmat <tu2bg...@gmail.com> wrote:
> I think only on master. This might help you further. http://docs.puppetlabs.com/guides/security.html

Douglas Garstang

Feb 22, 2011, 6:44:55 PM
to puppet...@googlegroups.com
On Tue, Feb 22, 2011 at 2:58 PM, Jed <jedb...@gmail.com> wrote:
> Thanks Denmat...
>
> I've seen the page already, but it's so vague...
>
> it doesn't mention anywhere what files belong where...
>
> I gather auth.conf would need to be on the puppetmaster...
>
> however, from what it says about namespaceauth.conf, it seems that
> needs to live on the puppet client machines....
>
> not sure....
>
> On Feb 22, 4:58 pm, Denmat <tu2bg...@gmail.com> wrote:
> > I think only on master. This might help you further. http://docs.puppetlabs.com/guides/security.html
> >
> > On 23/02/2011, at 8:29, Jed <jedbl...@gmail.com> wrote:
> >
> > > I'm trying to wrap my head around these files...
> >
> > > do both of them need to reside on the client and master?
> >
> > > are there any docs that describe these files and what all the option/
> > > sections are and what they do?
> >
> > > Thanks all....

Yeah, it is horribly confusing isn't it. Glad it's not just me that can't quite work it out.

Doug
 

tu2B...@gmail.com

Feb 22, 2011, 7:20:14 PM
to puppet...@googlegroups.com
From the docs:
----------------------------
auth.conf

rest_authconfig = $confdir/auth.conf

The auth.conf doesn’t exist by default, but Puppet has some default settings that will be put in place if you don’t create an auth.conf. You’ll see these settings if you run your puppetmaster in debug mode and then connect with a client.
---------------------------
namespaceauth.conf

authconfig = $confdir/namespaceauth.conf

This file controls the http connections to the puppet agent. It is necessary to start the puppet agent with the listen true option.

There’s an example namespaceauth.conf file in the puppet source in conf/namespaceauth.conf.
----------------------------

auth.conf: controls access to puppetmaster - lives on puppetmaster

namespaceauth.conf: bit harder to discern from doco and the link to the example returns 404. (points to old reductivelabs github)
https://github.com/puppetlabs/puppet/blob/master/conf/namespaceauth.conf

# This is an example namespaceauth.conf file,
# which you'll need if you want to start a client
# in --listen mode.
[fileserver]
allow *.domain.com

[puppetmaster]
allow *.domain.com

[puppetrunner]
allow culain.domain.com

[puppetbucket]
allow *.domain.com

[puppetreports]
allow *.domain.com

[resource]
allow server.domain.com

That would be on the client from my reading but I haven't implemented this at all.
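
An added example, not from the thread or from the Puppet project: a small Python check over the namespaceauth.conf layout quoted above, which reports any section an operator wants pinned to exact hosts that instead carries a wildcard or an unexpected hostname. The function names, the PINNED mapping and the choice of sections to pin are assumptions made for illustration; it accepts "allow" and "deny" lines under [section] headers.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Constructed input: three of the sections from the sample file quoted above.
SAMPLE = """\
# in --listen mode.
[fileserver]
allow *.domain.com

[puppetrunner]
allow culain.domain.com

[resource]
allow server.domain.com
"""

# Assumption for this example: the sections an operator wants pinned to exact
# hosts, with the only hosts expected in each.
PINNED = {"puppetrunner": {"culain.domain.com"},
          "resource": {"server.domain.com"}}

def parse_namespaceauth(text):
    """Return {section: [(directive, pattern), ...]} in file order."""
    rules, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            rules.setdefault(current, [])
            continue
        parts = line.split(None, 1)
        if current is None or len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unexpected content {raw!r}")
        rules[current].append((parts[0], parts[1]))
    return rules

def audit(rules, pinned):
    """Flag allow entries in pinned sections that are globs or unexpected hosts."""
    findings = []
    for section, hosts in sorted(pinned.items()):
        for directive, pattern in rules.get(section, []):
            if directive == "allow" and "*" in pattern:
                findings.append(f"[{section}] allow {pattern}: wildcard")
            elif directive == "allow" and pattern not in hosts:
                findings.append(f"[{section}] allow {pattern}: unexpected host")
    return findings
```

Running audit(parse_namespaceauth(text), PINNED) against the file shipped to each client returns an empty list when the pinned sections name only the expected hosts.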

Douglas Garstang

Feb 22, 2011, 8:13:31 PM
to puppet...@googlegroups.com


On Tue, Feb 22, 2011 at 5:09 PM, Jed <jedb...@gmail.com> wrote:
> ok so I did some testing..
>
> apparently, this is how it breaks down so far...
>
> -PUPPET CLIENT-
> namespaceauth.conf: you need this or else it dies on startup
> auth.conf : you do not need this normally, however if you want to do a
> 'puppetrun' from the master->client, this file needs to be present
> and you need to have your puppet master listed in the proper sections
> (ie. /run), also regarding 'puppetrun' command, you need the
> [puppetrunner] section defined in the namespaceauth.conf file on the
> puppetclient - in that section you need to list your puppetmaster FQDN/
> IP.
>
> -PUPPET MASTER-
> namespaceauth.conf: not sure if this is needed on the puppet master,
> i'll remove it and test.
> auth.conf: well...this is needed as per the documents.
>
> this is where it gets fun [/s]
>
> i have a custom spec/rpm built for the puppetmaster/puppetclient, all
> this happens in one shot (from source its configured/compiled/built
> and then broken out into a server/client rpm package) -- not a big
> deal.
>
> however, the million dollar question is....will the options for the
> puppet master and the puppet client (in either file , auth.conf or
> namespaceauth.conf) conflict?  since i would like to use a global
> version of both files and dist. to the puppetmaster and all
> puppetclients.  Furthermore, it sort of needs to happen like that,
> since i have a puppetmaster, but on that master the puppet client will
> be installed so the master can manage itself -- needless to say, the
> puppetmaster and the puppetclient (on the same machine/instance) store
> the same config/file/names in the same directory(/etc/puppet)
>
> I'm sure it's fairly trivial once you know what it is that's trivial ;-)
>
> the puppet docs are just horrible (I hated Cfengine, but dammit, their
> documentation was anal retentive)
>
> for instance... the docs say "ohhh you have an  'auth' section in the
> auth.conf file and here are the 8 different values (yes,
> no ...etc)....however, nowhere, anywhere at all in blogs/sites/wiki
> and even Turnbull's puppet book does it say WHAT THE HELL THOSE OPTIONS
> MEAN/DO/DONT DO.....
>
> ok ok..now i'm venting -- sorry, but it's been a long 3-day weekend of
> trying to get puppet up and running on a last minute time-frame cause
> i work for a bunch of monkeys(errr managers) with their heads in their
> #(#*$*


I feel your pain... 

Jed

Feb 22, 2011, 10:56:00 PM
to Puppet Users
so even more weirdness....

I moved the auth.conf and the namespaceauth.conf files on the
puppetmaster, restarted the puppetmaster daemon in debug
mode.....and...

no error...not a single one -- puppetclients connect just fine, and
puppetrun works correctly...

I must be missing something here ....since the docs are saying at
least one of these files are needed on the puppetmaster.


Jed

Feb 22, 2011, 8:09:07 PM
to Puppet Users
On Feb 22, 7:20 pm, tu2Bg...@gmail.com wrote:
>  From the docs:
> ----------------------------
> auth.conf
>
> rest_authconfig = $confdir/auth.conf
>
> The auth.conf doesn't exist by default, but Puppet has some default  
> settings that will be put in place if you don't create an auth.conf. You'll  
> see these settings if you run your puppetmaster in debug mode and then  
> connect with a client.
> ---------------------------
> namespaceauth.conf
>
> authconfig = $confdir/namespaceauth.conf
>
> This file controls the http connections to the puppet agent. It is  
> necessary to start the puppet agent with the listen true option.
>
> There's an example namespaceauth.conf file in the puppet source in  
> conf/namespaceauth.conf.
> ----------------------------
>
> auth.conf: controls access to puppetmaster - lives on puppetmaster
>
> namespaceauth.conf: bit harder to discern from doco and the link to the
> example returns 404. (points to old reductivelabs github)
> https://github.com/puppetlabs/puppet/blob/master/conf/namespaceauth.conf
>
> # This is an example namespaceauth.conf file,
> # which you'll need if you want to start a client
> # in --listen mode.
> [fileserver]
> allow *.domain.com
>
> [puppetmaster]
> allow *.domain.com
>
> [puppetrunner]
> allow culain.domain.com
>
> [puppetbucket]
> allow *.domain.com
>
> [puppetreports]
> allow *.domain.com
>
> [resource]
> allow server.domain.com
>
> That would be on the client from my reading but I haven't implemented this  
> at all.
>
> On , Douglas Garstang <doug.garst...@gmail.com> wrote:

Iain Sutton

Feb 25, 2011, 12:27:59 AM
to puppet...@googlegroups.com, Puppet Users
Yep, your experience matches what we see in our setup:

The puppetmaster has neither an auth.conf nor a namespaceauth.conf and operates with just one error: we can't run puppetd on the puppetmaster because namespaceauth.conf is missing...
