Puppet Dashboard HTTP Basic Authentication Issues
226 views
Skip to first unread message
Stella
Jul 31, 2014, 12:28:20 PM7/31/14
to puppet...@googlegroups.com
Hi, I am trying to configure Puppet (3.6.2) Dashboard (1.2.23) with HTTP Basic Authentication. I followed this document's "Security" section:
http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html
Basically, in Dashboard’s vhost configuration, I added those lines:
<Location "/">
Order allow,deny
Allow from 192.168.240.110 # your puppet master's IP
Satisfy any
AuthName "Puppet Dashboard"
AuthType Basic
AuthUserFile /etc/httpd/webaccess
Require valid-user
</Location>
Then I also created a user/password combination:
htpasswd -c /etc/httpd/webaccess myusername
Restart httpd service and Web access to the interface works fine. It prompts me for username/password.
However, when I ran "puppet agent --test", it failed. Puppet cannot get nodes from the dashboard.
Questions:
1. I googled and found this issue: https://projects.puppetlabs.com/issues/4890. It points to another two issues. Should I follow those two issues to fix my problem?
issue #7173 -- Puppet cannot submit reports to dashboard. Modify puppet/lib/puppet/reports/http.rb to properly parse usernames and passwords out of the reporturl configuration option.
issue #5126 -- Puppet cannot get nodes from the dashboard. Modify the external node script to properly parse usernames and passwords out of its URL
2. In the document, it has a notice
Notice that you need to leave an access exception for your puppet master. Although it’s possible to configure Puppet to use a password when connecting to Dashboard (by adding a username and password to Puppet’s reporturl and the URL used by the external_nodes script), this currently requires patching Puppet’s http report handler; see issue 7173 for more details.
I am a little confused here. "you need to leave an access exception for your puppet master", does this refer to those two lines in the vhost config:
Order allow,deny
Allow from 192.168.240.110 # your puppet master's IP
If yes, does that mean if I have those two lines to leave an access exception for puppet master, I don't need to apply those two patches? But now with those two lines, I still can't get puppet agent to get node from dashboard. Maybe I should go ahead and apply those two patches?
http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html
Basically, in Dashboard’s vhost configuration, I added those lines:
<Location "/">
Order allow,deny
Allow from 192.168.240.110 # your puppet master's IP
Satisfy any
AuthName "Puppet Dashboard"
AuthType Basic
AuthUserFile /etc/httpd/webaccess
Require valid-user
</Location>
Then I also created a user/password combination:
htpasswd -c /etc/httpd/webaccess myusername
Restart httpd service and Web access to the interface works fine. It prompts me for username/password.
However, when I ran "puppet agent --test", it failed. Puppet cannot get nodes from the dashboard.
Questions:
1. I googled and found this issue: https://projects.puppetlabs.com/issues/4890. It points to another two issues. Should I follow those two issues to fix my problem?
issue #7173 -- Puppet cannot submit reports to dashboard. Modify puppet/lib/puppet/reports/http.rb to properly parse usernames and passwords out of the reporturl configuration option.
issue #5126 -- Puppet cannot get nodes from the dashboard. Modify the external node script to properly parse usernames and passwords out of its URL
2. In the document, it has a notice
Notice that you need to leave an access exception for your puppet master. Although it’s possible to configure Puppet to use a password when connecting to Dashboard (by adding a username and password to Puppet’s reporturl and the URL used by the external_nodes script), this currently requires patching Puppet’s http report handler; see issue 7173 for more details.
I am a little confused here. "you need to leave an access exception for your puppet master", does this refer to those two lines in the vhost config:
Order allow,deny
Allow from 192.168.240.110 # your puppet master's IP
If yes, does that mean if I have those two lines to leave an access exception for puppet master, I don't need to apply those two patches? But now with those two lines, I still can't get puppet agent to get node from dashboard. Maybe I should go ahead and apply those two patches?
Ellison Marks
Jul 31, 2014, 1:32:54 PM7/31/14
to puppet...@googlegroups.com
Where it has the IP address 192.168.240.110 and the comment "# your puppet master's IP", you are meant to replace the give IP address with the IP address that your puppet master will be using to submit reports.
Stella
Jul 31, 2014, 1:43:35 PM7/31/14
to puppet...@googlegroups.com
Hi Ellison,
Thanks for the reply.
Yes, I replaced that IP address with my Puppet Master.
So you think that as long as I have those two lines, I don't need to apply those two patches and it should work? But it doesn't work for me.
I guess I will try to apply those two patches and see what will happen?
Thanks for the reply.
Yes, I replaced that IP address with my Puppet Master.
So you think that as long as I have those two lines, I don't need to apply those two patches and it should work? But it doesn't work for me.
I guess I will try to apply those two patches and see what will happen?
Stella
Jul 31, 2014, 10:58:33 PM7/31/14
to puppet...@googlegroups.com
I figured it out. It is due to my settings.
In /etc/puppet/puppet.conf, I use "localhost":
external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://localhost:3000 /usr/share/puppet-dashboard/bin/external_node
But in the dashboard vhost config file, I gave the actual IP address of my puppet master (for example, 192.168.240.110 )
Order allow,deny
Allow from 192.168.240.110
Allow from 192.168.240.110
Once I changed the IP address to the word "localhost", it works:
Order allow,deny
Allow from 192.168.240.110
Allow from 192.168.240.110
So my doubt is correct: as long as you have those two lines, puppet master access is allowed and you don't need to apply those two patches.
Thanks!
Reply all
Reply to author
Forward
0 new messages