Can you file this as a bug, and add all of this logging data to it?

On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:

>
> I'm seeing this as well, and have some info that may be useful. For me
> the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
> the puppetmasterd daemon directly.
>
> I started with exactly the auth.conf from here:
>
> http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf
>
> When I run the puppetmasterd in --no-daemon --debug mode, I see this
> when the client connects:
>
> info: access[^/catalog/([^/]+)$]: allowing 'method' find
> info: access[^/catalog/([^/]+)$]: allowing $1 access
> info: access[/certificate_revocation_list/ca]: allowing 'method' find
> info: access[/certificate_revocation_list/ca]: allowing * access
> info: access[/report]: allowing 'method' save
> info: access[/report]: allowing * access
> info: access[/file]: allowing * access
> info: access[/certificate/ca]: adding authentication no
> info: access[/certificate/ca]: allowing 'method' find
> info: access[/certificate/ca]: allowing * access
> info: access[/certificate/]: adding authentication no
> info: access[/certificate/]: allowing 'method' find
> info: access[/certificate/]: allowing * access
> info: access[/certificate_request]: adding authentication no
> info: access[/certificate_request]: allowing 'method' find
> info: access[/certificate_request]: allowing 'method' save
> info: access[/certificate_request]: allowing * access
> info: access[/]: adding authentication any
> info: access[^/catalog/([^/]+)$]: defaulting to no access for 01.admin.demo.nym1
> warning: Denying access: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
> err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
>
> Lines 51 through 54 of the auth.conf:
>
> # allow nodes to retrieve their own catalog (ie their configuration)
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> When I change 'allow $1' to 'allow *', the client is able to connect
> and it successfully ran my manifest.
>
> If I change my allow line to 'allow fakestringhere', I see this:
>
> info: access[^/catalog/([^/]+)$]: allowing fakestringhere access
>
> When I change it back to 'allow $1':
>
> info: access[^/catalog/([^/]+)$]: allowing $1 access
>
> It seems like the regex capture of ([^/]+) isn't being stored in $1,
> and $1 is being used literally instead of substituting in the value
> from the regex?
>
> In case versions are interesting, I'm using CentOS 5 with the rpms
> found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/
>
> puppet-0.25.0-0.4.el5.noarch
> puppet-server-0.25.0-0.4.el5.noarch
> ruby-1.8.5-5.el5_3.7.x86_64
> ruby-augeas-0.3.0-1.el5.x86_64
> ruby-devel-1.8.5-5.el5_3.7.x86_64
> rubygems-1.3.1-1.el5.noarch
> ruby-irb-1.8.5-5.el5_3.7.x86_64
> ruby-libs-1.8.5-5.el5_3.7.x86_64
> ruby-rdoc-1.8.5-5.el5_3.7.x86_64
> ruby-shadow-1.4.1-7.el5.x86_64
>
> ruby gem info (although passenger is out of the mix):
> fastthread (1.0.7)
> passenger (2.2.2)
> rack (1.0.0)
> rake (0.8.7)
>
> Pete
>
>
> On Wed, Sep 9, 2009 at 11:30 AM, jrojas <ja...@nothingbeatsaduck.com> wrote:
>>
>> I am seeing this problem as well.
>> Reverting from 2.2.5 to 2.2.2 did not help.
>>
>>
>> On Sep 9, 9:12 am, Matt <mattmora...@gmail.com> wrote:
>>> Reverting back to the passenger 2.2.2 gem worked for me.
>>>
>>> 2009/9/8 Larry Ludwig <la...@reductivelabs.com>:
>>>
>>>
>>>
>>>> hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
>>>
>>>> -L
>>>
>>>> --
>>>> Larry Ludwig
>>>> Reductive Labs
>>>
>>
>
> >


-- 
It is well to remember that the entire universe, with one trifling
exception, is composed of others. --John Andrew Holmes
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
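
Added example, not part of the thread and not Puppet's own code: a small Ruby model of the `allow $1` rule from lines 51-54 of the quoted auth.conf, contrasting the literal comparison Pete suspects with back-reference substitution. The `Rule` struct, the helper names and the second node name are assumptions made for illustration.

```ruby
# Added illustration, not Puppet's implementation. Rule, the helper names and
# the second node name are hypothetical; the path regex and first node name
# come from the quoted auth.conf and log.
Rule = Struct.new(:path, :methods, :allow)

CATALOG_RULE = Rule.new(%r{^/catalog/([^/]+)$}, ['find'], '$1')

# Constructed requests: [authenticated node name, requested path].
REQUESTS = [
  ['01.admin.demo.nym1', '/catalog/01.admin.demo.nym1'], # own catalog
  ['01.admin.demo.nym1', '/catalog/02.web.demo.nym1']    # another node's catalog
].freeze

# Behaviour suspected in the thread: the allow value is compared verbatim, so
# '$1' never equals a real node name and every request is refused.
def allowed_literal?(rule, node, path, method)
  return false unless rule.methods.include?(method) && rule.path.match(path)
  rule.allow == '*' || rule.allow == node
end

# Behaviour the rule is written for: $N is replaced by the Nth capture of the
# path match before it is compared with the authenticated node name.
def allowed_interpolated?(rule, node, path, method)
  return false unless rule.methods.include?(method)
  captures = rule.path.match(path)
  return false unless captures
  return true if rule.allow == '*'
  rule.allow.gsub(/\$(\d+)/) { captures[Regexp.last_match(1).to_i].to_s } == node
end

# Evaluate every constructed request against a rule with the given checker.
def decisions(checker, rule = CATALOG_RULE)
  REQUESTS.map { |node, path| send(checker, rule, node, path, 'find') }
end

if __FILE__ == $PROGRAM_NAME
  wildcard = Rule.new(CATALOG_RULE.path, ['find'], '*')
  puts "literal $1:      #{decisions(:allowed_literal?).inspect}"
  puts "interpolated $1: #{decisions(:allowed_interpolated?).inspect}"
  puts "allow *:         #{decisions(:allowed_interpolated?, wildcard).inspect}"
end
```

With `allow *` both constructed requests pass, so that workaround also drops the restriction that a node may only retrieve its own catalog.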

