Done. The issue is now posted here, and I added --trace to my
puppetmasterd arguments to provide more info.

http://projects.reductivelabs.com/issues/2620

Pete

On Wed, Sep 9, 2009 at 4:29 PM, Luke Kanies <l...@madstop.com> wrote:
>
> Can you file this as a bug, and add all of this logging data to it?
>
> On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:
>
>>
>> I'm seeing this as well, and have some info that may be useful. For me
>> the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
>> the puppetmasterd daemon directly.
>>
>> I started with exactly the auth.conf from here:
>>
>> http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf
>>
>> When I run the puppetmasterd in --no-daemon --debug mode, I see this
>> when the client connects:
>>
>> info: access[^/catalog/([^/]+)$]: allowing 'method' find
>> info: access[^/catalog/([^/]+)$]: allowing $1 access
>> info: access[/certificate_revocation_list/ca]: allowing 'method' find
>> info: access[/certificate_revocation_list/ca]: allowing * access
>> info: access[/report]: allowing 'method' save
>> info: access[/report]: allowing * access
>> info: access[/file]: allowing * access
>> info: access[/certificate/ca]: adding authentication no
>> info: access[/certificate/ca]: allowing 'method' find
>> info: access[/certificate/ca]: allowing * access
>> info: access[/certificate/]: adding authentication no
>> info: access[/certificate/]: allowing 'method' find
>> info: access[/certificate/]: allowing * access
>> info: access[/certificate_request]: adding authentication no
>> info: access[/certificate_request]: allowing 'method' find
>> info: access[/certificate_request]: allowing 'method' save
>> info: access[/certificate_request]: allowing * access
>> info: access[/]: adding authentication any
>> info: access[^/catalog/([^/]+)$]: defaulting to no access for
>> 01.admin.demo.nym1
>> warning: Denying access: Forbidden request:
>> 01.admin.demo.nym1(my.ip.address.here) access to
>> /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
>> err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
>> to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
>>
>> Lines 51 through 54 of the auth.conf:
>>
>> # allow nodes to retrieve their own catalog (ie their configuration)
>> path ~ ^/catalog/([^/]+)$
>> method find
>> allow $1
>>
>> When I change 'allow $1' to 'allow *', the client is able to connect
>> and it successfully ran my manifest.
>>
>> If I change my allow line to 'allow fakestringhere', I see this:
>>
>> info: access[^/catalog/([^/]+)$]: allowing fakestringhere access
>>
>> When I change it back to 'allow $1':
>>
>> info: access[^/catalog/([^/]+)$]: allowing $1 access
>>
>> It seems like the regex capture of (^[/]+) isn't being stored in $1,
>> and $1 is being used literally instead of substituting in the value
>> from the regex?
>>
>> In case versions are interesting, I'm using CentOS 5 with the rpms
>> found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/
>>
>> puppet-0.25.0-0.4.el5.noarch
>> puppet-server-0.25.0-0.4.el5.noarch
>> ruby-1.8.5-5.el5_3.7.x86_64
>> ruby-augeas-0.3.0-1.el5.x86_64
>> ruby-devel-1.8.5-5.el5_3.7.x86_64
>> rubygems-1.3.1-1.el5.noarch
>> ruby-irb-1.8.5-5.el5_3.7.x86_64
>> ruby-libs-1.8.5-5.el5_3.7.x86_64
>> ruby-rdoc-1.8.5-5.el5_3.7.x86_64
>> ruby-shadow-1.4.1-7.el5.x86_64
>>
>> ruby gem info (although passenger is out of the mix):
>> fastthread (1.0.7)
>> passenger (2.2.2)
>> rack (1.0.0)
>> rake (0.8.7)
>>
>> Pete
>>
>>
>> On Wed, Sep 9, 2009 at 11:30 AM, jrojas
>> <ja...@nothingbeatsaduck.com> wrote:
>>>
>>> I am seeing this problem as well.
>>> Reverting from 2.2.5 to 2.2.2 did not help.
>>>
>>>
>>> On Sep 9, 9:12 am, Matt <mattmora...@gmail.com> wrote:
>>>> Reverting back to the passenger 2.2.2 gem worked for me.
>>>>
>>>> 2009/9/8 Larry Ludwig <la...@reductivelabs.com>:
>>>>
>>>>
>>>>
>>>>> hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
>>>>
>>>>> -L
>>>>
>>>>> --
>>>>> Larry Ludwig
>>>>> Reductive Labs
>>>>
>>>
>>
>
>
> --
> It is well to remember that the entire universe, with one trifling
> exception, is composed of others. --John Andrew Holmes
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
>
>
>
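
The catalog rule quoted in the message above, as a simplified model added here for illustration (not code from the thread or from Puppet's source): it contrasts the intended behaviour, where `$1` is replaced by the node name captured from the path, with the reported behaviour, where `$1` is compared literally, and with the `allow *` workaround. `Rule`, `interpolate`, `allowed?` and the second node name are assumptions made for the example.

```ruby
# Simplified model of one auth.conf rule. Added example, not Puppet's implementation;
# Rule, interpolate and allowed? are hypothetical names.
Rule = Struct.new(:path, :methods, :allow)

# The rule from lines 51-54 of the auth.conf quoted in the thread.
CATALOG_RULE = Rule.new(%r{^/catalog/([^/]+)$}, ["find"], "$1")

# The workaround from the thread: the same rule with 'allow *'.
WILDCARD_RULE = Rule.new(%r{^/catalog/([^/]+)$}, ["find"], "*")

# Replace $1, $2, ... in an allow pattern with the captures from the path match.
def interpolate(pattern, match)
  pattern.gsub(/\$(\d+)/) { match[Regexp.last_match(1).to_i].to_s }
end

# Decide whether an authenticated node may call `method` on `path`.
# substitute: false models the behaviour reported in the thread, where the
# string "$1" itself is compared against the node name and never matches.
def allowed?(rule, node, method, path, substitute: true)
  match = rule.path.match(path)
  return false unless match && rule.methods.include?(method)

  pattern = substitute ? interpolate(rule.allow, match) : rule.allow
  pattern == "*" || pattern == node
end

if __FILE__ == $PROGRAM_NAME
  own   = "01.admin.demo.nym1"   # node name from the log in the thread
  other = "02.web.demo.nym1"     # constructed second node
  path  = "/catalog/#{own}"

  puts "intended, own catalog:    #{allowed?(CATALOG_RULE, own, 'find', path)}"
  puts "intended, other node:     #{allowed?(CATALOG_RULE, other, 'find', path)}"
  puts "literal $1, own catalog:  #{allowed?(CATALOG_RULE, own, 'find', path, substitute: false)}"
  puts "allow *, other node:      #{allowed?(WILDCARD_RULE, other, 'find', path)}"
end
```

In this model the `allow *` rule lets any authenticated node request any other node's catalog, which is the restriction the `$1` rule exists to enforce.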
