On Wed, Oct 24, 2012 at 1:28 AM, imd <ivan.degtyare...@gmail.com> wrote:
> Changed the auth.conf and fileserver.conf in a way you suggested above,
> now client gives another error:
>
> err: /Stage[main]/Profiles/File[/etc/profile.d/wrkdir.py]: Could not
> evaluate: Error 400 on SERVER: Not authorized to call find on
> /file_metadata/files/shell/wrkdir.py Could not retrieve file metadata for
> puppet:///files/shell/wrkdir.py: Error 400 on SERVER: Not authorized to
> call find on /file_metadata/files/shell/wrkdir.py at
> /etc/puppet/manifests/classes/profiles.pp:42
>
> With '/files/' or without, same error.
>

Did you add the auth.conf rules before the default `path /file` rule? For example, please see https://gist.github.com/3947951

Note how the default auth.conf file allows all requests. The rules Nick mentioned need to go before the path /file rule on line 74, otherwise they'll never be reached because "first match wins."

I was able to fully work around the issue by using these rules, also shown in the patch files included in the gist:

# JJM Lock down the "files" fileserver mount exported from fileserver.conf
# Remember, this file is parsed top to bottom and the first match "wins" so
# more specific rules need to be above more generalized rules.
# The following two rules mean the agent must possess a signed certificate and
# must be connecting from the 192.168.0.0/16 subnet.
path /file_metadata/files
auth yes
allow_ip 192.168.0.0/16

path /file_content/files
auth yes
allow_ip 192.168.0.0/16

# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

Please note, I think Nick's original suggestion is slightly incorrect because it should now contain the "allow *.example.com" statement, as this would allow all agents who possess a signed certificate with a CN ending in example.com, regardless of their IP address.
If you truly want to authorize based on IP address, please stick with `auth yes`, which means agents must possess a signed, trusted certificate, and allow_ip which will grant access.

-Jeff
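To make the "first match wins" point concrete, here is a small simulator of auth.conf evaluation, added as an example that is not Puppet's own code nor from anyone in this thread. It assumes a simplified model: `path` is a plain prefix match, `auth` defaults to `yes` when omitted, `auth yes` rules are skipped for requests without a signed certificate, `allow_ip` takes CIDR networks, and `allow` takes certname patterns (`*` for any, `*.example.com` for a suffix match).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    path: str                  # prefix matched against the request path
    auth: str = "yes"          # "yes", "no" or "any" (assumed default: yes)
    allow: List[str] = field(default_factory=list)     # certname patterns
    allow_ip: List[str] = field(default_factory=list)  # CIDR networks

def parse_auth_conf(text: str) -> List[Rule]:
    """Parse the subset of auth.conf syntax used in this thread."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "path":
            rules.append(Rule(path=value.strip()))
        elif key == "auth":
            rules[-1].auth = value.strip()
        elif key in ("allow", "allow_ip"):
            getattr(rules[-1], key).extend(v.strip() for v in value.split(","))
    return rules

def _name_matches(pattern: str, certname: Optional[str]) -> bool:
    if pattern == "*" or certname is None:
        return pattern == "*"
    if pattern.startswith("*."):          # "*.example.com" = suffix match
        return certname.endswith(pattern[1:])
    return certname == pattern

def authorize(rules: List[Rule], path: str, ip: str,
              certname: Optional[str]) -> Optional[str]:
    """First rule whose path prefix and auth requirement match decides:
    return its path if it grants access, else None. Later rules are dead."""
    authenticated = certname is not None
    for r in rules:
        if not path.startswith(r.path):
            continue
        if (r.auth == "yes" and not authenticated) or (r.auth == "no" and authenticated):
            continue                      # rule does not apply, keep scanning
        by_name = any(_name_matches(p, certname) for p in r.allow)
        by_ip = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                    for n in r.allow_ip)
        return r.path if (by_name or by_ip) else None
    return None                           # no rule matched: denied
```

Feeding the same two lock-down rules in before and after `path /file` shows why the order matters: placed below the broad rule they are never consulted, placed above it they deny agents outside 192.168.0.0/16 while leaving other mounts served as before.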