Bug #4629
puppet run Error 403 on SERVER: Forbidden request
| Status: | Closed | Start date: | 08/26/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | plumbing | | |
| Target version: | - | | |
| Affected Puppet version: | 0.25.0 | Branch: | |
| Keywords: | | | |
| Votes: | 1 | | |
Description
puppet master release:puppet-2.6.1rc2
puppet client release:puppet-0.25.5
[root@master ~]# puppetrun -p 10 --host ubunu910.dvmns.com
Triggering ubunu910.dvmns.com
Host ubunu910.dvmns.com failed: Error 403 on SERVER: Forbidden request: ctc92.dvmns.com(221.238.249.92) access to /run/ubunu910.dvmns.com [save] authenticated at line 0
ubunu910.dvmns.com finished with exit code 2
Failed: ubunu910.dvmns.com
Could someone tell me how to fix this?
My mail is: wtoppp@hotmail.com
thanks joy
History
Updated by joy huang over 1 year ago
- Target version set to 2.6.1
Updated by James Turnbull over 1 year ago
- Status changed from Unreviewed to Needs More Information
- Target version deleted (2.6.1)
- Affected Puppet version set to 0.25.0
Can you please run with --trace --verbose --debug and post the output.
Updated by joy huang over 1 year ago
Dear James, firstly, thanks for your reply.
(1)with trace run:
[root@ctc92 puppet]# puppetrun -p 10 —host ubunu910.dvmns.com --trace
Triggering —host
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/request.rb:169:in `set_uri_key'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/request.rb:80:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:115:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:115:in `request'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:250:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/sbin/puppetrun:4
Host —host failed: Could not understand URL https://—host:8139/production/run/—host: bad URI(is not URI?): https://%E2%80%94host:8139/production/run/%E2%80%94host
Triggering ubunu910.dvmns.com
—host finished with exit code 2
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:90:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:253:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/sbin/puppetrun:4
Host ubunu910.dvmns.com failed: Error 403 on SERVER: Forbidden request: ctc92.dvmns.com(221.238.249.92) access to /run/ubunu910.dvmns.com [save] authenticated at line 0
ubunu910.dvmns.com finished with exit code 2
Failed: —host, ubunu910.dvmns.com
(2)with debug run :
[root@ctc92 puppet]# puppetrun -p 10 —host ubunu910.dvmns.com --debug
Triggering —host
Host —host failed: Could not understand URL https://—host:8139/production/run/—host: bad URI(is not URI?): https://%E2%80%94host:8139/production/run/%E2%80%94host
Triggering ubunu910.dvmns.com
—host finished with exit code 2
Host ubunu910.dvmns.com failed: Error 403 on SERVER: Forbidden request: ctc92.dvmns.com(221.238.249.92) access to /run/ubunu910.dvmns.com [save] authenticated at line 0
ubunu910.dvmns.com finished with exit code 2
Failed: —host, ubunu910.dvmns.com
thanks joy
Updated by Mohit Chawla over 1 year ago
- Target version set to 2.6.1
I am experiencing the same problem on 2.6.0-2 master as well as 2.6.0-2 client. Even with allow * under the puppetrunner block in namespaceauth.conf at the client, it gives this error. Doing an allow server.name.com for path / on the client in auth.conf works. Is namespaceauth.conf being disregarded?
Updated by Mohit Chawla over 1 year ago
For the time being I have just added the following in auth.conf (and created an empty namespaceauth.conf otherwise puppet refuses to start in the listen mode)
path /run
allow server.name.com
Updated by James Turnbull over 1 year ago
- Category set to plumbing
- Status changed from Needs More Information to Accepted
Updated by James Turnbull over 1 year ago
Hi Mohit – can you show me the errors you’ve got when you run without that line in auth? Same as above? Also the error you get without the namespaceauth.conf file (--debug --trace) etc?
Thanks!
Updated by Mohit Chawla over 1 year ago
Hi,
1) With just the namespaceauth.conf present with the following block:
[puppetrunner]
allow foo.server
, puppetrun --host foo.client --trace shows:
root@foo.server:~# puppetrun --host foo.client --trace
Triggering foo.client
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize'
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:90:in `save'
/usr/lib/ruby/1.8/puppet/indirector/indirection.rb:253:in `save'
/usr/lib/ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:301:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:301:in `run'
/usr/sbin/puppetrun:4
Host foo.client failed: Error 403 on SERVER: Forbidden request: foo.server(192.168.24.32) access to /run/foo.client [save] authenticated at line 0
foo.client finished with exit code 2
Failed: foo.client
, puppetrun with debug shows the same 403 error.
The client reports the same message after puppet has inserted the various default acl rules.
I am not getting the bad url error as posted above by Joy Huang.
2) With auth.conf present, but no namespaceauth.conf, then at the client:
2010-09-08_05:24:07.34024 err: Will not start without authorization file /etc/puppet/namespaceauth.conf
Not sure if debug & trace can provide any more information, but here it is:
2010-09-08_05:31:10.95062 debug: Failed to load library 'rubygems' for feature 'rubygems'
2010-09-08_05:31:10.95862 debug: Failed to load library 'selinux' for feature 'selinux'
2010-09-08_05:31:10.98444 debug: Puppet::Type::User::ProviderPw: file pw does not exist
2010-09-08_05:31:10.98495 debug: Failed to load library 'ldap' for feature 'ldap'
2010-09-08_05:31:10.98522 debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
2010-09-08_05:31:10.98556 debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
2010-09-08_05:31:10.99829 debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
2010-09-08_05:31:11.01708 debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
2010-09-08_05:31:11.06040 debug: /File[/var/lib/puppet/ssl/private_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
2010-09-08_05:31:11.06131 debug: /File[/var/log/puppet/http.log]: Autorequiring File[/var/log/puppet]
2010-09-08_05:31:11.06224 debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06296 debug: /File[/var/lib/puppet/client_data]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06370 debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06442 debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
2010-09-08_05:31:11.06525 debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.06609 debug: /File[/var/lib/puppet/state/classes.txt]: Autorequiring File[/var/lib/puppet/state]
2010-09-08_05:31:11.06698 debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.06819 debug: /File[/var/lib/puppet/ssl/certs/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.06889 debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06973 debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07059 debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07147 debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07231 debug: /File[/var/lib/puppet/ssl/public_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
2010-09-08_05:31:11.07315 debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07400 debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.07520 debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07593 debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07663 debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07735 debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
2010-09-08_05:31:11.07822 debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07895 debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
2010-09-08_05:31:11.10647 debug: Finishing transaction -614113368
2010-09-08_05:31:11.14983 debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.15063 debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15148 debug: /File[/var/log/puppet/http.log]: Autorequiring File[/var/log/puppet]
2010-09-08_05:31:11.15233 debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.15317 debug: /File[/var/lib/puppet/ssl/private_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
2010-09-08_05:31:11.15399 debug: /File[/var/lib/puppet/ssl/certs/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.15473 debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15559 debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.15675 debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15763 debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15851 debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.15943 debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.16046 debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.16131 debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.16218 debug: /File[/var/lib/puppet/ssl/public_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
2010-09-08_05:31:11.16323 debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.18354 debug: Finishing transaction -614558908
2010-09-08_05:31:11.18593 debug: Using cached certificate for ca
2010-09-08_05:31:11.18653 debug: Using cached certificate for foo.client
2010-09-08_05:31:11.18705 err: Will not start without authorization file /etc/puppet/namespaceauth.conf
3) With auth.conf present, one can have anything (or nothing) in namespaceauth.conf, but it will be disregarded.
Updated by James Turnbull over 1 year ago
Joy – I think your command line is incorrect:
puppetrun -p 10 —host ubunu910.dvmns.com --debug
Should be:
puppetrun -p 10 --host ubunu910.dvmns.com --debug
Updated by James Turnbull over 1 year ago
- Target version changed from 2.6.1 to 2.6.2
Updated by Markus Roberts over 1 year ago
- Status changed from Accepted to Rejected
This was an operator error, as James noted above.
Updated by Markus Roberts over 1 year ago
- Status changed from Rejected to Accepted
My bad. There are actually three issues here:
1) The unicode em-dash vs. "--" question
2) Mohit’s namespaceauth.conf vs. auth.conf question
3) Joy’s original question.
Updated by Matt Robinson over 1 year ago
- Status changed from Accepted to Closed
- The unicode em-dash vs. "--" question – Resolved
- Mohit’s namespaceauth.conf vs. auth.conf question: namespaceauth.conf needs to be removed from consideration in the code and auth.conf used instead (ticket #4388). Mohit’s workaround of creating the empty namespaceauth.conf and putting the
path /run
auth no # you may or may not want this depending on who you want to be able to trigger puppet runs
allow server.name.com
in auth.conf is a good one for now.
- Joy’s original question – Joy had problems 1 and 2. Once he gets the dash figured out and updates his auth.conf with an empty namespaceauth.conf it should work.
Joy, please reopen and update this ticket with details if you still have problems.
Updated by Matt Robinson over 1 year ago
In case anyone finds this again, there may be issues with trying to do a “puppet run” or kick from a 2.6.x puppet to a 0.25.x client. Maybe that’s what was giving someone trouble?
Also there’s some documentation of the security of the auth.conf and namespaceauth.conf here http://docs.puppetlabs.com/guides/security.html#authconf and you can simulate a puppet run command with a curl command, at least on a 2.6.x client.
http://docs.puppetlabs.com/guides/rest_api.html#puppet_agent_rest_api_reference
curl -k -X PUT -H "Content-Type: text/pson" -d "{}" https://puppetclient:8139/production/run/{anything}
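An added example, not part of the ticket and not Puppet's own code: a small Ruby linter for the agent-side auth.conf stanzas quoted in this thread, flagging `/run` rules that use `allow *` or `auth no`. The stanza grammar it accepts (only `path`, `auth` and `allow`, prefix path matching, `auth` defaulting to yes) is a simplifying assumption, and all function and constant names are hypothetical.

```ruby
# Added example, not Puppet's own code: lint agent auth.conf text for broad /run ACLs.
Stanza = Struct.new(:path, :auth, :allow, :line)

# Constructed inputs, modelled on the three configurations quoted in this ticket.
MOHIT_WORKAROUND = "path /run\nallow server.name.com\n"
MATT_SUGGESTION  = "path /run\nauth no # open to unauthenticated callers\nallow server.name.com\n"
OLI_CONFIG       = "path /run\nmethod save\nallow *\n"

# Group directives under the most recent "path" line.
def parse_auth_conf(text)
  stanzas = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, '').strip            # drop comments and blank lines
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    value = value.to_s
    if key == 'path'
      stanzas << Stanza.new(value, 'yes', [], lineno)   # assumption: auth defaults to yes
    elsif stanzas.any?
      stanzas.last.auth = value.downcase if key == 'auth'
      stanzas.last.allow.concat(value.split(/[\s,]+/)) if key == 'allow'
    end
  end
  stanzas
end

# Assumption: a plain path is a prefix match and "path ~ <regex>" is a regular expression.
def covers_run?(path, probe = '/run/agent.example')
  return !(Regexp.new(path.sub(/\A~\s*/, '')) =~ probe).nil? if path.start_with?('~')
  probe.start_with?(path)
end

# Return one finding per risky setting on a stanza that covers /run.
def audit_run_acl(text)
  parse_auth_conf(text).select { |s| covers_run?(s.path) }.flat_map do |s|
    findings = []
    findings << "line #{s.line}: path #{s.path} allows every host (allow *)" if s.allow.include?('*')
    if %w[no off any].include?(s.auth)
      findings << "line #{s.line}: path #{s.path} accepts unauthenticated requests (auth #{s.auth})"
    end
    findings
  end
end

if __FILE__ == $PROGRAM_NAME
  { 'Mohit' => MOHIT_WORKAROUND, 'Matt' => MATT_SUGGESTION, 'Oli' => OLI_CONFIG }.each do |who, conf|
    puts "#{who}: #{audit_run_acl(conf).inspect}"
  end
end
```

A stanza that names the master explicitly and keeps authentication on produces no findings; the other two each produce one.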
Updated by Oli W about 1 year ago
- Status changed from Closed to Re-opened
- Target version changed from 2.6.2 to 4
Hi,
I have a very similar issue.
I have installed puppetmaster 2.6.1 on ubuntu 10.10, puppet client 0.25.5 on SLES9 and puppet client 2.6.1 on ubuntu 10.10.
I have the following configs on the clients:
auth.conf
path /run
method save
allow *
namespaceauth.conf is empty!
running the kick command from the master gives the following error for the sles9 host:
root@puppet:/etc/puppet/files# puppet kick --trace --host sles9test1.vegagroup.net --debug
Triggering sles9test1.vegagroup.net
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize'
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:90:in `save'
/usr/lib/ruby/1.8/puppet/indirector/indirection.rb:253:in `save'
/usr/lib/ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/1.8/puppet/util/command_line.rb:55:in `execute'
/usr/bin/puppet:4
Host sles9test1.vegagroup.net failed: Error 400 on SERVER: Could not find indirection 'run'
sles9test1.vegagroup.net finished with exit code 2
Failed: sles9test1.vegagroup.net
Doing the same for the 2.6.1 client works fine. I could try to update the client on sles9 since there is no rpm but this will be quite hard since sles9 has very outdated packages and sles9 is our main linux OS. :(
Is 0.25.5 not compatible with 2.6.1?
Updated by Oli W about 1 year ago
Ok,
building a 2.6.4 rpm for sles9 was a piece of cake. I used the src rpm from the opensuse build service. Now everything works.
Great piece of software!
Thumbs up!
Updated by Oli W about 1 year ago
- Status changed from Re-opened to Closed
Updated by James Turnbull 11 months ago
- Target version deleted (4)