The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #4629

puppet run Error 403 on SERVER: Forbidden request

Added by joy huang over 5 years ago. Updated about 5 years ago.

Status: Closed
Start date: 08/26/2010
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: plumbing
Target version: -
Affected Puppet version: 0.25.0
Branch:
Keywords:


Description

puppet master release:puppet-2.6.1rc2

puppet client release:puppet—0.25.5

[root@master ~]# puppetrun -p 10 --host ubunu910.dvmns.com
Triggering ubunu910.dvmns.com
Host ubunu910.dvmns.com failed: Error 403 on SERVER: Forbidden request: ctc92.dvmns.com(221.238.249.92) access to /run/ubunu910.dvmns.com [save] authenticated  at line 0
ubunu910.dvmns.com finished with exit code 2
Failed: ubunu910.dvmns.com

Could someone tell me how to fix this?

My mail is: wtoppp@hotmail.com

Thanks, joy


Related issues

Related to Puppet - Feature #4388: Remove the namespaceauth.conf file Closed 07/28/2010

History

#1 Updated by joy huang over 5 years ago

  • Target version set to 2.6.1

#2 Updated by James Turnbull over 5 years ago

  • Status changed from Unreviewed to Needs More Information
  • Target version deleted (2.6.1)
  • Affected Puppet version set to 0.25.0

Can you please run with --trace --verbose --debug and post the output.

#3 Updated by joy huang over 5 years ago

Dear James, first of all, thanks for your reply.

(1) Run with trace:

[root@ctc92 puppet]# puppetrun -p 10 —host ubunu910.dvmns.com --trace
Triggering —host
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/request.rb:169:in `set_uri_key'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/request.rb:80:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:115:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:115:in `request'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:250:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/sbin/puppetrun:4
Host —host failed: Could not understand URL https://—host:8139/production/run/—host: bad URI(is not URI?): https://%E2%80%94host:8139/production/run/%E2%80%94host
Triggering ubunu910.dvmns.com
—host finished with exit code 2
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:90:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:253:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/sbin/puppetrun:4
Host ubunu910.dvmns.com failed: Error 403 on SERVER: Forbidden request: ctc92.dvmns.com(221.238.249.92) access to /run/ubunu910.dvmns.com [save] authenticated  at line 0
ubunu910.dvmns.com finished with exit code 2
Failed: —host, ubunu910.dvmns.com

(2) Run with debug:

[root@ctc92 puppet]# puppetrun -p 10 —host ubunu910.dvmns.com --debug
Triggering —host
Host —host failed: Could not understand URL https://—host:8139/production/run/—host: bad URI(is not URI?): https://%E2%80%94host:8139/production/run/%E2%80%94host
Triggering ubunu910.dvmns.com
—host finished with exit code 2
Host ubunu910.dvmns.com failed: Error 403 on SERVER: Forbidden request: ctc92.dvmns.com(221.238.249.92) access to /run/ubunu910.dvmns.com [save] authenticated  at line 0
ubunu910.dvmns.com finished with exit code 2
Failed: —host, ubunu910.dvmns.com

Thanks, joy

#4 Updated by Mohit Chawla over 5 years ago

  • Target version set to 2.6.1

I am experiencing the same problem on 2.6.0-2 master as well as 2.6.0-2 client. Even with allow * under the puppetrunner block in namespaceauth.conf at the client, it gives this error. Doing an allow server.name.com for path / on the client in auth.conf works. Is namespaceauth.conf being disregarded?

#5 Updated by Mohit Chawla over 5 years ago

For the time being I have just added the following in auth.conf (and created an empty namespaceauth.conf, otherwise puppet refuses to start in the listen mode):

path /run
allow server.name.com

#6 Updated by James Turnbull over 5 years ago

  • Category set to plumbing
  • Status changed from Needs More Information to Accepted

#7 Updated by James Turnbull over 5 years ago

Hi Mohit – can you show me the errors you’ve got when you run without that line in auth? Same as above? Also the error you get without the namespaceauth.conf file (--debug --trace) etc?

Thanks!

#8 Updated by Mohit Chawla over 5 years ago

Hi,

1) With just the namespaceauth.conf present with the following block:

[puppetrunner]
allow foo.server

, puppetrun --host foo.client --trace shows:

root@foo.server:~# puppetrun --host foo.client --trace
Triggering foo.client
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize'
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:90:in `save'
/usr/lib/ruby/1.8/puppet/indirector/indirection.rb:253:in `save'
/usr/lib/ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:301:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:301:in `run'
/usr/sbin/puppetrun:4
Host foo.client failed: Error 403 on SERVER: Forbidden request: foo.server(192.168.24.32) access to /run/foo.client [save] authenticated  at line 0
foo.client finished with exit code 2
Failed: foo.client

, puppetrun with debug shows the same 403 error.

The client reports the same message after puppet has inserted the various default acl rules.

I am not getting the bad url error as posted above by Joy Huang.

2) With auth.conf present, but no namespaceauth.conf, then at the client:

2010-09-08_05:24:07.34024 err: Will not start without authorization file /etc/puppet/namespaceauth.conf

Not sure if debug & trace can provide any more information, but here it is:

2010-09-08_05:31:10.95062 debug: Failed to load library 'rubygems' for feature 'rubygems'
2010-09-08_05:31:10.95862 debug: Failed to load library 'selinux' for feature 'selinux'
2010-09-08_05:31:10.98444 debug: Puppet::Type::User::ProviderPw: file pw does not exist
2010-09-08_05:31:10.98495 debug: Failed to load library 'ldap' for feature 'ldap'
2010-09-08_05:31:10.98522 debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
2010-09-08_05:31:10.98556 debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
2010-09-08_05:31:10.99829 debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
2010-09-08_05:31:11.01708 debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
2010-09-08_05:31:11.06040 debug: /File[/var/lib/puppet/ssl/private_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
2010-09-08_05:31:11.06131 debug: /File[/var/log/puppet/http.log]: Autorequiring File[/var/log/puppet]
2010-09-08_05:31:11.06224 debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06296 debug: /File[/var/lib/puppet/client_data]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06370 debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06442 debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
2010-09-08_05:31:11.06525 debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.06609 debug: /File[/var/lib/puppet/state/classes.txt]: Autorequiring File[/var/lib/puppet/state]
2010-09-08_05:31:11.06698 debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.06819 debug: /File[/var/lib/puppet/ssl/certs/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.06889 debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.06973 debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07059 debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07147 debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07231 debug: /File[/var/lib/puppet/ssl/public_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
2010-09-08_05:31:11.07315 debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07400 debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.07520 debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07593 debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07663 debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.07735 debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
2010-09-08_05:31:11.07822 debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.07895 debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
2010-09-08_05:31:11.10647 debug: Finishing transaction -614113368
2010-09-08_05:31:11.14983 debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.15063 debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15148 debug: /File[/var/log/puppet/http.log]: Autorequiring File[/var/log/puppet]
2010-09-08_05:31:11.15233 debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.15317 debug: /File[/var/lib/puppet/ssl/private_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
2010-09-08_05:31:11.15399 debug: /File[/var/lib/puppet/ssl/certs/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
2010-09-08_05:31:11.15473 debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15559 debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.15675 debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15763 debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.15851 debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.15943 debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
2010-09-08_05:31:11.16046 debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.16131 debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.16218 debug: /File[/var/lib/puppet/ssl/public_keys/foo.client.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
2010-09-08_05:31:11.16323 debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
2010-09-08_05:31:11.18354 debug: Finishing transaction -614558908
2010-09-08_05:31:11.18593 debug: Using cached certificate for ca
2010-09-08_05:31:11.18653 debug: Using cached certificate for foo.client
2010-09-08_05:31:11.18705 err: Will not start without authorization file /etc/puppet/namespaceauth.conf

3) With auth.conf present, one can have anything (or nothing) in namespaceauth.conf, but it will be disregarded.

#9 Updated by James Turnbull over 5 years ago

Joy – I think your command line is incorrect:

puppetrun -p 10 —host ubunu910.dvmns.com --debug

Should be:

puppetrun -p 10 --host ubunu910.dvmns.com --debug

#10 Updated by James Turnbull over 5 years ago

  • Target version changed from 2.6.1 to 2.6.2

#11 Updated by Markus Roberts over 5 years ago

  • Status changed from Accepted to Rejected

This was an operator error, as James noted above.

#12 Updated by Markus Roberts over 5 years ago

  • Status changed from Rejected to Accepted

My bad. There are actually three issues here:

1) The unicode em-dash vs. "--" question
2) Mohit’s namespaceauth.conf vs. auth.conf question
3) Joy’s original question.

#13 Updated by Matt Robinson over 5 years ago

  • Status changed from Accepted to Closed

  1. The unicode em-dash vs. "--" question – Resolved
  2. Mohit’s namespaceauth.conf vs. auth.conf question – namespaceauth.conf needs to be removed from consideration in the code and auth.conf used instead (ticket #4388). Mohit’s workaround of creating the empty namespaceauth.conf and putting the

    path /run
    auth no # you may or may not want this depending on who you want to be able to trigger puppet runs
    allow server.name.com

in auth.conf is a good one for now.

  3. Joy’s original question – Joy had problems 1 and 2. Once he gets the dash figured out and updates his auth.conf with an empty namespaceauth.conf it should work.

Joy, please reopen and update this ticket with details if you still have problems.
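The `/run` stanzas quoted in this ticket can be checked offline before they are deployed to agents. The Ruby sketch below is an added example, not code from the ticket or from Puppet: it models auth.conf in simplified form and reports which stanzas open the kick endpoint and how broadly. The function names and the evaluation rules (first stanza matching path prefix and method decides, no match means deny, `auth` is only reported) are assumptions of this example.

```ruby
# Added example: simplified model of an agent's auth.conf, not Puppet's parser.
Rule = Struct.new(:path, :verbs, :auth, :allow)

def parse_auth_conf(text)
  rules = []
  text.each_line do |line|
    key, value = line.sub(/#.*/, '').strip.split(/\s+/, 2)
    next if key.nil?                      # blank or comment-only line
    if key == 'path'
      rules << Rule.new(value, nil, 'yes', [])   # assumed default: auth yes
      next
    end
    rule = rules.last or raise ArgumentError, "#{key} before any path stanza"
    case key
    when 'method' then rule.verbs = value.to_s.split(/\s*,\s*/)
    when 'auth'   then rule.auth = value.to_s
    when 'allow'  then rule.allow.concat(value.to_s.split(/\s*,\s*/))
    end
  end
  rules
end

# Assumed semantics: the first stanza whose path prefix and method match the
# request decides; no matching stanza means deny. The auth directive is only
# recorded for the audit below and is not evaluated here.
def authorize(rules, host:, path:, method:)
  rule = rules.find do |r|
    path.start_with?(r.path) && (r.verbs.nil? || r.verbs.include?(method))
  end
  return :deny unless rule
  rule.allow.any? { |a| a == '*' || a == host } ? :allow : :deny
end

# List every stanza that can authorize a kick (/run/<host>, method save).
def run_exposure(rules)
  covering = rules.select do |r|
    ('/run/'.start_with?(r.path) || r.path.start_with?('/run/')) &&
      (r.verbs.nil? || r.verbs.include?('save'))
  end
  covering.map do |r|
    warnings = []
    warnings << 'allow * admits every host' if r.allow.include?('*')
    warnings << 'unauthenticated callers can match' if %w[no off any].include?(r.auth)
    { path: r.path, allow: r.allow, warnings: warnings }
  end
end

# Stanzas quoted in the ticket (comments #5, #13 and #15).
MOHIT = "path /run\nallow server.name.com\n"
MATT  = "path /run\nauth no # optional, see comment #13\nallow server.name.com\n"
OLI   = "path /run\nmethod save\nallow *\n"

puts run_exposure(parse_auth_conf(OLI)).inspect if __FILE__ == $PROGRAM_NAME
```
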

#14 Updated by Matt Robinson over 5 years ago

In case anyone finds this again there may be issues with trying to do a “puppet run” or kick from a 2.6.x puppet to a 0.25.x client. Maybe that’s what was giving someone trouble?

Also there’s some documentation of the security of the auth.conf and namespaceauth.conf here http://docs.puppetlabs.com/guides/security.html#authconf and you can simulate a puppet run command with a curl command, at least on a 2.6.x client.

http://docs.puppetlabs.com/guides/rest_api.html#puppet_agent_rest_api_reference

curl -k -X PUT -H "Content-Type: text/pson" -d "{}" https://puppetclient:8139/production/run/{anything}

#15 Updated by Oli W over 5 years ago

  • Status changed from Closed to Re-opened
  • Target version changed from 2.6.2 to 4

Hi,

I have a very similar issue.

I have installed puppetmaster 2.6.1 on ubuntu 10.10, puppet client 0.25.5 on SLES9 and puppet client 2.6.1 on ubuntu 10.10.

I have the following configs on the clients:

auth.conf

path /run
method save
allow *

namespaceauth.conf is empty!

running the kick command from the master gives the following error for the sles9 host:

root@puppet:/etc/puppet/files# puppet kick --trace --host sles9test1.vegagroup.net --debug
Triggering sles9test1.vegagroup.net
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:57:in `deserialize'
/usr/lib/ruby/1.8/puppet/indirector/rest.rb:90:in `save'
/usr/lib/ruby/1.8/puppet/indirector/indirection.rb:253:in `save'
/usr/lib/ruby/1.8/puppet/indirector.rb:64:in `save'
/usr/lib/ruby/1.8/puppet/application/kick.rb:123:in `run_for_host'
/usr/lib/ruby/1.8/puppet/application/kick.rb:68:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `fork'
/usr/lib/ruby/1.8/puppet/application/kick.rb:67:in `main'
/usr/lib/ruby/1.8/puppet/application/kick.rb:42:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/1.8/puppet/util/command_line.rb:55:in `execute'
/usr/bin/puppet:4
Host sles9test1.vegagroup.net failed: Error 400 on SERVER: Could not find indirection 'run'
sles9test1.vegagroup.net finished with exit code 2
Failed: sles9test1.vegagroup.net

Doing the same for the 2.6.1 client works fine. I could try to update the client on sles9 since there is no rpm but this will be quite hard since sles9 has very outdated packages and sles9 is our main linux OS. :(

Is 0.25.5 not compatible with 2.6.1?

#16 Updated by Oli W over 5 years ago

Ok,

Building a 2.6.4 rpm for sles9 was a piece of cake. I used the src rpm from the opensuse build service. Now everything works.

Great piece of software!

Thumbs up!

#17 Updated by Oli W over 5 years ago

  • Status changed from Re-opened to Closed

#18 Updated by James Turnbull about 5 years ago

  • Target version deleted (4)
