Jed
2011-Feb-22 21:29 UTC
[Puppet Users] auth.conf & namespaceauth.conf : which files belong on the master , and client?
I'm trying to wrap my head around these files...

do both of them need to reside on the client and master?

are there any docs that describe these files and what all the option/sections are and what they do?

Thanks all....
Denmat
2011-Feb-22 21:58 UTC
Re: [Puppet Users] auth.conf & namespaceauth.conf : which files belong on the master , and client?
I think only on master. This might help you further.
http://docs.puppetlabs.com/guides/security.html
Jed
2011-Feb-22 22:58 UTC
[Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and client?
Thanks Denmat...

I've seen the page already, but it's so vague...

it doesn't mention anywhere what files belong where...

I gather auth.conf would need to be on the puppetmaster...

however, from what it says about namespaceauth.conf, it seems that needs to live on the puppet client machines....

not sure....
Douglas Garstang
2011-Feb-22 23:44 UTC
Re: [Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and client?
Yeah, it is horribly confusing isn't it. Glad it's not just me that can't quite work it out.

Doug
tu2Bgone@gmail.com
2011-Feb-23 00:20 UTC
Re: Re: [Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and c
From the docs:
----------------------------
auth.conf

rest_authconfig = $confdir/auth.conf

The auth.conf doesn't exist by default, but Puppet has some default settings that will be put in place if you don't create an auth.conf. You'll see these settings if you run your puppetmaster in debug mode and then connect with a client.
---------------------------
namespaceauth.conf

authconfig = $confdir/namespaceauth.conf

This file controls the http connections to the puppet agent. It is necessary to start the puppet agent with the listen true option.

There's an example namespaceauth.conf file in the puppet source in conf/namespaceauth.conf.
----------------------------

auth.conf: controls access to puppetmaster - lives on puppetmaster

namespaceauth.conf: bit harder to discern from doco and the link to the example returns 404. (points to old reductivelabs github)
https://github.com/puppetlabs/puppet/blob/master/conf/namespaceauth.conf

# This is an example namespaceauth.conf file,
# which you'll need if you want to start a client
# in --listen mode.
[fileserver]
allow *.domain.com

[puppetmaster]
allow *.domain.com

[puppetrunner]
allow culain.domain.com

[puppetbucket]
allow *.domain.com

[puppetreports]
allow *.domain.com

[resource]
allow server.domain.com

That would be on the client from my reading but I haven't implemented this at all.
Jed
2011-Feb-23 01:09 UTC
[Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and c
ok so I did some testing..

apparently, this is how it breaks down so far...

-PUPPET CLIENT-
namespaceauth.conf: you need this or else it dies on startup
auth.conf: you do not need this normally, however if you want to do a 'puppetrun' from the master->client, this file needs to be present and you need to have your puppet master listed in the proper sections (ie. /run), also regarding 'puppetrun' command, you need the [puppetrunner] section defined in the namespaceauth.conf file on the puppetclient - in that section you need to list your puppetmaster FQDN/IP.

-PUPPET MASTER-
namespaceauth.conf: not sure if this is needed on the puppet master, i'll remove it and test.
auth.conf: well...this is needed as per the documents.

this is where it gets fun [/s]

i have a custom spec/rpm built for the puppetmaster/puppetclient, all this happens in one shot (from source it's configured/compiled/built and then broken out into a server/client rpm package) -- not a big deal.

however, the million dollar question is....will the options for the puppet master and the puppet client (in either file, auth.conf or namespaceauth.conf) conflict? since i would like to use a global version of both files and dist. to the puppetmaster and all puppetclients. Furthermore, it sort of needs to happen like that, since i have a puppetmaster, but on that master the puppet client will be installed so the master can manage itself -- needless to say, the puppetmaster and the puppetclient (on the same machine/instance) store the same config/file/names in the same directory (/etc/puppet)

I'm sure it's fairly trivial once you know what it is that's trivial ;-)

the puppet docs are just horrible (I hated Cfengine, but dammit, their documentation was anal retentive)

for instance... the docs say "ohhh you have an 'auth' section in the auth.conf file and here are the 8 different values (yes, no ...etc)"....however, nowhere, anywhere at all in blogs/sites/wiki and even Turnbull's puppet book does it say WHAT THE HELL THOSE OPTIONS MEAN/DO/DON'T DO.....

ok ok..now i'm venting -- sorry, but it's been a long 3-day weekend of trying to get puppet up and running on a last minute time-frame cause i work for a bunch of monkeys(errr managers) with their heads in their #(#*$*
Douglas Garstang
2011-Feb-23 01:13 UTC
Re: [Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and c
I feel your pain...
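An added example, not part of any post in this thread and not Puppet's own code: a small audit of an agent-side namespaceauth.conf in the format of the example file quoted above, checking the point from Jed's test run that [puppetrunner] must list the puppetmaster and flagging allow rules broader than that. The sample file, the function names and the simplified host matching are assumptions; deny lines are parsed but not evaluated.

```ruby
# Added example (not from the thread): audit an agent-side namespaceauth.conf.
# Host matching is simplified and is an assumption, not Puppet's own matcher.

# Constructed sample in the format of the example file quoted in the thread.
SAMPLE_CONF = <<~CONF
  # constructed agent-side namespaceauth.conf
  [fileserver]
  allow *.domain.com

  [puppetrunner]
  allow culain.domain.com

  [resource]
  allow *
CONF

# Parse "[section]" headers and allow/deny lines into
# { "section" => { "allow" => [...], "deny" => [...] } }.
def parse_namespaceauth(text)
  sections = {}
  current = nil
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    if (m = line.match(/\A\[([\w.]+)\]\z/))
      current = (sections[m[1]] ||= { "allow" => [], "deny" => [] })
    elsif (m = line.match(/\A(allow|deny)\s+(\S+)\z/))
      raise ArgumentError, "line #{lineno}: rule outside a section" if current.nil?
      current[m[1]] << m[2]
    else
      raise ArgumentError, "line #{lineno}: unrecognised line #{line.inspect}"
    end
  end
  sections
end

# Simplified match (assumption): "*" matches any host, "*.domain" matches
# hosts under that domain, anything else must match the name exactly.
def pattern_matches?(pattern, host)
  return true if pattern == "*"
  return host.downcase.end_with?(pattern[1..-1].downcase) if pattern.start_with?("*.")
  pattern.casecmp?(host)
end

# Findings for an agent that should accept puppetrun only from master_fqdn.
def audit(sections, master_fqdn)
  findings = []
  runner = sections["puppetrunner"]
  if runner.nil?
    findings << "puppetrunner: section missing"
  elsif runner["allow"].none? { |p| pattern_matches?(p, master_fqdn) }
    findings << "puppetrunner: #{master_fqdn} is not allowed"
  end
  sections.each do |name, rules|
    rules["allow"].each do |p|
      if p == "*"
        findings << "#{name}: 'allow *' admits any host"
      elsif name == "puppetrunner" && p.start_with?("*.")
        findings << "#{name}: '#{p}' admits every host in the domain"
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # master.domain.com is a constructed puppetmaster name.
  puts audit(parse_namespaceauth(SAMPLE_CONF), "master.domain.com")
end
```
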
Jed
2011-Feb-23 03:56 UTC
[Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and c
so even more weirdness....

I moved the auth.conf and the namespaceauth.conf files on the puppetmaster, restarted the puppetmaster daemon in debug mode.....and...

no error...not a single one -- puppetclients connect just fine, and puppetrun works correctly...

I must be missing something here ....since the docs are saying at least one of these files is needed on the puppetmaster.
Iain Sutton
2011-Feb-25 05:27 UTC
Re: [Puppet Users] Re: auth.conf & namespaceauth.conf : which files belong on the master , and c
Yep, your experience matches what we see in our setup:

The puppetmaster has neither an auth.conf nor a namespaceauth.conf and operates with just one error: we can't run puppetd on the puppetmaster because namespaceauth.conf is missing...