linux – puppet master REST API returns 403 under Passenger, works when the master is run from the command line


I'm using the standard auth.conf that ships with the Puppet install, for a puppet master running through Passenger under Nginx. But for most catalog, file and certificate requests I get a 403 response.

### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

path /facts
auth any
method find, search
allow *

# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else
path /
auth any

However, the Puppet master doesn't seem to follow this, as I get this error on the client:

[amisr1@blramisr195602 ~]$ sudo puppet agent --no-daemonize --verbose --server bangvmpllda02.XXXXX.com
[sudo] password for amisr1:
Starting Puppet client version 3.0.1
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /certificate_revocation_list/ca [find] at :110
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /file_metadata/plugins [search] at :110
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /file_metadata/plugins [find] at :110 Could not retrieve file metadata for puppet://devops.XXXXX.com/plugins: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /file_metadata/plugins [find] at :110
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /catalog/blramisr195602.XXXXX.com [find] at :110
Using cached catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /report/blramisr195602.XXXXX.com [save] at :110

and the server log shows:

XX.XXX.XX.XX - - [10/Dec/2012:14:46:52 +0530] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 403 102 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:52 +0530] "GET /production/file_metadatas/plugins?links=manage&recurse=true&&ignore=---+%0A++-+%22.svn%22%0A++-+CVS%0A++-+%22.git%22&checksum_type=md5 HTTP/1.1" 403 95 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:52 +0530] "GET /production/file_metadata/plugins? HTTP/1.1" 403 93 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:53 +0530] "POST /production/catalog/blramisr195602.XXXXX.com HTTP/1.1" 403 106 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:53 +0530] "PUT /production/report/blramisr195602.XXXXX.com HTTP/1.1" 403 105 "-" "Ruby"

The fileserver config file is as follows (and, following what the Puppet site says, it is best to regulate file-server access in auth.conf and then allow everything in fileserver.conf):

[files]
  path /apps/puppet/files
  allow *

[private]
  path /apps/puppet/private/%H
  allow *

[modules]
  allow *

I'm using version 3 on both server and client.

Nginx was compiled with the following options:

nginx version: nginx/1.3.9
built by gcc 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --conf-path=/apps/nginx/nginx.conf --pid-path=/apps/nginx/run/nginx.pid --error-log-path=/apps/nginx/logs/error.log --http-log-path=/apps/nginx/logs/access.log --with-http_ssl_module --with-http_gzip_static_module --add-module=/usr/lib/ruby/gems/1.8/gems/passenger-3.0.18/ext/nginx --add-module=/apps/Downloads/nginx/nginx-auth-ldap-master/

and the standard Nginx puppet master conf:

server {
  ssl                        on;
  listen                     8140 ssl;
  server_name                _;
  passenger_enabled          on;
  passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;
  passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;
  passenger_min_instances    5;
  access_log                 logs/puppet_access.log;
  error_log                  logs/puppet_error.log;
  root                       /apps/nginx/html/rack/public;
  ssl_certificate            /var/lib/puppet/ssl/certs/bangvmpllda02.XXXXXX.com.pem;
  ssl_certificate_key        /var/lib/puppet/ssl/private_keys/bangvmpllda02.XXXXXX.com.pem;
  ssl_crl                    /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_client_certificate     /var/lib/puppet/ssl/certs/ca.pem;
  ssl_ciphers                SSLv2:-LOW:-EXPORT:RC4+RSA;
  ssl_prefer_server_ciphers  on;
  ssl_verify_client          optional;
  ssl_verify_depth           1;
  ssl_session_cache          shared:SSL:128m;
  ssl_session_timeout        5m;
}

Puppet is picking up the correct settings from the files mentioned, since config print points at /etc/puppet:

[amisr1@bangvmpllDA02 puppet]$ sudo puppet config print | grep conf
async_storeconfigs = false
authconfig = /etc/puppet/namespaceauth.conf
autosign = /etc/puppet/autosign.conf
catalog_cache_terminus = store_configs
confdir = /etc/puppet
config = /etc/puppet/puppet.conf
config_file_name = puppet.conf
config_version = ""
configprint = all
configtimeout = 120
dblocation = /var/lib/puppet/state/clientconfigs.sqlite3
deviceconfig = /etc/puppet/device.conf
fileserverconfig = /etc/puppet/fileserver.conf
genconfig = false
hiera_config = /etc/puppet/hiera.yaml
localconfig = /var/lib/puppet/state/localconfig
name = config
rest_authconfig = /etc/puppet/auth.conf
storeconfigs = true
storeconfigs_backend = puppetdb
tagmap = /etc/puppet/tagmail.conf
thin_storeconfigs = false

I checked the firewall rules on this VM; 80, 443, 8140 and 3000 are allowed. Do I still need to tweak any details in auth.conf to get this working?

Update

I added verbose logging on the puppet master and restarted Nginx; this is the extra information I see in the log:

Mon Dec 10 18:19:15 +0530 2012 Puppet (err): Could not resolve 10.209.47.31: no name for 10.209.47.31
Mon Dec 10 18:19:15 +0530 2012 access[/] (info): defaulting to no access for 10.209.47.31
Mon Dec 10 18:19:15 +0530 2012 Puppet (warning): Denying access: Forbidden request: 10.209.47.31(10.209.47.31) access to /file_metadata/plugins [find] at :111
Mon Dec 10 18:19:15 +0530 2012 Puppet (err): Forbidden request: 10.209.47.31(10.209.47.31) access to /file_metadata/plugins [find] at :111
10.209.47.31 - - [10/Dec/2012:18:19:15 +0530] "GET /production/file_metadata/plugins? HTTP/1.1" 403 93 "-" "Ruby"

On the agent machine, both facter fqdn and hostname return a fully qualified hostname:

[amisr1@blramisr195602 ~]$ sudo facter fqdn
blramisr195602.XXXXXXX.com

I then updated the agent config to add

dns_alt_names = 10.209.47.31

cleaned all certificates on master and agent, regenerated them, and signed on the master with the option --allow-dns-alt-names:

[amisr1@bangvmpllDA02 ~]$ sudo puppet cert sign blramisr195602.XXXXXX.com
Error: CSR 'blramisr195602.XXXXXX.com' contains subject alternative names (DNS:10.209.47.31, DNS:blramisr195602.XXXXXX.com), which are disallowed. Use `puppet cert --allow-dns-alt-names sign blramisr195602.XXXXXX.com` to sign this request.
[amisr1@bangvmpllDA02 ~]$ sudo puppet cert --allow-dns-alt-names sign blramisr195602.XXXXXX.com
Signed certificate request for blramisr195602.XXXXXX.com
Removing file Puppet::SSL::CertificateRequest blramisr195602.XXXXXX.com at '/var/lib/puppet/ssl/ca/requests/blramisr195602.XXXXXX.com.pem'

However, this didn't help either; I get the same error as before. Not sure why the log shows the access rules being compared by IP rather than by hostname. Is there any Nginx configuration that changes this behaviour?

Solution

I compared this with another setup we have on Nginx; it seems the problem was caused by the attributes

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

being present in the master's puppet.conf. Commenting them out there and keeping their configuration in Nginx solved the problem.
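Why those two settings produce exactly the symptoms in the question, as an added example that is not part of the original post or of Puppet's code: a Rack-hosted Puppet 3 master looks up the client DN in the CGI variable named by `ssl_client_header` and trusts it only when the variable named by `ssl_client_verify_header` reads `SUCCESS`. The Nginx block above exports those values as `HTTP_X_CLIENT_DN` and `HTTP_X_CLIENT_VERIFY` (Puppet's defaults), so pointing puppet.conf at `SSL_CLIENT_S_DN` makes the master find no DN at all, fall back to the peer IP as the node name, and treat every request as unauthenticated; the `auth yes` rules then never match and the final `path /` rule denies. The Python model below reproduces that decision for the requests in the question's access log. The CGI environment, the abridged auth.conf and the reading of the truncated `SSL_CLIENT_S_D` value as `SSL_CLIENT_S_DN` are assumptions made for the simulation.

```python
"""Model of how a Rack-hosted Puppet 3 master identifies a REST client and
checks it against auth.conf. Constructed for illustration; not Puppet's code.
"""
import re

# The rules from the standard Puppet 3 auth.conf that the failing requests
# touch, in their original order (the first matching rule decides).
AUTH_CONF = """
path ~ ^/catalog/([^/]+)$
method find
allow $1

path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *

path /file
allow *

path /certificate_request
auth any
method find, save
allow *

path /
auth any
"""


def parse_auth_conf(text):
    """Return an ordered list of rules; defaults are 'auth yes', any method."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            rule = {"methods": None, "auth": "yes", "allow": []}
            if value.startswith("~"):
                rule["regex"] = re.compile(value[1:].strip())
            else:
                rule["prefix"] = value
            rules.append(rule)
        elif key == "method":
            rules[-1]["methods"] = [m.strip() for m in value.split(",")]
        elif key == "auth":
            rules[-1]["auth"] = value
        elif key == "allow":
            rules[-1]["allow"] += [a.strip() for a in value.split(",")]
    return rules


def identify_client(env, ssl_client_header, ssl_client_verify_header):
    """(node_name, authenticated) as derived from the CGI environment.

    The DN is read from the env key named by ssl_client_header and counts only
    if the key named by ssl_client_verify_header is 'SUCCESS'. With no DN the
    client is anonymous and named by its peer IP, which is the 'Could not
    resolve 10.209.47.31' / 'defaulting to no access' path in the log above.
    """
    dn = env.get(ssl_client_header)
    m = dn and re.match(r"^.*?CN\s*=\s*(.*)$", dn)
    if m:
        return m.group(1), env.get(ssl_client_verify_header) == "SUCCESS"
    return env["REMOTE_ADDR"], False


def authorized(rules, path, method, node, authenticated):
    """First rule matching path, method and auth class decides; else deny."""
    for rule in rules:
        groups = ()
        if "regex" in rule:
            m = rule["regex"].match(path)
            if not m:
                continue
            groups = m.groups()
        elif not path.startswith(rule["prefix"]):
            continue
        if rule["methods"] and method not in rule["methods"]:
            continue  # rule is not competent for this method; try the next
        if (rule["auth"] == "yes" and not authenticated) or \
                (rule["auth"] == "no" and authenticated):
            continue
        for pattern in rule["allow"]:
            for i, g in enumerate(groups, 1):
                pattern = pattern.replace("$%d" % i, g)  # $1 backreference
            if pattern in ("*", node):
                return True
        return False
    return False


# Constructed CGI environment as the question's Nginx block produces it
# (passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn, ...).
NGINX_ENV = {
    "REMOTE_ADDR": "10.209.47.31",
    "HTTP_X_CLIENT_DN": "/CN=blramisr195602.XXXXX.com",
    "HTTP_X_CLIENT_VERIFY": "SUCCESS",
}
# puppet.conf header names as found (never set by Nginx) and as fixed
# (Puppet's defaults, which match what Nginx exports).
BROKEN = ("SSL_CLIENT_S_DN", "SSL_CLIENT_VERIFY")
FIXED = ("HTTP_X_CLIENT_DN", "HTTP_X_CLIENT_VERIFY")

# The requests from the question's access log as (auth.conf path, method).
REQUESTS = [
    ("/certificate_revocation_list/ca", "find"),
    ("/file_metadata/plugins", "find"),
    ("/catalog/blramisr195602.XXXXX.com", "find"),
    ("/report/blramisr195602.XXXXX.com", "save"),
]


def decide(headers, env, path, method):
    """Run one request through identification and auth.conf.
    Returns (node_name, authenticated, allowed)."""
    node, authn = identify_client(env, *headers)
    return node, authn, authorized(parse_auth_conf(AUTH_CONF), path, method, node, authn)


if __name__ == "__main__":
    for label, headers in (("broken", BROKEN), ("fixed", FIXED)):
        for path, method in REQUESTS:
            node, authn, ok = decide(headers, NGINX_ENV, path, method)
            print("%-7s %-36s [%s] node=%s authenticated=%s -> %s"
                  % (label, path, method, node, authn, "allow" if ok else "403"))
```

Running it shows the same split as the question: with the broken header names every request is attributed to 10.209.47.31, unauthenticated, and denied, while `auth any` paths such as `/certificate_request` still pass (which is why the CSR could be submitted and signed even though nothing else worked); with the default names the node is identified from the verified certificate and the same requests are allowed, and the `$1` rule still refuses a node asking for another node's catalog.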

Source: http://outofmemory.cn/yw/1036428.html