puppet-dashboard: Could not retrieve facts from inventory service

I'm trying to configure puppet-dashboard, but I'm running into a problem with Inventory/facts:

Could not retrieve facts from inventory service: 403 "Forbidden request: puppetmasterhostname(ip.address.was.here) access to /facts/agenthostname.example.com [find] at line 99 "

In /etc/puppet/auth.conf on the Puppet master:

path /facts
method find
auth any
allow *

I restarted puppetmaster and puppet-dashboard, but I still get the error above. Any ideas or troubleshooting tips?

Update

I'm running puppet v2.7.13. As requested, here is my full /etc/puppet/auth.conf. Most of it is the defaults that were already in the config:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# unconditionally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

# Inventory
path /facts
method find
auth any
allow *

/etc/puppet/puppet.conf

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

[master]
   reports = store, http
   reporturl = http://puppetmasterhostname.example.com:3000/reports/upload
   facts_terminus = yaml
   storeconfigs = true
   storeconfigs_backend = puppetdb
   node_terminus = exec
   external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://localhost:3000 /opt/puppet-dashboard/bin/external_node

Answer 1

My config looks like this...

path /facts
auth any
allow *

path /fact
auth any
allow *

path /facts_search
allow *

I think I also had to create an empty file called namespaceauth.conf, like so:

touch /etc/puppet/namespaceauth.conf

Answer 2

I ran into the same problem and found that line 99 of /etc/puppet/auth.conf corresponds to the following:

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

Commenting out the "path /" / "auth any" block allowed the dashboard to access the inventory with the following configuration:

path /facts
auth yes
method find, search
allow dashboard

...taken from http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html

namespace.conf and the other paths were not necessary for me.

Answer 3

It's an ordering problem - make sure the section:

path /facts
method find
auth any
allow *

comes before the default section:

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

This worked for me and fixed the problem. Or, as above, you can just comment it out!

Answer 4

The problem you're hitting has two parts. First, your auth.conf needs to grant the appropriate access. Many of the solutions mentioned here achieve that, but at great risk! By using:

path /facts
auth any
allow *

path /fact
auth any
allow *

path /facts_search
allow *

...you are allowing * access.

The "star" means everyone!!!

To fix this, you need auth.conf to have:

path /facts
auth yes
method find, search
allow dashboard

Then you need to create a certificate for the "dashboard" user, just as you would for a node. On CentOS 6 with puppet-dashboard-1.2.23-1.el6.noarch, the steps are:

1) Make sure config/settings.yml has the correct puppetmaster hostname and port.

2) Generate a key pair for the dashboard:

    sudo -u puppet-dashboard rake cert:create_key_pair

3) Generate the dashboard's certificate request:

    sudo -u puppet-dashboard rake cert:request

4) Sign the certificate on the puppetmaster:

    puppet cert sign dashboard

5) Retrieve the certificate from the puppetmaster:

    sudo -u puppet-dashboard rake cert:retrieve

6) Restart the dashboard.

All of this will allow the dashboard to access your puppetmaster's facts using certificate authentication.

Enjoy!
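The three answers above all turn on the same two facts about auth.conf: rules are evaluated top to bottom and the first one whose path, method and auth setting fit the request decides it (a matched rule with no matching "allow" denies, and the 403 reports the line of that rule's "path" directive, which is why line 99 in the question is the catch-all "path /"), and "allow *" hands the facts of every node to any certificate the master trusts. The following small model of that evaluation is an added example written for this page; it is not Puppet's or the dashboard's code. It assumes the request path has already had its environment prefix stripped (e.g. /facts/agenthostname.example.com) and that inventory searches are authorized against the same /facts prefix with method "search"; the auth.conf fragments it feeds itself are constructed from the configurations quoted in the answers.

```python
"""Model of how Puppet 2.7 evaluates auth.conf (added example, not Puppet's own code).

Rules are tried top to bottom; the first rule whose path (prefix, or regex for
`path ~`), method list and auth setting fit the request decides it, and a matched
rule that does not allow the client denies at the line of its `path` directive.
Assumed: the environment prefix is already stripped from the path, and inventory
searches are authorized against the same /facts prefix with method `search`.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    path: str
    line: int                                   # line of the `path` directive
    regex: bool = False
    methods: set = field(default_factory=set)   # empty = every method
    auth: str = "yes"                           # yes (default) | no | any
    allow: list = field(default_factory=list)


def parse_auth_conf(text):
    """Parse the directives used on this page: path, method, auth, allow."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            regex = value.startswith("~")
            rules.append(Rule(path=value.lstrip("~ ") if regex else value, line=lineno, regex=regex))
        elif key == "method":
            rules[-1].methods = {m.strip() for m in value.split(",")}
        elif key == "auth":
            rules[-1].auth = value
        elif key == "allow":
            rules[-1].allow.extend(a.strip() for a in value.split(","))
    return rules


def _matches(rule, path, method, authenticated):
    """Regex captures (possibly an empty tuple) when the rule applies, else None."""
    if rule.regex:
        m = re.search(rule.path, path)
        captures = m.groups() if m else None
    else:
        captures = () if path.startswith(rule.path) else None   # plain paths are prefixes
    if captures is None:
        return None
    if rule.methods and method not in rule.methods:
        return None
    if (rule.auth == "yes" and not authenticated) or (rule.auth == "no" and authenticated):
        return None
    return captures


def _client_allowed(rule, client, captures):
    for entry in rule.allow:
        if entry.startswith("$"):               # $1-style back-reference into a regex path
            idx = int(entry[1:]) - 1
            entry = captures[idx] if idx < len(captures) else None
        if entry == "*" or entry == client:
            return True
    return False


def authorize(rules, path, method, client, authenticated=True):
    """First-match evaluation; returns (allowed, reason) shaped like Puppet's 403 text."""
    for rule in rules:
        captures = _matches(rule, path, method, authenticated)
        if captures is None:
            continue
        if _client_allowed(rule, client, captures):
            return True, f"allowed by rule at line {rule.line}"
        return False, f"Forbidden request: {client} access to {path} [{method}] at line {rule.line}"
    return False, "no path matches"


# Constructed auth.conf fragments reproducing the orderings discussed in the answers.
DEFAULT_FIRST = "path /\nauth any\n\npath /facts\nmethod find\nauth any\nallow *\n"
FACTS_FIRST = "path /facts\nmethod find\nauth any\nallow *\n\npath /\nauth any\n"
LEAST_PRIVILEGE = "path /facts\nauth yes\nmethod find, search\nallow dashboard\n\npath /\nauth any\n"
OWN_CATALOG = "path ~ ^/catalog/([^/]+)$\nmethod find\nallow $1\n"
FACTS = "/facts/agenthostname.example.com"


def demo():
    """Run each configuration against the requests that matter on this page."""
    lp, cat = parse_auth_conf(LEAST_PRIVILEGE), parse_auth_conf(OWN_CATALOG)
    return {
        # catch-all `path /` listed first swallows the facts request: denied at line 1
        "default_first": authorize(parse_auth_conf(DEFAULT_FIRST), FACTS, "find", "puppetmasterhostname"),
        # same rules with /facts above the catch-all: allowed
        "facts_first": authorize(parse_auth_conf(FACTS_FIRST), FACTS, "find", "puppetmasterhostname"),
        # only the certificate named "dashboard" may find or search facts
        "dashboard_find": authorize(lp, FACTS, "find", "dashboard"),
        "dashboard_search": authorize(lp, FACTS, "search", "dashboard"),
        "master_denied": authorize(lp, FACTS, "find", "puppetmasterhostname"),
        # auth yes skips unauthenticated callers, who fall through to the catch-all at line 6
        "unauth_denied": authorize(lp, FACTS, "find", "dashboard", authenticated=False),
        # $1 ties the allowed client to the node name captured from the path
        "own_catalog": authorize(cat, "/catalog/node1.example.com", "find", "node1.example.com"),
        "other_catalog": authorize(cat, "/catalog/node2.example.com", "find", "node1.example.com"),
    }
```

Running demo() shows the question's situation as "default_first" (the catch-all wins, so the /facts rule is never reached), Answer 3's fix as "facts_first", and Answer 4's "allow dashboard" variant denying both the puppetmaster's own certificate and any unauthenticated caller. Note that "allow dashboard" only works once the dashboard presents a certificate whose name is exactly dashboard, which is what the rake cert steps above produce; a dashboard still using the master's certificate will be denied at the /facts rule itself.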
