I am trying to set up puppet-dashboard, but I am running into an inventory/facts problem:
Could not retrieve facts from inventory service: 403 "Forbidden request: puppetmasterhostname(ip.address.was.here) access to /facts/agenthostname.example.com [find] at line 99 "
In /etc/puppet/auth.conf on the puppet master:
path /facts
method find
auth any
allow *
I have restarted puppetmaster and puppet-dashboard, but I still get the error above. Any ideas or troubleshooting tips?
Update
I am running Puppet v2.7.13. As requested, here is my full /etc/puppet/auth.conf. Most of it is the defaults that were already in the config:
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# unconditionally allow access to all file services,
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.
# allow access to the master CA
path /certificate/ca
auth any
method find
allow *
path /certificate/
auth any
method find
allow *
path /certificate_request
auth any
method find, save
allow *
# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is to deny everything else
path /
auth any
# Inventory
path /facts
method find
auth any
allow *
/etc/puppet/puppet.conf
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
[master]
reports = store, http
reporturl = http://puppetmasterhostname.example.com:3000/reports/upload
facts_terminus = yaml
storeconfigs = true
storeconfigs_backend = puppetdb
node_terminus = exec
external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://localhost:3000 /opt/puppet-dashboard/bin/external_node
I ran into the same problem and found that line 99 of
/etc/puppet/auth.conf
corresponds to the following: commenting out
path /
and auth any
allows the dashboard to access the inventory with the following configuration: ... taken from http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html.
namespace.conf
The other paths were not necessary for me. My configuration has the following...
I think I also had to create an empty file called
namespaceauth.conf
; this is an ordering problem - make sure this section:
comes before the default section:
This worked for me + fixed the problem. Or, as above, you can just comment it out!
The problem you are hitting has two parts. First, your auth.conf file needs to grant the appropriate access. Many of the solutions mentioned here achieve that, but they are very risky! By using the following:
...you allow * access, and
the "star" means everyone!!!
To fix this properly, you need auth.conf to have:
Then you need to create a certificate for the "dashboard" user, just as you did for your nodes. On CentOS 6 with puppet-dashboard-1.2.23-1.el6.noarch, these are the steps:
1) Make sure config/settings.yml has the correct hostname and port for your puppetmaster
2) Generate a key pair for the dashboard:
3) Generate a certificate request for the dashboard:
4) On the puppetmaster, sign the certificate:
5) Retrieve the certificate from the puppetmaster
6) Restart the dashboard
All of this will allow the dashboard to access your puppetmaster's facts using certificate authentication.
Enjoy!
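The 403 in the question, the ordering point raised in the first answer and the `allow *` warning in the second can all be reproduced with a small first-match evaluator. This is an added example and not code from the question, the answers or Puppet itself: it models auth.conf evaluation the way Puppet 2.7 documents it (stanzas are tried in order, plain paths match as prefixes, `~` introduces a regex, `$1` refers to a capture group, the first stanza whose path, method and auth setting all apply decides; `deny` and `environment` are left out), and it runs over three constructed config fragments plus a hypothetical dashboard certname `dashboard.example.com`.

```python
import re

# Three constructed auth.conf fragments (sample input, not the asker's file verbatim).
# Puppet tries stanzas top to bottom; the first whose path, method and auth setting
# all apply decides the request, so a stanza placed after a catch-all "path /" is dead.
ASKER_AUTH_CONF = """\
path ~ ^/catalog/([^/]+)$
method find
allow $1
# default policy: deny everything else
path /
auth any
# Inventory (never reached: "path /" above has already decided)
path /facts
method find
auth any
allow *
"""

REORDERED_AUTH_CONF = """\
# Inventory moved above the catch-all, but open to every client, even unauthenticated
path /facts
method find
auth any
allow *
path /
auth any
"""

RESTRICTED_AUTH_CONF = """\
# Inventory for the dashboard's own certificate only (hypothetical certname)
path /facts
method find
auth yes
allow dashboard.example.com
path /
auth any
"""


def parse_auth_conf(text):
    """Parse auth.conf stanzas into ordered rule dicts (simplified model of Puppet 2.7)."""
    rules, rule = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            regex = value.startswith("~")
            pattern = value[1:].strip() if regex else value
            rule = {"spec": value, "regex": regex,
                    "path": re.compile(pattern) if regex else pattern,
                    "methods": None, "auth": "yes", "allow": []}   # auth defaults to yes
            rules.append(rule)
        elif key == "method":
            rule["methods"] = [m.strip() for m in value.split(",")]
        elif key == "auth":
            rule["auth"] = value
        elif key == "allow":
            rule["allow"].extend(a.strip() for a in value.split(","))
    return rules


def decide(rules, path, method, certname, authenticated=True):
    """Return (allowed, spec of the deciding stanza) for one REST request; first match wins."""
    for rule in rules:
        if rule["regex"]:
            m = rule["path"].match(path)
            if not m:
                continue
            groups = m.groups()
        elif path.startswith(rule["path"]):         # plain paths match as prefixes
            groups = ()
        else:
            continue
        # A stanza whose method or auth setting does not apply to this request is
        # skipped and the search continues with the next one.
        if rule["methods"] is not None and method not in rule["methods"]:
            continue
        if rule["auth"] == "yes" and not authenticated:
            continue
        if rule["auth"] == "no" and authenticated:
            continue
        # This stanza decides: allowed only if the certname is on its allow list.
        for entry in rule["allow"]:
            if entry.startswith("$"):               # $1 refers to the regex capture group
                entry = groups[int(entry[1:]) - 1]
            if entry in ("*", certname):
                return True, rule["spec"]
        return False, rule["spec"]
    return False, None                              # nothing matched: denied by default
```

Run against the asker's layout, the `/facts/agenthostname.example.com` find request is decided by `path /`, which has no `allow` line, so the result is the 403 from the question and the `/facts` stanza is never consulted. Moving the stanza above the catch-all removes the 403, but with `auth any` and `allow *` any client, authenticated or not, can read any node's facts. Restricting the stanza to the dashboard's certname with `auth yes` keeps the fix while other certnames, unauthenticated clients and non-find methods still fall through to the deny-all default.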