3

I am trying to configure puppet-dashboard, and I'm running into an issue with Inventory/facts:

Could not retrieve facts from inventory service: 403 "Forbidden request: puppetmasterhostname(ip.address.was.here) access to /facts/agenthostname.example.com [find] at line 99 "

In /etc/puppet/auth.conf on the puppet master:

path /facts
method find
auth any
allow *

I restarted puppetmaster and puppet-dashboard, but I still get the above error. Any ideas or troubleshooting tips?

UPDATE

I am running puppet v2.7.13. As requested, here is my full /etc/puppet/auth.conf. Most of these are defaults that were already in the config:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# unconditionally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

# Inventory
path /facts
method find
auth any
allow *

/etc/puppet/puppet.conf

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

[master]
   reports = store, http
   reporturl = http://puppetmasterhostname.example.com:3000/reports/upload
   facts_terminus = yaml
   storeconfigs = true
   storeconfigs_backend = puppetdb
   node_terminus = exec
   external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://localhost:3000 /opt/puppet-dashboard/bin/external_node
Banjer
  • What does the rest of your `auth.conf` look like? What about the `puppet.conf` file? – Tom May 25 '12 at 16:57

4 Answers

3

I had the same issue and found that line 99 in /etc/puppet/auth.conf corresponded to the following:

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

Commenting out path / and auth any allowed the Dashboard to access inventory using the following config:

path /facts
auth yes
method find, search
allow dashboard

...as taken from http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html.

namespace.conf and the other paths weren't necessary for me.

user15286
2

My config has the following...

path /facts
auth any
allow *

path /fact
auth any
allow *

path /facts_search
allow *

I think I also had to create an empty file called namespaceauth.conf like so:

touch /etc/puppet/namespaceauth.conf
Tom
  • I updated `/etc/puppet/auth.conf` on the puppet master to your config and it is working now. Thanks for the help. – Banjer May 29 '12 at 18:46
2

It's an ordering issue - make sure the section:

path /facts
method find
auth any
allow *

is BEFORE the default section:

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

That worked + resolved the issue for me. Or as above, you could just comment it out!

slm
Dan King
2

The problem that you are having is two-fold. First, your auth.conf file needs to have the proper access. Many of the solutions mentioned here achieve that but at great risk! By using the following:

path /facts
auth any
allow *

path /fact
auth any
allow *

path /facts_search
allow *

... you are allowing * access

"asterisk" means EVERYONE!!!

To fix this problem, you need auth.conf to have:

path /facts
auth yes
method find, search
allow dashboard

Then you need to create certs for "dashboard" user, just like you do for nodes. On CentOS 6 with puppet-dashboard-1.2.23-1.el6.noarch, these are the steps:

1) ensure that config/settings.yml has the correct hostname and port for your puppetmaster

2) generate your keypair for dashboard:

    sudo -u puppet-dashboard rake cert:create_key_pair

3) generate the cert request for dashboard:

    sudo -u puppet-dashboard rake cert:request

4) on the puppetmaster, sign the cert:

    puppet cert sign dashboard

5) get the cert from the puppetmaster

    sudo -u puppet-dashboard rake cert:retrieve

6) restart dashboard

All of this will allow dashboard access to your puppetmaster facts with Certificate authentication.

Enjoy!
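
The ordering problem and the `allow *` risk raised in the answers above, as an added example (not code from this thread or from Puppet): a small Python checker that models auth.conf as first-match-wins over prefix paths. That model is a simplifying assumption (regex `path ~` rules and `$1` backreferences are not handled), `SAMPLE` is a constructed excerpt, and `parse`, `decide` and `audit` are hypothetical helper names.

```python
# Constructed excerpt: the catch-all "path /" sits above the /facts rule, as in the question.
SAMPLE = """\
path /
auth any

path /facts
method find
auth any
allow *
"""

def parse(text):
    """Rules in file order; auth defaults to 'yes' (client certificate required)."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        key, _, val = raw.split("#", 1)[0].strip().partition(" ")
        vals = [v.strip() for v in val.split(",") if v.strip()]
        if key == "path":
            rules.append({"line": no, "path": val.strip(), "method": [],
                          "auth": "yes", "allow": []})
        elif rules and key in ("method", "allow"):
            rules[-1][key] += vals
        elif rules and key == "auth":
            rules[-1]["auth"] = val.strip()
    return rules

def matches(r, path, method, authenticated):
    if not path.startswith(r["path"]) or (r["method"] and method not in r["method"]):
        return False
    return r["auth"] == "any" or (r["auth"] == "yes") == authenticated

def decide(rules, path, method, node, authenticated=True):
    """First matching rule decides; returns (allowed, line of that rule)."""
    for r in rules:
        if matches(r, path, method, authenticated):
            return ("*" in r["allow"] or node in r["allow"]), r["line"]
    return False, None

def audit(rules):
    """Flag rules hidden behind an earlier catch-all and facts rules open to anyone."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if r["path"].startswith(e["path"]) and not e["method"] and e["auth"] == "any":
                out.append((r["line"], "unreachable: shadowed by line %d" % e["line"]))
                break
        if r["path"].startswith("/fact") and "*" in r["allow"] and r["auth"] != "yes":
            out.append((r["line"], "facts open to unauthenticated clients"))
    return out
```

Running `decide(parse(SAMPLE), "/facts/agenthostname.example.com", "find", "dashboard")` reports the deny coming from the catch-all rule rather than from the `/facts` block, which is the behaviour the 403 in the question points at.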