Closed acidprime closed 9 years ago
/opt/puppet/bin/puppet --version
3.8.2 (Puppet Enterprise 3.8.2)
/opt/puppet/bin/augtool --version
augtool 1.3.0 <http://augeas.net/>
Copyright (C) 2007-2011 David Lutterkort
License LGPLv2+: GNU LGPL version 2.1 or later
<http://www.gnu.org/licenses/lgpl-2.1.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by David Lutterkort
uname -a
Linux ca.vm 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
/opt/puppet/share/augeas/lenses/dist/puppet_auth.aug
(*
Module: Puppet_Auth
Parses /etc/puppet/auth.conf
Author: Raphael Pinson <raphael.pinson@camptocamp.com>
About: Reference
This lens tries to keep as close as possible to `http://docs.puppetlabs.com/guides/rest_auth_conf.html` where possible.
About: License
This file is licenced under the LGPL v2+, like the rest of Augeas.
About: Lens Usage
To be documented
About: Configuration files
This lens applies to /etc/puppet/auth.conf. See <filter>.
About: Examples
The <Test_Puppet_Auth> file contains various examples and tests.
*)
module Puppet_Auth =
autoload xfm
(* View: list
A list of values *)
let list (kw:string) (val:regexp) =
let item = [ seq kw . store val ]
in let comma = del /[ \t]*,[ \t]*/ ", "
in [ Util.indent . key kw . Sep.space
. Build.opt_list item comma . Util.comment_or_eol ]
(* View: auth
An authentication stanza *)
let auth =
[ Util.indent . Build.xchg /auth(enticated)?/ "auth" "auth"
. Sep.space . store /yes|no|on|off|any/ . Util.comment_or_eol ]
(* View: reset_counters *)
let reset_counters =
counter "environment" . counter "method"
. counter "allow" . counter "allow_ip"
(* View: setting *)
let setting = list "environment" Rx.word
| list "method" /find|search|save|destroy/
| list "allow" /[^# \t\n,][^#\n,]*[^# \t\n,]|[^# \t\n,]/
| list "allow_ip" /[A-Za-z0-9.:\/]+/
| auth
(* View: record *)
let record =
let operator = [ label "operator" . store "~" ]
in [ Util.indent . key "path"
. (Sep.space . operator)?
. Sep.space . store /[^~# \t\n][^#\n]*[^# \t\n]|[^~# \t\n]/ . Util.eol
. reset_counters
. (Util.empty | Util.comment | setting)*
. setting ]
(* View: lns *)
let lns = (Util.empty | Util.comment | record)*
(* Variable: filter *)
let filter = (incl "/etc/puppet/auth.conf"
.incl "/usr/local/etc/puppet/auth.conf"
.incl "/etc/puppetlabs/puppet/auth.conf")
let xfm = transform lns filter
Removing the respective entries from the file, results in their creation
path ~ ^/node/([^/]+)$
method find
auth yes
allow $1
path /certificate_revocation_list/ca
method find
auth yes
allow *
path ~ ^/report/([^/]+)$
method save
auth yes
allow $1
path /file
auth yes
allow *
path /certificate/ca
method find
auth any
allow *
path /certificate/
method find
auth any
allow *
path /certificate_request
method find, save
auth any
allow *
path /v2.0/environments
method find
auth yes
allow *
path /resource_type
method find, search
auth yes
allow pe-internal-dashboard, pe-internal-classifier
path /
auth any
#allow * <- here so I could do the puppet run after removal
path ~ ^/catalog/([^/]+)$
method find
allow $1, compile-master-1.vm
auth yes
path /facts
method find, search
allow $1, compile-master-1.vm, pe-internal-dashboard
auth any
So if the entries don't exist, they get created, and if they already exist, they get removed?
They don't actually get removed, they don't get changed at all. The diff shows them as being removed but thats basically showing the opposite of what should be happening. As if we were managing the rules in reverse.
So if they exist, the behavior is OK, but the logs are wrong?
If they exist, they are NOT edited. And the log above is displayed, indicating a diff which on its face appears to show it removing the things it should be adding. The resultant file is basically not touched.
If they don't exist they are added:
Removing the respective entries from the file, results in their creation
path ~ ^/node/([^/]+)$ method find auth yes allow $1
path /certificate_revocation_list/ca method find auth yes allow *
path ~ ^/report/([^/]+)$ method save auth yes allow $1
path /file auth yes allow *
path /certificate/ca method find auth any allow *
path /certificate/ method find auth any allow *
path /certificate_request method find, save auth any allow *
path /v2.0/environments method find auth yes allow *
path /resource_type method find, search auth yes allow pe-internal-dashboard, pe-internal-classifier
path / auth any
allow * <- here so I could do the puppet run after removal
path ~ ^/catalog/([^/]+)$ method find allow $1, compile-master-1.vm auth yes path /facts method find, search allow $1, compile-master-1.vm, pe-internal-dashboard auth any
It'd be really great if you could provide a failing unit test for this.
@acidprime just reading your issue again:
Notice: /Stage[main]/Catalog_diff/Puppet_auth[allow the diff server to retrieve any catalog]/allow: allow changed ['$1'] to '$1 compile-master-1.vm'
Notice: /Stage[main]/Catalog_diff/Puppet_auth[allow the diff server to query facts]/allow: allow changed ['pe-internal-dashboard'] to '$1 compile-master-1.vm pe-internal-dashboard'
Notice: /Stage[main]/Puppet_enterprise::Profile::Master::Auth_conf/File[/etc/puppetlabs/puppet/auth.conf]/content:
Your Puppet_enterprise::Profile::Master::Auth_conf
class manages the file in its entirety with a content
parameter, which is why the diff is "reversed" when you apply. It's just a resource collision.
@raphink heh, good catch
Given the following auth.conf
With the following puppet code
Causes the no changes and results in a rather strange diff