Puppet Server: SERVER-2302

puppetserver's simple status endpoint returns 403


Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: SERVER 5.3.0
    • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
    • Component/s: None
    • Labels: None
    • Team: Froyo
    • Needs Assessment
    • Release Notes: Bug Fix
    • Release Note Summary:
      There was a regression in Puppet Server 5.3.0 when we added the ability to wrap the status service within tk-auth. The intention was to default the status service to unauthenticated (in order to maintain compatibility). However, a rule was only written for the "services" endpoint of the status service, not the "simple" endpoint. Consequently, access to the simple endpoint was forbidden by default. This adds a rule for the simple endpoint to also be unauthenticated and updates some missing documentation on how users can control access to the status endpoints themselves.
    • Needs Assessment

    Description

      The /status/v1/simple REST endpoint was added in puppetserver 2.6.0 as a health check for load balancers. According to https://puppet.com/docs/puppetserver/5.3/status-api/v1/simple.html#authorization the endpoint does not require authorization. But that doesn't appear to be the case:

      # rpm -qa | grep puppet
      puppet-nightly-release-1.0.0-2.el7.noarch
      puppet-agent-5.99.2.231.gf095aac-1.el7.x86_64
      puppetserver-6.0.0.master-0.1SNAPSHOT.2018.08.19T2214.el7.noarch
      # curl -v -k https://xa80twq2t9eur0o.delivery.puppetlabs.net:8140/status/v1/simple
      * About to connect() to xa80twq2t9eur0o.delivery.puppetlabs.net port 8140 (#0)
      *   Trying 10.32.120.108...
      * Connected to xa80twq2t9eur0o.delivery.puppetlabs.net (10.32.120.108) port 8140 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * NSS: client certificate not found (nickname not specified)
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      * Server certificate:
      * 	subject: CN=xa80twq2t9eur0o.delivery.puppetlabs.net
      * 	start date: Sep 04 20:26:47 2018 GMT
      * 	expire date: Sep 04 20:26:47 2023 GMT
      * 	common name: xa80twq2t9eur0o.delivery.puppetlabs.net
      * 	issuer: CN=Puppet CA: xa80twq2t9eur0o.delivery.puppetlabs.net
      > GET /status/v1/simple HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: xa80twq2t9eur0o.delivery.puppetlabs.net:8140
      > Accept: */*
      >
      < HTTP/1.1 403 Forbidden
      < Date: Wed, 05 Sep 2018 21:21:27 GMT
      < Content-Length: 91
      < Server: Jetty(9.4.z-SNAPSHOT)
      

      Adding the following to the default auth.conf fixes the issue:

              {
                  # Allow unauthenticated access to the simple status endpoint
                  match-request: {
                      path: "/status/v1/simple"
                      type: path
                      method: get
                  }
                  allow-unauthenticated: true
                  sort-order: 500
                  name: "puppetlabs simple status"
              },
      

      Restart puppetserver, then it works:

      # curl -k https://xa80twq2t9eur0o.delivery.puppetlabs.net:8140/status/v1/simple
      running
      

      Not sure how to handle upgrades though?
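      A load-balancer-style probe for the endpoint discussed in this report, added here as an example; it is not code from the report or from Puppet Server. It sends the same unauthenticated GET as the curl command above, but verifies the server certificate against the Puppet CA by default (the `-k` behaviour is opt-in) and reports a 403 separately from a dead server, so that a missing tk-auth rule, whether from the regression here or from a deliberately restrictive auth.conf, is not mistaken for an outage. The CA bundle path /etc/puppetlabs/puppet/ssl/certs/ca.pem is an assumption (the Puppet agent's default location), as is the expectation that a healthy server answers 200 with the plain-text body "running", which is what the fixed server returns above.

```python
"""Probe puppetserver's /status/v1/simple endpoint the way a load balancer would.

Added example for SERVER-2302; not code from the report or from Puppet Server.
"""
import ssl
import sys
import http.client
from urllib.parse import urlsplit

# Assumption: the Puppet agent's default location for the CA certificate.
DEFAULT_CAFILE = "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
SIMPLE_PATH = "/status/v1/simple"

HEALTHY = "healthy"
FORBIDDEN = "forbidden"
UNHEALTHY = "unhealthy"


def classify_simple_status(status_code, body):
    """Map an HTTP response from /status/v1/simple to a health verdict.

    200 with the plain-text body "running" is healthy. 403 means tk-auth
    rejected the request before the status service ever saw it (the situation
    in this report, or an auth.conf that deliberately requires a client cert);
    it gets its own verdict because the server is up and only the rule is
    missing. Anything else is unhealthy; connection errors are handled by probe().
    """
    if status_code == 200 and body.strip() == "running":
        return HEALTHY
    if status_code == 403:
        return FORBIDDEN
    return UNHEALTHY


def fetch_simple_status(base_url, cafile=DEFAULT_CAFILE, verify=True, timeout=5.0):
    """GET /status/v1/simple with no client certificate; return (status, body)."""
    parts = urlsplit(base_url)
    host = parts.hostname
    port = parts.port or 8140
    if verify:
        # Verify the server certificate against the Puppet CA, as a real probe should.
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # Equivalent of `curl -k` in the report: acceptable for a one-off local check only.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", SIMPLE_PATH, headers={"Accept": "text/plain"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe(base_url, **kwargs):
    """Return (verdict, detail) for a live server; connection failures count as unhealthy."""
    try:
        status, body = fetch_simple_status(base_url, **kwargs)
    except (OSError, http.client.HTTPException) as exc:
        return UNHEALTHY, "connection failed: %s" % exc
    return classify_simple_status(status, body), "HTTP %d %r" % (status, body.strip())


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8140"
    verdict, detail = probe(url, verify="--insecure" not in sys.argv)
    print("%s: %s" % (verdict, detail))
    # Exit codes: 0 healthy, 2 forbidden (fix auth.conf), 1 unhealthy.
    sys.exit({HEALTHY: 0, FORBIDDEN: 2}.get(verdict, 1))
```

      Run it as `python3 probe_simple_status.py https://puppet.example.com:8140`; pass `--insecure` only to reproduce the `curl -k` check from the report. A non-zero exit with the "forbidden" verdict points at auth.conf (the allow-unauthenticated rule for /status/v1/simple shown above, or a stricter rule of your own), not at the JVM or the Jetty listener.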


    People

      Assignee: Unassigned
      Reporter: Josh Cooper
