Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2302

puppetserver's simple status endpoint returns 403

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: SERVER 5.3.0
    • Fix Version/s: SERVER 5.3.6, SERVER 6.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Team:
      Froyo
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      There was a regression in Puppet Server 5.3.0 when we added the ability to wrap the status service within tk-auth. The intention was to default the status service to unauthenticated (in order to maintain compatibility). However, a rule was only written for the "services" endpoint of the status service, not the "simple" endpoint. Consequently access to the simple endpoint was by default forbidden. This adds a rule for the simple endpoint to also be unauthenticated and updates some missing documentation on how users can control access to the status endpoints themselves.
      Show
      There was a regression in Puppet Server 5.3.0 when we added the ability to wrap the status service within tk-auth. The intention was to default the status service to unauthenticated (in order to maintain compatibility). However, a rule was only written for the "services" endpoint of the status service, not the "simple" endpoint. Consequently access to the simple endpoint was by default forbidden. This adds a rule for the simple endpoint to also be unauthenticated and updates some missing documentation on how users can control access to the status endpoints themselves.
    • QA Risk Assessment:
      Needs Assessment

      Description

      The /status/v1/simple REST endpoint was added in puppetserver 2.6.0 as health check for load-balancers. According to https://puppet.com/docs/puppetserver/5.3/status-api/v1/simple.html#authorization the endpoint does not require authorization. But that doesn't appear to be the case:

      # rpm -qa | grep puppet
      puppet-nightly-release-1.0.0-2.el7.noarch
      puppet-agent-5.99.2.231.gf095aac-1.el7.x86_64
      puppetserver-6.0.0.master-0.1SNAPSHOT.2018.08.19T2214.el7.noarch
      # curl -v -k https://xa80twq2t9eur0o.delivery.puppetlabs.net:8140/status/v1/simple
      * About to connect() to xa80twq2t9eur0o.delivery.puppetlabs.net port 8140 (#0)
      *   Trying 10.32.120.108...
      * Connected to xa80twq2t9eur0o.delivery.puppetlabs.net (10.32.120.108) port 8140 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * NSS: client certificate not found (nickname not specified)
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      * Server certificate:
      * 	subject: CN=xa80twq2t9eur0o.delivery.puppetlabs.net
      * 	start date: Sep 04 20:26:47 2018 GMT
      * 	expire date: Sep 04 20:26:47 2023 GMT
      * 	common name: xa80twq2t9eur0o.delivery.puppetlabs.net
      * 	issuer: CN=Puppet CA: xa80twq2t9eur0o.delivery.puppetlabs.net
      > GET /status/v1/simple HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: xa80twq2t9eur0o.delivery.puppetlabs.net:8140
      > Accept: */*
      >
      < HTTP/1.1 403 Forbidden
      < Date: Wed, 05 Sep 2018 21:21:27 GMT
      < Content-Length: 91
      < Server: Jetty(9.4.z-SNAPSHOT)
      

      Adding the following to the default auth.conf fixes the issue:

              {
                  # Allow unauthenticated access to the simple status endpoint
                  match-request: {
                      path: "/status/v1/simple"
                      type: path
                      method: get
                  }
                  allow-unauthenticated: true
                  sort-order: 500
                  name: "puppetlabs simple status"
              },
      

      Restart puppetserver, then it works:

      # curl -k https://xa80twq2t9eur0o.delivery.puppetlabs.net:8140/status/v1/simple
      running
      

      Not sure how to handle upgrades though?

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support