Architecture #6353
Generate access rules based on public keys
Added by Benoît PECCATTE over 9 years ago. Updated almost 8 years ago.
Status: Released
Priority: N/A
Assignee:
Category: Web - Config management
Target version:
Fix check:
Regression:
Description
Generate access rules to access /var/rudder/share-secued based on public keys for cf-serverd
Updated by Benoît PECCATTE over 9 years ago
- Category changed from 14 to Web - Config management
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~rc1 to 3.1.0
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0 to 3.1.1
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.1 to 3.1.2
Updated by Jonathan CLARKE over 9 years ago
- Target version changed from 3.1.2 to 3.2.0~beta1
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.2.0~beta1 to 3.2.0~rc1
Updated by Benoît PECCATTE almost 9 years ago
- Target version changed from 3.2.0~rc1 to 3.2.0~rc2
Updated by Benoît PECCATTE almost 9 years ago
- Target version changed from 3.2.0~rc2 to 3.2.0
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.2.0 to 3.2.1
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.1 to 3.2.2
Updated by Alexis Mousset over 8 years ago
- Target version changed from 3.2.2 to 4.0.0~rc2
Updated by Alexis Mousset over 8 years ago
"/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/" admit => { host2ip("toto.rudder.local"), string_downcase(escape("toto.rudder.local")) }, admit_keys => {"MD5=af41e716d3a43ceb7ce6c55cf30111ab"};
Gives:
2016-03-15T13:27:40+0000 debug: select(): 1
2016-03-15T13:27:40+0000 debug: Checking file updates for input file '/var/rudder/cfengine-community/inputs/promises.cf'
2016-03-15T13:27:40+0000 debug: No new promises found
2016-03-15T13:27:40+0000 debug: Socket descriptor returned from accept(): 7
2016-03-15T13:27:40+0000 verbose: Obtained IP address of '192.168.41.3' on socket 7 from accept
2016-03-15T13:27:40+0000 debug: Purging Old Connections...
2016-03-15T13:27:40+0000 debug: Done purging old connections
2016-03-15T13:27:40+0000 verbose: New connection (from 192.168.41.3, sd 7), spawning new thread...
2016-03-15T13:27:40+0000 debug: Waiting at incoming select...
2016-03-15T13:27:40+0000 info: 192.168.41.3> Accepting connection
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Setting socket timeout to 600 seconds.
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Peeked CAUTH in TCP stream, considering the protocol as Classic
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Peeked data: t 43....CAUTH
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 43....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: CAUTH 192.168.41.3 toto.rudder.local root 0
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Connecting host identifies itself as '192.168.41.3 toto.rudder.local root 0'
2016-03-15T13:27:40+0000 debug: 192.168.41.3> (ipstring=[192.168.41.3],fqname=[toto.rudder.local],username=[root],socket=[192.168.41.3])
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 280...
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SAUTH y 256 37 c.oot....G.......;.q..K.N.u.tB.4#..C.#..[......xLx.:.]b.>..-..R.'..>..P...{..m5-...&Y....W{....sZ<K.n....v..........z:.$....Z..s...........S../...<..}.ahY...U`.Z`A.......*..7#.[.....ZV.c......d.."...M#+\.....,U............%.9..a.....ZT.||f.F~K.d...k.t9..*`..^....>.
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Challenge encryption = y, challenge_len = 37, crypt_len = 256
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 261...
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: ........{.,.o..k...,......>8..&p.ID.GJ..J...j.V.y.....k.\..ZL?C"U.d.&S.v.c.D.P)-m/.R.j....."4U..3~.......r...).Nkt...d...C..d....*.v..5.!P.. Y...I...l...T.;..N.V...../+I.w.A....D!.K...V).>...8....^....tl...K0o}.u..)..o*.oOv ..cgC.Z;..&s...z+|P?vm..r~h..g.....A.
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 5.....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: ....#
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Peer's identity is: MD5=af41e716d3a43ceb7ce6c55cf30111ab
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> A public key was already known from toto.rudder.local/192.168.41.3 - no trust required
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> The public key identity was confirmed as root@toto.rudder.local
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 16
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK: key accepted
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Sending challenge response
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 16
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: .x..8.9.Y.n~.j.n
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Sending counter-challenge
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 256
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: }4.3..,.p.......k.j....~.uv~R..J{.i.*R..`p....d.V..=...k...|.!......... ..G..{>....L.Mj.........|....ab..+...6F...Z..Z G.A.s._.....6..... ..z.R<vp75.$.]F.Si+#.Z....t6.........u<.1....b.....S^,.TQ.)e.DBg..J...[..#...z.H..I..s..x.f.H1^&u..Z...Y....;6Y..B....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 16....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: ..0c.^.4Bh.....i
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Authentication of client toto.rudder.local/192.168.41.3 achieved
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Receiving session key from client...
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 256...
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: z.?......Z..6Xx.2..*..}...~........1..Si...UP*s^~..&B..g..,..=....w.....jh.]....x.H.!8.,Pu...^...t..8... ......Y.hA..L...........u......v....c.....3.P8...=.D.9$.c..;wU....;j.....#..q.......5..8...''..l..JT)oas..>#..E............=N..2.....a....NE."E.....W..
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Received encrypted session key of 256 bytes, should decrypt to 16 bytes
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 152...
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SSYNCH 136..........Z.#IC...zC$L\.Y...e....?>U.=..s......;..z....W<n..;n.:.cjGQU?-[...KP...~.u[Uy.4..j..1.....H.#.:......k...`..w:...3.ZQ....@...zk.qF*.
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated is resolved to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/shared-files)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated in /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 14, atime=1458040196, mtime = 1458040171
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 14 1458040196 1458040171 1458040173 0 202287091 1 64768
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 144...
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SMD5 128........t.7...K...8.u.*.........=.l8.....'\...e.J.7.....?..f.Sz,........:z.DD......L..Qp.-..#.qp3a.........&!S.6 .3....^...d..g....V....
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated is resolved to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/shared-files)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated in /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 80....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SSYNCH 64.r/shar....Z.#IC...zC$L.X...TG.......#.T..b........C..@..m.M.../. O..z*
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /usr/share/ncf/tree/ncf_hash_file is resolved to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/usr/share/ncf/tree/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/usr/share/ncf/tree/ncf_hash_file in /usr/share/ncf/tree)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 69
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 44 1458036333 1457949664 1457949664 0 2068413 1 64768
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 72....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SMD5 56.........S...GF....8.z*.l..xrp.....)P..S...c..
g....2&...&.....AA
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /usr/share/ncf/tree/ncf_hash_file is resolved to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/usr/share/ncf/tree/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/usr/share/ncf/tree/ncf_hash_file in /usr/share/ncf/tree)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 96....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SSYNCH 80./ncf/t....Z.#IC...zC$L\.Y...e....?>U.=T.+..-_...6.....8.......v.1....W*...@I....G..`8.
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /var/rudder/configuration-repository/ncf/ncf_hash_file is resolved to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/var/rudder/configuration-repository/ncf/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file in /var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 991, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 73
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 991 44 1458036333 1457949664 1457949664 0 135398130 1 64768
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 96....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SMD5 80.........t.7...K...8.u.*..C..>..s.f.....-Z.......Wq_,.j....\b..&...VNy..b...........P..q.
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /var/rudder/configuration-repository/ncf/ncf_hash_file is resolved to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/var/rudder/configuration-repository/ncf/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file in /var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction header: t 60....
2016-03-15T13:27:40+0000 debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048460 STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Filename /var/rudder/tools/rudder_tools_updated is resolved to /var/rudder/tools/rudder_tools_updated
2016-03-15T13:27:40+0000 debug: 192.168.41.3> AccessControl, match (/var/rudder/tools/rudder_tools_updated,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/tools/rudder_tools_updated,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Examining rule in access list (/var/rudder/tools/rudder_tools_updated,/var/rudder/tools)
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/tools/rudder_tools_updated in /var/rudder/tools)
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/tools/rudder_tools_updated
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 25, atime=1458040196, mtime = 1457949664
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 25 1458040196 1457949664 1457949664 0 135626959 1 64768
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000 info: 192.168.41.3> Closed connection, terminating thread
----
2016-03-15T13:28:33+0000 debug: select(): 1
2016-03-15T13:28:33+0000 debug: Checking file updates for input file '/var/rudder/cfengine-community/inputs/promises.cf'
2016-03-15T13:28:33+0000 debug: No new promises found
2016-03-15T13:28:33+0000 debug: Socket descriptor returned from accept(): 7
2016-03-15T13:28:33+0000 verbose: Obtained IP address of '192.168.41.3' on socket 7 from accept
2016-03-15T13:28:33+0000 debug: Purging Old Connections...
2016-03-15T13:28:33+0000 debug: Done purging old connections
2016-03-15T13:28:33+0000 verbose: New connection (from 192.168.41.3, sd 7), spawning new thread...
2016-03-15T13:28:33+0000 debug: Waiting at incoming select...
2016-03-15T13:28:33+0000 info: 192.168.41.3> Accepting connection
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Setting socket timeout to 600 seconds.
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Peeked nothing important in TCP stream, considering the protocol as TLS
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Peeked data: ...........V..
2016-03-15T13:28:33+0000 debug: 192.168.41.3> TLSVerifyCallback: no ssl->peer_cert
2016-03-15T13:28:33+0000 debug: 192.168.41.3> TLSVerifyCallback: no conn_info->key
2016-03-15T13:28:33+0000 debug: 192.168.41.3> This must be the initial TLS handshake, accepting
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> TLS cipher negotiated: AES256-GCM-SHA384, TLSv1/SSLv3
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> TLS session established, checking trust...
2016-03-15T13:28:33+0000 debug: 192.168.41.3> TLSRecvLines(): CFE_v2 cf-agent 3.6.5.
2016-03-15T13:28:33+0000 debug: 192.168.41.3> TLSRecvLines(): IDENTITY USERNAME=root.
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Setting IDENTITY: USERNAME=root
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received public key compares equal to the one we have stored
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> MD5=af41e716d3a43ceb7ce6c55cf30111ab: Client is TRUSTED, public key MATCHES stored one.
2016-03-15T13:28:33+0000 info: 192.168.41.3> Hostname (reverse looked up): agent3.rudder.local
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 127...
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: STAT /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: STAT /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit key due to rule: MD5=af41e716d3a43ceb7ce6c55cf30111ab
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated' found in ACL entry '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 14, atime=1458040196, mtime = 1458040171
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 14 1458040196 1458040171 1458040173 0 202287091 1 64768
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 127...
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: MD5 /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated..=.+..G.2.....s.x
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: MD5 /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: MD5 /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit key due to rule: MD5=af41e716d3a43ceb7ce6c55cf30111ab
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated' found in ACL entry '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 55....
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: STAT /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: STAT /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/usr/share/ncf/tree/ncf_hash_file' found in ACL entry '/usr/share/ncf/tree/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 69
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 44 1458036333 1457949664 1457949664 0 2068413 1 64768
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 55....
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: MD5 /usr/share/ncf/tree/ncf_hash_file.2X>.O;T...(...h..
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: MD5 /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: MD5 /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/usr/share/ncf/tree/ncf_hash_file' found in ACL entry '/usr/share/ncf/tree/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 76....
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/var/rudder/configuration-repository/ncf/ncf_hash_file' found in ACL entry '/var/rudder/configuration-repository/ncf/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 991, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 73
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 991 44 1458036333 1457949664 1457949664 0 135398130 1 64768
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 76....
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file.r.Y....'e.oB.5...
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/var/rudder/configuration-repository/ncf/ncf_hash_file' found in ACL entry '/var/rudder/configuration-repository/ncf/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction header: t 60....
2016-03-15T13:28:33+0000 debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Received: STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Translated to: STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/var/rudder/tools/rudder_tools_updated' found in ACL entry '/var/rudder/tools/', admit=true
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000 debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000 debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 25, atime=1458040196, mtime = 1457949664
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 25 1458040196 1457949664 1457949664 0 135626959 1 64768
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000 debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000 verbose: 192.168.41.3> Remote peer terminated TLS session
2016-03-15T13:28:33+0000 info: 192.168.41.3> Closed connection, terminating thread
Updated by Nicolas CHARLES about 8 years ago
We can use both the old and the new protocol for access rules.
Updated by Benoît PECCATTE about 8 years ago
And we have to, to support older agents.
Since ACLs are OR-based (!!!), it will make the transition easy.
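The rule pasted above admits a node both by hostname/IP (admit, what the classic protocol matches on) and by key (admit_keys, what the TLS protocol matches on), and the two are OR-ed. An added example, not code from this ticket or from rudder-techniques: a Python audit over cf-serverd debug lines of the shapes pasted above that records which rule admitted each request and flags any request for a node's /var/rudder/share/<uuid>/ directory that was not admitted by that node's own key. The EXPECTED_KEYS table and the SAMPLE_LOG lines are constructed for the example.

```python
"""Audit cf-serverd debug output: which access rule admitted each request,
and which requests for a node's /var/rudder/share/<uuid>/ directory were
admitted by something other than that node's own key.

Added example, not code from the Rudder ticket or rudder-techniques. The
log line shapes are the ones cf-serverd printed in the ticket (classic and
TLS protocol); EXPECTED_KEYS and SAMPLE_LOG are constructed for the example.
"""
import re

# Per-node share directory: /var/rudder/share/<node uuid>/...
SHARE_RE = re.compile(r"^/var/rudder/share/([0-9a-f-]{36})/")
# Every per-connection line is "<timestamp> <level>: <client ip>> <message>".
CLIENT_RE = re.compile(r"^\S+ \w+: ([\d.]+)> ")
# TLS protocol: admit decision first, then the path it applied to.
ADMIT_KEY_RE = re.compile(r"Admit key due to rule: (\S+)")
ADMIT_IP_RE = re.compile(r"Admit IP due to rule: (\S+)")
ACL_PATH_RE = re.compile(
    r"acl_CheckPath: '([^']+)' found in ACL entry '([^']+)', admit=(true|false)")
# Classic protocol: path and matching ACL entry on one line, no key involved.
CLASSIC_RE = re.compile(r"Found a matching rule in access list \((\S+) in ([^)]+)\)")

# Constructed table: node uuid -> key hash cf-serverd prints for that node.
EXPECTED_KEYS = {
    "f2146c02-2fbf-4520-a83a-6afc5517203a": "MD5=af41e716d3a43ceb7ce6c55cf30111ab",
}


def parse_grants(lines):
    """Yield (client_ip, path, method, rule) for each admitted request.

    method is 'key' (admit_keys matched), 'ip' (admit matched an IP rule)
    or 'host' (classic protocol, hostname/IP ACL). In the TLS protocol the
    'Admit ...' line precedes the acl_CheckPath line naming the path, so the
    admit decision is held per client until its path shows up."""
    pending = {}
    for line in lines:
        head = CLIENT_RE.match(line)
        if not head:
            continue  # listener-level lines (select, accept, ...)
        client = head.group(1)
        if m := ADMIT_KEY_RE.search(line):
            pending[client] = ("key", m.group(1))
        elif m := ADMIT_IP_RE.search(line):
            pending[client] = ("ip", m.group(1))
        elif m := ACL_PATH_RE.search(line):
            if m.group(3) == "true" and client in pending:
                method, rule = pending.pop(client)
                yield client, m.group(1), method, rule
        elif m := CLASSIC_RE.search(line):
            yield client, m.group(1), "host", m.group(2)


def audit_share_access(lines, expected_keys):
    """Return findings for share-directory requests not admitted by the key
    registered for that directory's node uuid: legacy host/IP admission, or
    a key that belongs to some other node."""
    findings = []
    for client, path, method, rule in parse_grants(lines):
        share = SHARE_RE.match(path)
        if not share:
            continue  # shared trees (ncf, tools) are admitted by IP by design
        uuid = share.group(1)
        wanted = expected_keys.get(uuid)
        if method != "key" or rule != wanted:
            findings.append({"client": client, "uuid": uuid, "path": path,
                             "method": method, "rule": rule, "expected": wanted})
    return findings


# Constructed sample modelled on the ticket's paste: one classic-protocol
# grant, one key grant, one IP grant, and (last two lines, invented) a grant
# to the same share directory by a key that is not the node's own.
_F = ("/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/"
      "rules/cfengine-community/rudder_promises_generated")
SAMPLE_LOG = [
    "2016-03-15T13:27:40+0000 verbose: 192.168.41.3> Found a matching rule in access list "
    f"({_F} in /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)",
    "2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit key due to rule: MD5=af41e716d3a43ceb7ce6c55cf30111ab",
    f"2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '{_F}' found in ACL entry "
    "'/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/', admit=true",
    "2016-03-15T13:28:33+0000 debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24",
    "2016-03-15T13:28:33+0000 debug: 192.168.41.3> acl_CheckPath: '/usr/share/ncf/tree/ncf_hash_file' "
    "found in ACL entry '/usr/share/ncf/tree/', admit=true",
    "2016-03-15T13:29:01+0000 debug: 192.168.41.9> Admit key due to rule: MD5=00000000000000000000000000000000",
    f"2016-03-15T13:29:01+0000 debug: 192.168.41.9> acl_CheckPath: '{_F}' found in ACL entry "
    "'/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/', admit=true",
]

if __name__ == "__main__":
    for f in audit_share_access(SAMPLE_LOG, EXPECTED_KEYS):
        print(f"{f['client']} reached share {f['uuid']} via {f['method']} rule "
              f"{f['rule']} (expected key {f['expected']})")
```

While older agents still need the hostname/IP entry, this is the check that shows which nodes are in fact using their key to reach their share directory and which are still being let in by the legacy rule.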
Updated by Nicolas CHARLES about 8 years ago
- Status changed from New to Pending technical review
- Assignee set to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1052
Updated by Benoît PECCATTE about 8 years ago
- Related to Architecture #6351: Agent recent enough should use their key to authenticate added
Updated by Nicolas CHARLES about 8 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset rudder-techniques|6cbd1cb448c29f983138060700c8554505b1de00.
Updated by Benoît PECCATTE about 8 years ago
- Target version changed from 4.0.0~rc2 to 318
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 318 to 4.0.0~rc2
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 4.0.0~rc2 to 4.0.0~rc1
Updated by Alexis Mousset about 8 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 4.0.0, which was released on 10 November 2016.
Updated by Alexis Mousset over 7 years ago
- Has duplicate User story #7835: Enable TLS for file copy between server and agent added