Architecture #6353 (closed)

Generate access rules based on public keys

Added by Benoît PECCATTE about 9 years ago. Updated over 7 years ago.

Status: Released
Priority: N/A
Category: Web - Config management

Description

Generate access rules to access /var/rudder/share-secued based on public keys for cf-serverd


Related issues (2): 0 open, 2 closed

Related to Rudder - Architecture #6351: Agent recent enough should use their key to authenticate (Rejected, 2015-03-05)
Has duplicate Rudder - User story #7835: Enable TLS for file copy between server and agent (Rejected)
#1

Updated by Benoît PECCATTE about 9 years ago

  • Parent task set to #6363
#2

Updated by Benoît PECCATTE about 9 years ago

  • Category changed from 14 to Web - Config management
#3

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
#4

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
#5

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.0 to 3.1.1
#6

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.1 to 3.1.2
#7

Updated by Jonathan CLARKE over 8 years ago

  • Target version changed from 3.1.2 to 3.2.0~beta1
#8

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.2.0~beta1 to 3.2.0~rc1
#9

Updated by Benoît PECCATTE over 8 years ago

  • Target version changed from 3.2.0~rc1 to 3.2.0~rc2
#10

Updated by Benoît PECCATTE over 8 years ago

  • Target version changed from 3.2.0~rc2 to 3.2.0
#11

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.2.0 to 3.2.1
#12

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 3.2.1 to 3.2.2
#13

Updated by Alexis Mousset about 8 years ago

  • Target version changed from 3.2.2 to 4.0.0~rc2
#14

Updated by Alexis Mousset about 8 years ago

    "/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/"
      admit      => { host2ip("toto.rudder.local"), string_downcase(escape("toto.rudder.local")) },
      admit_keys => { "MD5=af41e716d3a43ceb7ce6c55cf30111ab" };

Gives:

2016-03-15T13:27:40+0000    debug: select(): 1
2016-03-15T13:27:40+0000    debug: Checking file updates for input file '/var/rudder/cfengine-community/inputs/promises.cf'
2016-03-15T13:27:40+0000    debug: No new promises found
2016-03-15T13:27:40+0000    debug: Socket descriptor returned from accept(): 7
2016-03-15T13:27:40+0000  verbose: Obtained IP address of '192.168.41.3' on socket 7 from accept
2016-03-15T13:27:40+0000    debug: Purging Old Connections...
2016-03-15T13:27:40+0000    debug: Done purging old connections
2016-03-15T13:27:40+0000  verbose: New connection (from 192.168.41.3, sd 7), spawning new thread...
2016-03-15T13:27:40+0000    debug: Waiting at incoming select...
2016-03-15T13:27:40+0000     info: 192.168.41.3> Accepting connection
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Setting socket timeout to 600 seconds.
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Peeked CAUTH in TCP stream, considering the protocol as Classic
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Peeked data: t 43....CAUTH 
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 43....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: CAUTH 192.168.41.3 toto.rudder.local root 0
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Connecting host identifies itself as '192.168.41.3 toto.rudder.local root 0'
2016-03-15T13:27:40+0000    debug: 192.168.41.3> (ipstring=[192.168.41.3],fqname=[toto.rudder.local],username=[root],socket=[192.168.41.3])
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 280...
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SAUTH y 256 37 c.oot....G.......;.q..K.N.u.tB.4#..C.#..[......xLx.:.]b.>..-..R.'..>..P...{..m5-...&Y....W{....sZ<K.n....v..........z:.$....Z..s...........S../...<..}.ahY...U`.Z`A.......*..7#.[.....ZV.c......d.."...M#+\.....,U............%.9..a.....ZT.||f.F~K.d...k.t9..*`..^....>.
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Challenge encryption = y, challenge_len = 37, crypt_len = 256
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 261...
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: ........{.,.o..k...,......>8..&p.ID.GJ..J...j.V.y.....k.\..ZL?C"U.d.&S.v.c.D.P)-m/.R.j....."4U..3~.......r...).Nkt...d...C..d....*.v..5.!P.. Y...I...l...T.;..N.V...../+I.w.A....D!.K...V).>...8....^....tl...K0o}.u..)..o*.oOv ..cgC.Z;..&s...z+|P?vm..r~h..g.....A.
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 5.....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: ....#
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Peer's identity is: MD5=af41e716d3a43ceb7ce6c55cf30111ab
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> A public key was already known from toto.rudder.local/192.168.41.3 - no trust required
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> The public key identity was confirmed as root@toto.rudder.local
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 16
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK: key accepted
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Sending challenge response
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 16
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: .x..8.9.Y.n~.j.n
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Sending counter-challenge
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 256
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: }4.3..,.p.......k.j....~.uv~R..J{.i.*R..`p....d.V..=...k...|.!......... ..G..{>....L.Mj.........|....ab..+...6F...Z..Z G.A.s._.....6..... ..z.R<vp75.$.]F.Si+#.Z....t6.........u<.1....b.....S^,.TQ.)e.DBg..J...[..#...z.H..I..s..x.f.H1^&u..Z...Y....;6Y..B....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 16....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: ..0c.^.4Bh.....i
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Authentication of client toto.rudder.local/192.168.41.3 achieved
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Receiving session key from client...
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 256...
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: z.?......Z..6Xx.2..*..}...~........1..Si...UP*s^~..&B..g..,..=....w.....jh.]....x.H.!8.,Pu...^...t..8... ......Y.hA..L...........u......v....c.....3.P8...=.D.9$.c..;wU....;j.....#..q.......5..8...''..l..JT)oas..>#..E............=N..2.....a....NE."E.....W..
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Received encrypted session key of 256 bytes, should decrypt to 16 bytes
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 152...
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SSYNCH 136..........Z.#IC...zC$L\.Y...e....?>U.=..s......;..z....W<n..;n.:.cjGQU?-[...KP...~.u[Uy.4..j..1.....H.#.:......k...`..w:...3.ZQ....@...zk.qF*.
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated is resolved to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/shared-files)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated in /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 14, atime=1458040196, mtime = 1458040171
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 14 1458040196 1458040171 1458040173 0 202287091 1 64768
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 144...
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SMD5 128........t.7...K...8.u.*.........=.l8.....'\...e.J.7.....?..f.Sz,........:z.DD......L..Qp.-..#.qp3a.........&!S.6 .3....^...d..g....V....
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated is resolved to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/configuration-repository/shared-files)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated,/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated in /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 80....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SSYNCH 64.r/shar....Z.#IC...zC$L.X...TG.......#.T..b........C..@..m.M.../. O..z*
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /usr/share/ncf/tree/ncf_hash_file is resolved to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/usr/share/ncf/tree/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/usr/share/ncf/tree/ncf_hash_file in /usr/share/ncf/tree)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 69
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 44 1458036333 1457949664 1457949664 0 2068413 1 64768
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 72....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SMD5 56.........S...GF....8.z*.l..xrp.....)P..S...c.. g....2&...&.....AA
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /usr/share/ncf/tree/ncf_hash_file is resolved to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/usr/share/ncf/tree/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/usr/share/ncf/tree/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/usr/share/ncf/tree/ncf_hash_file in /usr/share/ncf/tree)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 96....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SSYNCH 80./ncf/t....Z.#IC...zC$L\.Y...e....?>U.=T.+..-_...6.....8.......v.1....W*...@I....G..`8.
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /var/rudder/configuration-repository/ncf/ncf_hash_file is resolved to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/var/rudder/configuration-repository/ncf/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file in /var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 991, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 73
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 991 44 1458036333 1457949664 1457949664 0 135398130 1 64768
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 96....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SMD5 80.........t.7...K...8.u.*..C..>..s.f.....-Z.......Wq_,.j....\b..&...VNy..b...........P..q.
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /var/rudder/configuration-repository/ncf/ncf_hash_file is resolved to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/var/rudder/configuration-repository/ncf/ncf_hash_file,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/usr/share/ncf/tree)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file,/var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/configuration-repository/ncf/ncf_hash_file in /var/rudder/configuration-repository/ncf)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction header: t 60....
2016-03-15T13:27:40+0000    debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048460 STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Filename /var/rudder/tools/rudder_tools_updated is resolved to /var/rudder/tools/rudder_tools_updated
2016-03-15T13:27:40+0000    debug: 192.168.41.3> AccessControl, match (/var/rudder/tools/rudder_tools_updated,toto.rudder.local) encrypt request = 1
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/tools/rudder_tools_updated,/var/rudder/cfengine-community/masterfiles)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Examining rule in access list (/var/rudder/tools/rudder_tools_updated,/var/rudder/tools)
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Found a matching rule in access list (/var/rudder/tools/rudder_tools_updated in /var/rudder/tools)
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Checking whether to map root privileges..
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Mapping root privileges to access non-root files
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Access granted to host: 192.168.41.3
2016-03-15T13:27:40+0000  verbose: 192.168.41.3> Host toto.rudder.local granted access to /var/rudder/tools/rudder_tools_updated
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:27:40+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:27:40+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 25, atime=1458040196, mtime = 1457949664
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 25 1458040196 1457949664 1457949664 0 135626959 1 64768
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:27:40+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:27:40+0000     info: 192.168.41.3> Closed connection, terminating thread
----
2016-03-15T13:28:33+0000    debug: select(): 1
2016-03-15T13:28:33+0000    debug: Checking file updates for input file '/var/rudder/cfengine-community/inputs/promises.cf'
2016-03-15T13:28:33+0000    debug: No new promises found
2016-03-15T13:28:33+0000    debug: Socket descriptor returned from accept(): 7
2016-03-15T13:28:33+0000  verbose: Obtained IP address of '192.168.41.3' on socket 7 from accept
2016-03-15T13:28:33+0000    debug: Purging Old Connections...
2016-03-15T13:28:33+0000    debug: Done purging old connections
2016-03-15T13:28:33+0000  verbose: New connection (from 192.168.41.3, sd 7), spawning new thread...
2016-03-15T13:28:33+0000    debug: Waiting at incoming select...
2016-03-15T13:28:33+0000     info: 192.168.41.3> Accepting connection
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Setting socket timeout to 600 seconds.
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Peeked nothing important in TCP stream, considering the protocol as TLS
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Peeked data: ...........V..
2016-03-15T13:28:33+0000    debug: 192.168.41.3> TLSVerifyCallback: no ssl->peer_cert
2016-03-15T13:28:33+0000    debug: 192.168.41.3> TLSVerifyCallback: no conn_info->key
2016-03-15T13:28:33+0000    debug: 192.168.41.3> This must be the initial TLS handshake, accepting
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> TLS cipher negotiated: AES256-GCM-SHA384, TLSv1/SSLv3
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> TLS session established, checking trust...
2016-03-15T13:28:33+0000    debug: 192.168.41.3> TLSRecvLines(): CFE_v2 cf-agent 3.6.5.
2016-03-15T13:28:33+0000    debug: 192.168.41.3> TLSRecvLines(): IDENTITY USERNAME=root.
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Setting IDENTITY: USERNAME=root
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Received public key compares equal to the one we have stored
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> MD5=af41e716d3a43ceb7ce6c55cf30111ab: Client is TRUSTED, public key MATCHES stored one.
2016-03-15T13:28:33+0000     info: 192.168.41.3> Hostname (reverse looked up): agent3.rudder.local
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 127...
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:    STAT /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:    STAT /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit key due to rule: MD5=af41e716d3a43ceb7ce6c55cf30111ab
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated' found in ACL entry '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 14, atime=1458040196, mtime = 1458040171
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 14 1458040196 1458040171 1458040173 0 202287091 1 64768
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 127...
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: MD5 /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated..=.+..G.2.....s.x
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:     MD5 /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:     MD5 /var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit key due to rule: MD5=af41e716d3a43ceb7ce6c55cf30111ab
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/rules/cfengine-community/rudder_promises_generated' found in ACL entry '/var/rudder/share/f2146c02-2fbf-4520-a83a-6afc5517203a/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 55....
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:    STAT /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:    STAT /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/usr/share/ncf/tree/ncf_hash_file' found in ACL entry '/usr/share/ncf/tree/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 69
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 44 1458036333 1457949664 1457949664 0 2068413 1 64768
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 55....
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: MD5 /usr/share/ncf/tree/ncf_hash_file.2X>.O;T...(...h..
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:     MD5 /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:     MD5 /usr/share/ncf/tree/ncf_hash_file
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/usr/share/ncf/tree/ncf_hash_file' found in ACL entry '/usr/share/ncf/tree/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 76....
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:    STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:    STAT /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/var/rudder/configuration-repository/ncf/ncf_hash_file' found in ACL entry '/var/rudder/configuration-repository/ncf/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 991, size = 44, atime=1458036333, mtime = 1457949664
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 73
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 991 44 1458036333 1457949664 1457949664 0 135398130 1 64768
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 76....
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file.r.Y....'e.oB.5...
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:     MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:     MD5 /var/rudder/configuration-repository/ncf/ncf_hash_file
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/var/rudder/configuration-repository/ncf/ncf_hash_file' found in ACL entry '/var/rudder/configuration-repository/ncf/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Hashes matched ok
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 9
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: CFD_FALSE
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction header: t 60....
2016-03-15T13:28:33+0000    debug: 192.168.41.3> ReceiveTransaction data: SYNCH 1458048513 STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:28:33+0000  verbose: 192.168.41.3>      Received:    STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Translated to:    STAT /var/rudder/tools/rudder_tools_updated
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Admit IP due to rule: 192.168.41.0/24
2016-03-15T13:28:33+0000    debug: 192.168.41.3> acl_CheckPath: '/var/rudder/tools/rudder_tools_updated' found in ACL entry '/var/rudder/tools/', admit=true
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Clocks were off by 0
2016-03-15T13:28:33+0000    debug: 192.168.41.3> Getting size of link deref ''
2016-03-15T13:28:33+0000    debug: 192.168.41.3> OK: type = 0, mode = 600, lmode = 0, uid = 0, gid = 0, size = 25, atime=1458040196, mtime = 1457949664
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 71
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK: 0 384 0 0 0 25 1458040196 1457949664 1457949664 0 135626959 1 64768
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction header: t 3
2016-03-15T13:28:33+0000    debug: 192.168.41.3> SendTransaction data: OK:
2016-03-15T13:28:33+0000  verbose: 192.168.41.3> Remote peer terminated TLS session
2016-03-15T13:28:33+0000     info: 192.168.41.3> Closed connection, terminating thread
Actions #15

Updated by Nicolas CHARLES over 7 years ago

We can use both old and new protocols for access rules.

Actions #16

Updated by Benoît PECCATTE over 7 years ago

And we have to, to support older agents.
Since ACLs are OR-based ( !!! ), it will make the transition easy.
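
The OR-based evaluation the two comments above rely on, as an added example (a constructed model of cf-serverd's behaviour as the debug log shows it, not cf-serverd or Rudder code): an IP admit rule, a key admit rule, and prefix matching of the requested path against ACL entries. The share path and the key digests are assumed placeholders; the network and the ncf ACL prefix come from the log.

```python
import ipaddress

# Constructed model of cf-serverd's OR-based access rules: a path is admitted
# if ANY rule on the matching ACL entry admits the connection, whether by
# source network (old protocol) or by client key digest (new protocol).
# This is not cf-serverd code; it only reproduces the semantics the log shows.

# ACL prefixes taken from the debug log, with hypothetical admit rules.
# Key digests are placeholders, not real Rudder agent keys.
ACCESS_RULES = {
    "/var/rudder/configuration-repository/ncf/": {
        "admit_ips": ["192.168.41.0/24"],
        "admit_keys": [],
    },
    "/var/rudder/share/": {                          # assumed share path
        "admit_ips": ["192.168.41.0/24"],            # legacy, IP-based rule
        "admit_keys": ["SHA=<placeholder-node-A>"],  # new, key-based rule
    },
}


def matching_acl_entry(path, rules):
    """Mimic acl_CheckPath: longest ACL prefix that covers the requested path."""
    candidates = [prefix for prefix in rules if path.startswith(prefix)]
    return max(candidates, key=len) if candidates else None


def admit(path, client_ip, client_key=None, rules=ACCESS_RULES):
    """Return (admitted, reason). Rules are OR-ed: one match is enough."""
    entry = matching_acl_entry(path, rules)
    if entry is None:
        return False, "no ACL entry covers path"
    rule = rules[entry]
    if client_key is not None and client_key in rule["admit_keys"]:
        return True, f"Admit key under ACL entry {entry!r}"
    ip = ipaddress.ip_address(client_ip)
    for net in rule["admit_ips"]:
        if ip in ipaddress.ip_network(net):
            return True, f"Admit IP due to rule: {net}"
    return False, "no admit rule matched"


if __name__ == "__main__":
    # Old agent inside the subnet, no key: still admitted during the transition.
    print(admit("/var/rudder/share/nodeA/file", "192.168.41.3"))
    # New agent presenting a known key from outside the subnet: admitted by key.
    print(admit("/var/rudder/share/nodeA/file", "10.0.0.7", "SHA=<placeholder-node-A>"))
    # Caveat of OR-ing: any host in the subnet is admitted whatever key it has,
    # so key rules only restrict access once the IP rule is removed.
    print(admit("/var/rudder/share/nodeA/file", "192.168.41.200", "SHA=<unknown>"))
```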

Actions #17

Updated by Nicolas CHARLES over 7 years ago

  • Status changed from New to Pending technical review
  • Assignee set to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1052
Actions #18

Updated by Benoît PECCATTE over 7 years ago

  • Related to Architecture #6351: Agent recent enough should use their key to authenticate added
Actions #19

Updated by Nicolas CHARLES over 7 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #20

Updated by Benoît PECCATTE over 7 years ago

  • Target version changed from 4.0.0~rc2 to 318
Actions #21

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 318 to 4.0.0~rc2
Actions #22

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.0.0~rc2 to 4.0.0~rc1
Actions #23

Updated by Alexis Mousset over 7 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.0.0, which was released on the 10th of November 2016.

Actions #24

Updated by Vincent MEMBRÉ over 7 years ago

  • Parent task deleted (#6363)
Actions #25

Updated by Alexis Mousset about 7 years ago

  • Has duplicate User story #7835: Enable TLS for file copy between server and agent added