Docs Puppet Enterprise Configuring Puppet Enterprise Configuring the console

Configuring the console

Sections

Configure the PE console and console-services

Console and console-services parameters
Password complexity parameters

Customize the HTTPS redirect target URL
Disable the HTTPS redirect

After installing Puppet Enterprise, you can change product settings to customize the console's behavior. Many settings can be configured in the console itself.

Configure the PE console and console-services

Configure the behavior of the console and console-services, as needed.

To configure settings in the console:

Click Node groups, and select the node group that contains the class you want to work with.
On the Classes tab, find the class you want to work with, select the Parameter name from the list and edit its value.
Click Add parameter and commit changes.
On the nodes hosting the primary server and console, run Puppet.

Console and console-services parameters

Use these parameters to customize the behavior of the console and console-services in the PE Console node group. Parameters that begin with puppet_enterprise::profile can be modified from the console itself.

puppet_enterprise::profile::console::classifier_synchronization_period: Integer representing, in seconds, the classifier synchronization period, which controls how long it takes the node classifier to retrieve classes from the primary server.; Default: "600" (seconds).
puppet_enterprise::profile::console::rbac_failed_attempts_lockout: Integer specifying how many failed login attempts are allowed on an account before that account is revoked.; Default: "10" (attempts).
puppet_enterprise::profile::console::rbac_password_reset_expiration: Integer representing, in hours, how long a user's generated token is valid for. An administrator generates this token for a user so that they can reset their password.; Default: "24" (hours).
puppet_enterprise::profile::console::rbac_session_timeout: Integer representing, in minutes, how long a user's session can last. The session length is the same for node classification, RBAC, and the console.; Default: "60" (minutes).
puppet_enterprise::profile::console::session_maximum_lifetime: Integer representing the maximum allowable period that a console session can be valid. To not expire before the maximum token lifetime, set to '0'.; Supported units are "s" (seconds), "m" (minutes), "h" (hours), "d" (days), "y" (years). Units are specified as a single letter following an integer, for example "1d"(1 day). If no units are specified, the integer is treated as seconds.
puppet_enterprise::profile::console::rbac_token_auth_lifetime: A value representing the default authentication lifetime for a token. It cannot exceed the rbac_token_maximum_lifetime. This is represented as a numeric value followed by "y" (years), "d" (days), "h" (hours), "m" (minutes), or "s" (seconds). The default is "1h".
puppet_enterprise::profile::console::rbac_token_maximum_lifetime: A value representing the maximum allowable lifetime for all tokens. This is represented as a numeric value followed by "y" (years), "d" (days), "h" (hours), "m" (minutes), or "s" (seconds). The default is "10y".
puppet_enterprise::profile::console::console_ssl_listen_port: Integer representing the port that the console is available on.; Default: [443]
puppet_enterprise::profile::console::ssl_listen_address: Nginx listen address for the console.; Default: "0.0.0.0"
puppet_enterprise::profile::console::classifier_prune_threshold: Integer representing the number of days to wait before pruning the size of the classifier database. If you set the value to "0", the node classifier service is never pruned.
puppet_enterprise::profile::console::classifier_node_check_in_storage: "true" to store an explanation of how nodes match each group they're classified into, or "false".; Default: "false"
puppet_enterprise::profile::console::display_local_time: "true" to display timestamps in local time, with hover text showing UTC time, or "false" to show timestamps in UTC time.; Default: "false"
puppet_enterprise::profile::console::disclaimer_content_path: Specifies the location of the disclaimer.txt file, which contains the disclaimer content that appears on the console login page.; Default: /etc/puppetlabs/console-services

Modify these configuration parameters in Hiera or pe.conf, not the console:

puppet_enterprise::api_port: SSL port that the node classifier is served on.; Default: [4433]
puppet_enterprise::console_services::no_longer_reporting_cutoff: Length of time, in seconds, before a node is considered unresponsive.; Default: 3600 (seconds)

console_admin_password: The password to log into the console, for example "myconsolepassword".; Default: Specified during installation.

Password complexity parameters

Use the console to configure the complexity requirements for new passwords created by local users.

Note: Changing password complexity requirements doesn't affect existing passwords for local users. Requirements are enforced when creating or updating a password only.

puppet_enterprise::profile::console::login_minimum_length: Integer specifying the number of characters required in a login/username. For example, usernames must have at least 6 characters.; Default: 1
puppet_enterprise::profile::console::password_minimum_length: Integer specifying the minimum number of characters required in a password. For example, passwords must have at least 8 characters.; Default: 8
puppet_enterprise::profile::console::letters_required: Integer specifying the number of letters required in a password. For example, passwords must have a minimum of 6 letters.; Default: 0
puppet_enterprise::profile::console::lowercase_letters_required: Integer specifying the number of lowercase letters required. For example,passwords must have at least 4 lowercase letters.; Default: 0
puppet_enterprise::profile::console::uppercase_letters_required: Integer specifying the number of uppercase letters required. For example, passwords must have at least 1 uppercase letter.; Default: 0
puppet_enterprise::profile::console::numbers_required: Integer specifying how many numbers must be in a password. For example, passwords must consist of at least 1 number.; Default: 0
puppet_enterprise::profile::console::special_characters_required: Integer specifying the number of special characters required. For example, passwords must have at least 1 special character, such as @, #, $, or !.; Default: 0
puppet_enterprise::profile::console::number_of_previous_passwords: Integer specifying the number of previous passwords unavailable for reuse. For example, a new password cannot be any of the previous 3 passwords.; Default: 0
puppet_enterprise::profile::console::username_substring_match: Boolean specifying whether to compare strings between logins/usernames and passwords in order to apply a substring_character_limit.; Default: false
puppet_enterprise::profile::console::substring_character_limit: Integer specifying how many consecutive characters from the login/username are allowed in the password. For example, passwords cannot include more than 3 consecutive characters from the user's login.; Default: 0

Manage the HTTPS redirect

By default, the console redirects to HTTPS when you attempt to connect over HTTP. You can customize the redirect target URL or disable redirection.

Customize the HTTPS redirect target URL

By default, the redirect target URL is the same as the FQDN of your primary server, but you can customize this redirect URL.

To change the target URL in the console:

Click Node groups, and select the PE Infrastructure node group.
On the Classes tab, find the puppet_enterprise::profile::console::proxy::http_redirect class, select the server_name parameter from the list, and change its value to the desired server.
Click Add parameter and commit changes.
On the nodes hosting the primary server and console, run Puppet.

Disable the HTTPS redirect

The pe-nginx webserver listens on port 80 by default. If you need to run your own service on port 80, you can disable the HTTPS redirect.

Add the following to your default .yaml file with the parameter set to false.

puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: falseCopied!

To compile changes, run puppet agent -t on the primary server.

Enable data editing in the console

The ability to edit configuration data in the console is enabled by default in new installations. If you upgrade from an earlier version and didn't previously have configuration data enabled, you must manually enable classifier configuration data, because enabling requires edits to your hiera.yaml file.

On your primary server, edit /etc/puppetlabs/puppet/hiera.yaml to add:
```
hierarchy: 
- name: "Classifier Configuration Data"
  data_hash: classifier_data        Copied!
```
Place any additional hierarchy entries, such as hiera-yaml or hiera-eyaml under the same hierarchy key, preferably below the Classifier Configuration Data entry.
Note: If you enable data editing in the console, add both Set environment and Edit configuration data to groups that set environment or modify class parameters in order for users to make changes.
If your environment is configured for disaster recovery, update hiera.yaml on your replica.

Add custom PQL queries to the console

Add your own PQL queries to the console and quickly access them when running jobs.

On the primary sever, as root, copy the custom_pql_queries.json.example file and remove the example suffix.

cp
/etc/puppetlabs/console-services/custom_pql_queries.json.example 
/etc/puppetlabs/console-services/custom_pql_queries.jsonCopied!

Edit the file contents to include your own PQL queries or remove any existing queries.
Refresh the console UI in your browser.

Results

You can now see your custom queries in the PQL drop down options when running jobs.