Configure the console

After installing Puppet Enterprise (PE), you can change product settings to customize the PE console's behavior. You can configure many of these settings directly in the console.

Configure the PE console and console-services

You can configure the behavior of the console and the console-services service.

You can set Password complexity parameters and a variety of other Console and console-services parameters, such as rbac_token_maximum_lifetime or display_local_time.

Parameters are set in the PE console, with Hiera, or in pe.conf. To configure settings in the PE console:

  1. Click Node groups, and select the node group that contains the class you want to configure.
  2. On the Classes tab, find the class you want to work with, select the Parameter name from the list and edit its value.
  3. Click Add parameter and commit changes.
  4. On the nodes hosting your primary server and PE console, run Puppet.
    Tip: There are several ways to Run Puppet on demand.

Console and console-services parameters

In the PE Console node group, these parameters customize the behavior of the console and the console-services service.

You can modify parameters that begin with puppet_enterprise::profile in the PE console.

puppet_enterprise::profile::console::classifier_synchronization_period
An integer representing, in seconds, the classifier synchronization period. This controls how long the node classifier can take to retrieve classes from the primary server.
Default: 600
puppet_enterprise::profile::console::ldap_sync_period_seconds
An integer specifying, in seconds, the interval at which LDAP user details and group membership associations are synchronized.
The default value is 1800 (30 minutes).
This synchronization refreshes the user details and group membership for every LDAP user in the system, regardless of the last time the user logged in. If a user is no longer present in LDAP, all user-group associations are removed from the user and all of the user's known tokens are revoked.
To disable automatic synchronization, set the value to 0 or a negative integer. When disabled, user details and group membership only refresh when the user logs in.
When enabled, various entries are recorded to console-services.log that indicate whether the service is enabled and when each synchronization event has completed.
puppet_enterprise::profile::console::ldap_cipher_suites
An array specifying the ciphers to use when establishing connections to configured LDAP servers.
Default: $puppet_enterprise::ssl_cipher_suites. This default value captures the array of ciphers specified by the puppet_enterprise::ssl_cipher_suites parameter. For information on ciphers you can use for console services, see Compatible ciphers.
puppet_enterprise::profile::console::rbac_failed_attempts_lockout
An integer specifying how many failed login attempts are allowed on an account before the account is revoked.
Default: 10
puppet_enterprise::profile::console::rbac_password_reset_expiration
An integer representing the number of hours that password reset tokens are valid.
An administrator generates these tokens for users to reset their passwords.
Default: 24
puppet_enterprise::profile::console::rbac_session_timeout
An integer representing, in minutes, how long a user's session can last.
The session length is the same for node classification, RBAC, and the console.
Default: 60
puppet_enterprise::profile::console::session_maximum_lifetime
A string representing how long a console session can last.
The value is formatted as a string consisting of a number and an optional suffix representing a unit of time: s (seconds), m (minutes), h (hours), d (days), or y (years).
Example: "1d" (one day)
If the suffix is omitted, the default unit of time is seconds.
A value of "0" sets an unlimited console session time.
To prevent console sessions from expiring before the maximum RBAC token lifetime, set this parameter to "0".
puppet_enterprise::profile::console::session_timeout_warning_seconds
An integer specifying, in seconds, the interval after the timeout warning message appears until the console session expires due to inactivity.
Default: 120
puppet_enterprise::profile::console::session_timeout_polling_frequency_seconds
An integer specifying, in seconds, the interval at which the UI polls the server to determine whether the user is active.
Default: 60
puppet_enterprise::profile::console::rbac_token_auth_lifetime
A string representing the default authentication lifetime for a token.
The value is formatted as a string consisting of a number followed by a suffix representing a unit of time: y (years), d (days), h (hours), m (minutes), or s (seconds).
Important: This value cannot exceed the rbac_token_maximum_lifetime.
Default: "1h" (one hour)
puppet_enterprise::profile::console::rbac_token_maximum_lifetime
A string representing the maximum allowable lifetime for all tokens.
The value is formatted as a string consisting of a number followed by a suffix representing a unit of time: y (years), d (days), h (hours), m (minutes), or s (seconds).
Default: 10y (10 years)
puppet_enterprise::profile::console::console_ssl_listen_port
An integer representing the port that the console listens on.
Default: 443
puppet_enterprise::profile::console::ssl_listen_address
A string containing an IP address representing the console's NGINX listen address.
Default: "0.0.0.0"
puppet_enterprise::profile::console::classifier_prune_threshold
An integer representing the number of days to wait before pruning the node classifier database. The node classifier database contains node check-in history if classifier_node_check_in_storage is enabled.
Set the value to 0 to never prune the node classifier database.
Default: 7 (days). There is data to prune only if classifier_node_check_in_storage is true.
puppet_enterprise::profile::console::classifier_node_check_in_storage
A Boolean specifying whether to create records when nodes check in with the node classifier. These records describe how nodes match the node groups they're classified into.
Set to true to enable node check-in storage. Enabling this parameter is required to use Nodes check-in history endpoints.
Set to false to disable node check-in storage.
Default: false
puppet_enterprise::profile::console::display_local_time
A Boolean indicating whether to show timestamps in the local time or UTC.
Set to true to display timestamps in local time with hover text showing the equivalent UTC time.
Set to false to show timestamps in UTC time with no hover text.
Default: false
puppet_enterprise::profile::console::disclaimer_content_path
Specifies the location of the disclaimer.txt file containing disclaimer content that can appear on the console login page if you Create a custom login disclaimer.
Default: "/etc/puppetlabs/console-services"
Tip: You can also use the RBAC API Disclaimer endpoints to configure the disclaimer without needing to reference a specific file location on disk.
The following parameters must be set in Hiera or pe.conf, not the console:
puppet_enterprise::api_port
An integer specifying the SSL port that the node classifier is served on.
Default: 4433
puppet_enterprise::console_services::no_longer_reporting_cutoff
Length of time, in seconds, before a node is considered unresponsive.
Default: 3600 (seconds)
For more information, refer to Node run statuses.
console_admin_password
The password to log in to the console as the admin.
Example: "myconsolepassword"
Default: Specified during installation.
Tip: You can also Reset the console administrator password from the command line.
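
The lifetime rules in the parameter list above (rbac_token_auth_lifetime cannot exceed rbac_token_maximum_lifetime, and a non-zero session_maximum_lifetime can end console sessions before the maximum token lifetime) can be checked before you commit a change. The following is an added example, not code from Puppet or from the original page. It assumes flat "key: value" Hiera lines, counts one year as 365 days for comparison, and uses constructed sample values; the function names are the example's own.

```python
import re

PREFIX = "puppet_enterprise::profile::console::"
# Assumption for comparison only: one year is counted as 365 days.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}

# Constructed sample of flat Hiera data; not taken from a real installation.
SAMPLE_HIERA = """\
puppet_enterprise::profile::console::rbac_token_auth_lifetime: "30d"
puppet_enterprise::profile::console::rbac_token_maximum_lifetime: "7d"
puppet_enterprise::profile::console::session_maximum_lifetime: "3600"
"""

def to_seconds(value, suffix_optional=False):
    """Convert '<number><unit>' to seconds. A bare number is accepted only
    where the page says the suffix is optional (session_maximum_lifetime)."""
    match = re.fullmatch(r"(\d+)([smhdy]?)", str(value).strip())
    if not match or not (match.group(2) or suffix_optional):
        raise ValueError(f"not a valid duration: {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2) or "s"]

def load_flat(text):
    """Read 'key: value' lines; nested YAML structures are not handled."""
    params = {}
    for line in text.splitlines():
        match = re.match(r"^(\S+):\s+(.+)$", line.strip())
        if match and not line.lstrip().startswith("#"):
            params[match.group(1)] = match.group(2).strip().strip("\"'")
    return params

def audit(params):
    """Return findings for the lifetime rules stated in the parameter list."""
    findings = []
    # Unset token parameters fall back to the defaults listed on the page.
    auth = to_seconds(params.get(PREFIX + "rbac_token_auth_lifetime", "1h"))
    maximum = to_seconds(params.get(PREFIX + "rbac_token_maximum_lifetime", "10y"))
    if auth > maximum:
        findings.append("rbac_token_auth_lifetime exceeds rbac_token_maximum_lifetime")
    session = params.get(PREFIX + "session_maximum_lifetime")
    if session is not None:
        session_s = to_seconds(session, suffix_optional=True)
        if session_s != 0 and session_s < maximum:  # "0" means unlimited
            findings.append("session_maximum_lifetime ends sessions before "
                            "rbac_token_maximum_lifetime is reached")
    return findings

if __name__ == "__main__":
    for finding in audit(load_flat(SAMPLE_HIERA)):
        print("FINDING:", finding)
```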

Password complexity parameters

These parameters set complexity requirements for new passwords created by local users.

Important: Changing password complexity requirements doesn't impact local users' existing passwords. Requirements are enforced only when creating or changing a password.
puppet_enterprise::profile::console::login_minimum_length
An integer specifying the minimum number of characters required in a login (user name). For example, user names must be at least six characters.
Default: 1
puppet_enterprise::profile::console::password_minimum_length
An integer specifying the minimum number of characters required in a password. For example, passwords must be at least eight characters.
Default: 8
puppet_enterprise::profile::console::letters_required
An integer specifying the minimum number of letter characters required in a password. For example, passwords must have at least one letter.
Default: 0
puppet_enterprise::profile::console::lowercase_letters_required
An integer specifying the minimum number of lowercase letter characters required in a password. For example, passwords must have at least one lowercase letter.
Default: 0
puppet_enterprise::profile::console::uppercase_letters_required
An integer specifying the minimum number of capital letter characters required in a password. For example, passwords must have at least one capital letter.
Default: 0
puppet_enterprise::profile::console::numbers_required
An integer specifying the minimum number of number characters required in a password. For example, passwords must have at least one number, 0 through 9.
Default: 0
puppet_enterprise::profile::console::special_characters_required
An integer specifying the minimum number of special characters required in a password, such as @, #, $, or !. For example, passwords must have at least one special character.
Default: 0
puppet_enterprise::profile::console::number_of_previous_passwords
An integer specifying the number of previous passwords the system remembers so they can't be reused when a user changes their password. For example, a user's new password can't be the same as any of the user's previous three passwords.
Default: 0
puppet_enterprise::profile::console::username_substring_match
A Boolean specifying whether to compare logins (user names) and passwords for uniqueness.
Set to true to apply the substring_character_limit and prevent users from creating login-password combinations where the password is completely or partially the same as the login.
Default: false
puppet_enterprise::profile::console::substring_character_limit
An integer specifying how many consecutive characters from the login (user name) can appear in the password. For example, passwords cannot include more than three consecutive characters from the login.
Default: 0

For RBAC-related parameters, such as rbac_failed_attempts_lockout, refer to Console and console-services parameters and Configure RBAC and token-based authentication settings.
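
To see which candidate passwords a proposed set of complexity values would accept, you can model the parameters before applying them. The following is an added example, not code from Puppet or from the original page. It assumes that "special" means any character that is not a letter or a digit 0 through 9, that the login comparison ignores case, and that the limit is applied as "no more than N consecutive login characters"; number_of_previous_passwords is not modelled, and the logins and passwords used are constructed.

```python
import string

# Defaults as listed in the parameter descriptions (prefix dropped for brevity).
DEFAULT_POLICY = {
    "password_minimum_length": 8, "letters_required": 0,
    "lowercase_letters_required": 0, "uppercase_letters_required": 0,
    "numbers_required": 0, "special_characters_required": 0,
    "username_substring_match": False, "substring_character_limit": 0,
}

def shares_run(login, password, limit):
    """True if more than `limit` consecutive login characters occur in the
    password. Case-insensitive comparison is an assumption of this example."""
    login, password, run = login.lower(), password.lower(), limit + 1
    return any(login[i:i + run] in password
               for i in range(len(login) - run + 1))

def violations(login, password, overrides=None):
    """List the policy parameters a candidate password fails to satisfy."""
    policy = {**DEFAULT_POLICY, **(overrides or {})}
    counts = {
        "password_minimum_length": len(password),
        "letters_required": sum(c.isalpha() for c in password),
        "lowercase_letters_required": sum(c.islower() for c in password),
        "uppercase_letters_required": sum(c.isupper() for c in password),
        "numbers_required": sum(c in string.digits for c in password),
        # Assumption: "special" is any character that is not a letter or 0-9.
        "special_characters_required": sum(
            not c.isalpha() and c not in string.digits for c in password),
    }
    failed = [name for name, have in counts.items() if have < policy[name]]
    if policy["username_substring_match"] and shares_run(
            login, password, policy["substring_character_limit"]):
        failed.append("substring_character_limit")
    return failed

if __name__ == "__main__":
    # With every parameter at its default, only the length of 8 is enforced.
    print(violations("jsmith", "password"))
```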

Manage the HTTPS redirect

By default, the Puppet Enterprise (PE) console redirects to HTTPS when you attempt to connect over HTTP. You can customize the redirect target URL or disable redirection.

Set the HTTPS redirect target URL

The default redirect target URL is your primary server's FQDN. You can customize the redirect URL.

To change the redirect target URL:
  1. In the PE console, click Node groups and select the PE Infrastructure node group.
  2. On the Classes tab, find the puppet_enterprise::profile::console::proxy::http_redirect class.
  3. Add the server_name parameter and change the value to the desired server.
  4. Click Add parameter and commit changes.
  5. On the nodes hosting your primary server and PE console, run Puppet.
    Tip: There are several ways to Run Puppet on demand.

Disable the HTTPS redirect

By default, the pe-nginx webserver listens on port 80. If you need to run your own service on port 80, you can use Hiera to disable the HTTPS redirect.

  1. Open your default Hiera .yaml file in a text editor.
    Tip: For information about Hiera data files, including file paths, refer to Configure settings with Hiera.
  2. Add the enable_http_redirect parameter and set it to false. For example:
    puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false
  3. Save the file and run puppet agent -t to compile the changes.

Enable data editing in the console

In new Puppet Enterprise (PE) installations, you can, by default, edit configuration data in the console. If you upgraded from an earlier PE version where you hadn't already enabled editing of configuration data, you must use Hiera to manually enable Classifier Configuration Data.

  1. On your primary server, open the hiera.yaml file located at: /etc/puppetlabs/puppet/hiera.yaml.
  2. Add the following to the hiera.yaml file:
    hierarchy: 
    - name: "Classifier Configuration Data"
      data_hash: classifier_data

    Place additional hierarchy entries, such as hiera-yaml or hiera-eyaml, under the same hierarchy key, below the Classifier Configuration Data entry.

  3. To allow users to edit the configuration data in the console, add the Set environment and Edit configuration data permissions to any user groups that need to set environment parameters or modify class parameters.
  4. If your environment is configured for disaster recovery or has compilers, update hiera.yaml on your replica and compilers, respectively.

Add custom PQL queries to the console

Add your own Puppet Query Language (PQL) queries to the console to quickly access them when running jobs.

For help forming queries, go to the PQL Reference guide in the Puppet documentation.
  1. On the primary server, copy the custom_pql_queries.json.example file, and remove the .example suffix. For example, you can use this command:
    sudo cp /etc/puppetlabs/console-services/custom_pql_queries.json.example /etc/puppetlabs/console-services/custom_pql_queries.json
  2. Edit the file contents to include your own PQL queries or remove any existing queries.
  3. Refresh the console UI in your browser.
Results
You can now see your custom queries in the PQL drop-down options when running jobs.