author: nfagerlund <nick.fagerlund@gmail.com> 2011-04-18 16:55:00 -0700
committer: nfagerlund <nick.fagerlund@gmail.com> 2011-04-18 16:55:00 -0700
commit: 9adcb194a75df4e0f0570c20bfa90686ed078265
tree: bb9635c91f2b0e99ad2f004d28a10dd7cc669eb9 /lib
parent: 5a100937d70d3a151153b958f92f3907d4547cd2
parent: 125131121a88c972d27f6e45ffd21aa0369e2df9
Merge branch 'ticket/2.7.x/7108' into 2.7.x
Diffstat (limited to 'lib')
-rw-r--r-- lib/puppet/application/kick.rb 35
-rw-r--r-- lib/puppet/defaults.rb 14
2 files changed, 17 insertions, 32 deletions
diff --git a/lib/puppet/application/kick.rb b/lib/puppet/application/kick.rb
index 536699442..4f3ed1802 100644
--- a/lib/puppet/application/kick.rb
+++ b/lib/puppet/application/kick.rb
@@ -76,31 +76,16 @@ copy things like LDAP settings.
USAGE NOTES
-----------
-'puppet kick' is useless unless 'puppet agent' is listening. See its
-documentation for more information, but the gist is that you must enable
-'listen' on the 'puppet agent' daemon, either using '--listen' on the
-command line or adding 'listen = true' in its config file. In addition,
-you need to set the daemons up to specifically allow connections by
-creating the 'namespaceauth' file, normally at
-'/etc/puppet/namespaceauth.conf'. This file specifies who has access to
-each namespace; if you create the file you must add every namespace you
-want any Puppet daemon to allow -- it is currently global to all Puppet
-daemons.
-
-An example file looks like this:
-
- [fileserver]
- allow *.madstop.com
-
- [puppetmaster]
- allow *.madstop.com
-
- [puppetrunner]
- allow culain.madstop.com
-
-This is what you would install on your Puppet master; non-master hosts
-could leave off the 'fileserver' and 'puppetmaster' namespaces.
-
+Puppet kick is useless unless puppet agent is listening for incoming
+connections and allowing access to the `run` endpoint. This entails
+starting the agent with `listen = true` in its puppet.conf file, and
+allowing access to the `/run` path in its auth.conf file; see
+`http://docs.puppetlabs.com/guides/rest_auth_conf.html` for more
+details.
+
+Additionally, due to a known bug, you must make sure a
+namespaceauth.conf file exists in puppet agent's $confdir. This file
+will not be consulted, and may be left empty.
OPTIONS
-------
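Review bot: The new USAGE NOTES text says to allow access to the `/run` path in auth.conf but gives no indication of who should be allowed, whereas the removed example restricted `[puppetrunner]` to a single host (`allow culain.madstop.com`). Suggest adding a sentence that the ACL should name the host(s) that will run puppet kick rather than a wildcard, or a short auth.conf stanza showing it. The "known bug" paragraph should cite its ticket number so a reader can tell when the empty namespaceauth.conf stops being necessary. Also, the removed block ended with a blank line (the lone `-`) and the added block does not, so check that a blank line still separates "may be left empty." from the OPTIONS heading.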
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index dbd5a9437..139c3c763 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -418,7 +418,7 @@ module Puppet
:desc => "Where the puppet master web server logs."
},
:masterport => [8140, "Which port puppet master listens on."],
- :node_name => ["cert", "How the puppetmaster determines the client's identity
+ :node_name => ["cert", "How the puppet master determines the client's identity
and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
in particular for determining which 'node' statement applies to the client.
Possible values are 'cert' (use the subject's CN in the client's
@@ -528,10 +528,10 @@ module Puppet
:runinterval => [1800, # 30 minutes
"How often puppet agent applies the client configuration; in seconds."],
:listen => [false, "Whether puppet agent should listen for
- connections. If this is true, then by default only the
- `runner` server is started, which allows remote authorized
- and authenticated nodes to connect and trigger `puppet agent`
- runs."],
+ connections. If this is true, then puppet agent will accept incoming
+ REST API requests, subject to the default ACLs and the ACLs set in
+ the `rest_authconfig` file. Puppet agent can respond usefully to
+ requests on the `run`, `facts`, `certificate`, and `resource` endpoints."],
:ca_server => ["$server", "The server to use for certificate
authority requests. It's a separate server because it cannot
and does not need to horizontally scale."],
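Review bot: The new `:listen` description widens the documented surface from the `runner` server to four endpoints (`run`, `facts`, `certificate`, `resource`) but says only that requests are "subject to the default ACLs", without stating what those defaults permit. This is the text an operator reads before turning the listener on, so state whether each endpoint is allowed or denied by default, or point to the same rest_auth_conf guide that the kick.rb help text in this commit links. The wording "the `rest_authconfig` file" names the setting, while the kick.rb text calls the file auth.conf; use one form in both places, for example "the file named by `rest_authconfig`".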
@@ -628,8 +628,8 @@ module Puppet
:graphdir => ["$statedir/graphs", "Where to store dot-outputted graphs."],
:http_compression => [false, "Allow http compression in REST communication with the master.
This setting might improve performance for agent -> master communications over slow WANs.
- Your puppetmaster needs to support compression (usually by activating some settings in a reverse-proxy
- in front of the puppetmaster, which rules out webrick).
+ Your puppet master needs to support compression (usually by activating some settings in a reverse-proxy
+ in front of the puppet master, which rules out webrick).
It is harmless to activate this settings if your master doesn't support
compression, but if it supports it, this setting might reduce performance on high-speed LANs."]
)
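Review bot: The context line directly below the changed lines still reads "It is harmless to activate this settings"; since this hunk is already a wording pass over the same `:http_compression` description, correct it to "this setting" in the same change rather than leaving it for a follow-up.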