Hi Alex,
Not sure about the 'Not Authorized' error message, but the URI you're
using to retrieve the file seems wrong.
Based on Puppet official doc[1], the correct pattern is :
puppet:///modules/name_of_module/filename
But the one you're using is more like :
puppet:///name_of_module/path/to/filename
Note the missing leading modules/ part of the URI.
Hope it helps,
--
Yanis Guenane
On 09/05/2014 04:39 PM, Alex Wacker wrote:
> Hello,
>
> I am currently having the following problem and have not been able to track
> down the cause in all my searches online. I have a script file located in a
> module I have written that the client appears to be unable to get.
>
> Error: /Stage[main]/modulename/File[remove_script]: Could not evaluate:
> Could not retrieve file metadata for
> puppet:///modulename/scripts/remove_script.sh:
> Error 400 on SERVER: Not authorized to call find on
> /file_metadata/modulename/scripts/remove_script.sh with
> {:source_permissions=>"use", :links=>"manage"}
> Wrapped exception:
> Error 400 on SERVER: Not authorized to call find on /file_metadata/
> modulename/scripts/remove_script.sh with {:source_permissions=>"use", :links
> =>"manage"}
>
> auth.conf file contents
>
> # This is the default auth.conf file, which implements the default rules
> # used by the puppet master. (That is, the rules below will still apply
> # even if this file is deleted.)
> #
> # The ACLs are evaluated in top-down order. More specific stanzas should
> # be towards the top of the file and more general ones at the bottom;
> # otherwise, the general rules may "steal" requests that should be
> # governed by the specific rules.
> #
> # See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more
> complete
> # description of auth.conf's behavior.
> #
> # Supported syntax:
> # Each stanza in auth.conf starts with a path to match, followed
> # by optional modifiers, and finally, a series of allow or deny
> # directives.
> #
> # Example Stanza
> # ---------------------------------
> # path /path/to/resource # simple prefix match
> # # path ~ regex # alternately, regex match
> # [environment envlist]
> # [method methodlist]
> # [auth[enthicated] {yes|no|on|off|any}]
> # allow [host|backreference|*|regex]
> # deny [host|backreference|*|regex]
> # allow_ip [ip|cidr|ip_wildcard|*]
> # deny_ip [ip|cidr|ip_wildcard|*]
> #
> # The path match can either be a simple prefix match or a regular
> # expression. `path /file` would match both `/file_metadata` and
> # `/file_content`. Regex matches allow the use of backreferences
> # in the allow/deny directives.
> #
> # The regex syntax is the same as for Ruby regex, and captures
> backreferences
> # for use in the `allow` and `deny` lines of that stanza
> #
> # Examples:
> #
> # path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
> # allow * # Allow all authenticated nodes (since auth
> # # defaults to `yes`).
> #
> # path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog
> (by
> # allow $1 # certname), but not any other node's
> catalog.
> #
> # path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes
> to
> # auth yes # access the "extra_files"
> # allow /^(.+)\.example\.com$/ # mount point; note this
> must
> # allow_ip 192.168.100.0/24 # go ABOVE the "/file"
> rule,
> # # since it is more
> specific.
> #
> # environment:: restrict an ACL to a comma-separated list of environments
> # method:: restrict an ACL to a comma-separated list of HTTP methods
> # auth:: restrict an ACL to an authenticated or unauthenticated request
> # the default when unspecified is to restrict the ACL to authenticated
> requests
> # (ie exactly as if auth yes was present).
> #
>
> ### Authenticated ACLs - these rules apply only when the client
> ### has a valid certificate and is thus authenticated
>
> # allow nodes to retrieve their own catalog
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> # allow nodes to retrieve their own node definition
> path ~ ^/node/([^/]+)$
> method find
> allow $1
>
> # allow all nodes to access the certificates services
> path /certificate_revocation_list/ca
> method find
> allow *
>
> # allow all nodes to store their own reports
> path ~ ^/report/([^/]+)$
> method save
> allow $1
>
> # Allow all nodes to access all file services; this is necessary for
> # pluginsync, file serving from modules, and file serving from custom
> # mount points (see fileserver.conf). Note that the `/file` prefix matches
> # requests to both the file_metadata and file_content paths. See "Examples"
> # above if you need more granular access control for custom mount points.
> path /file
> allow *
>
> path ~ ^/file_(metadata|content)/files/
> auth yes
> allow *
>
>
> ### Unauthenticated ACLs, for clients without valid certificates;
> authenticated
> ### clients can also access these paths, though they rarely need to.
>
> # allow access to the CA certificate; unauthenticated nodes need this
> # in order to validate the puppet master's certificate
> path /certificate/ca
> auth any
> method find
> allow *
>
> # allow nodes to retrieve the certificate they requested earlier
> path /certificate/
> auth any
> method find
> allow *
>
> # allow nodes to request a new certificate
> path /certificate_request
> auth any
> method find, save
> allow *
>
>
> path /v2.0/environments
> method find
> allow *
>
> # deny everything else; this ACL is not strictly necessary, but
> # illustrates the default policy.
> path /
> auth any
>
> fileserver.conf contents
>
> # fileserver.conf
>
> # Puppet automatically serves PLUGINS and FILES FROM MODULES: anything in
> # <module name>/files/<file name> is available to authenticated nodes at
> # puppet:///modules/<module name>/<file name>. You do not need to edit this
> # file to enable this.
>
> # MOUNT POINTS
>
> # If you need to serve files from a directory that is NOT in a module,
> # you must create a static mount point in this file:
> #
> # [extra_files]
> # path /etc/puppet/files
> # allow *
> #
> # In the example above, anything in /etc/puppet/files/<file name> would be
> # available to authenticated nodes at puppet:///extra_files/<file name>.
> #
> # Mount points may also use three placeholders as part of their path:
> #
> # %H - The node's certname.
> # %h - The portion of the node's certname before the first dot. (Usually the
> # node's short hostname.)
> # %d - The portion of the node's certname after the first dot. (Usually the
> # node's domain name.)
>
> # PERMISSIONS
>
> # Every static mount point should have an `allow *` line; setting more
> # granular permissions in this file is deprecated. Instead, you can
> # control file access in auth.conf by controlling the
> # /file_metadata/<mount point> and /file_content/<mount point> paths:
> #
> # path ~ ^/file_(metadata|content)/extra_files/
> # auth yes
> # allow /^(.+)\.example\.com$/
> # allow_ip 192.168.100.0/24
> #
> # If added to auth.conf BEFORE the "path /file" rule, the rule above
> # will add stricter restrictions to the extra_files mount point.Enter code
> here...
>
> The install is pretty much a default open source install with almost
> nothing changed. Would appreciate any help anyone could provide.
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/540CFC9A.7070607%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
