I am using Puppet v5.5.13 and am receiving the following error. Any help
would be appreciated.
*Error: /Stage[main]/Profiles::Base/File[/etc/bashrc]: Could not evaluate:
Could not retrieve file metadata for puppet:///files/etcbashrc: Error 500
on SERVER: Server Error: Not authorized to call find on
/file_metadata/files/etcbashrc with {:rest=>"files/etcbashrc",
:links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}*
*My auth.conf looks like:*
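# Puppet Server authorization rules (HOCON, "version: 1" rule format).
# Each rule pairs a match-request (path, path type, optional method list) with
# who may call it: `allow` lists certificate names or certificate-extension
# matches ("*" = any client that authenticated with a certificate), while
# `allow-unauthenticated: true` also admits clients that present no certificate.
# NOTE(review): Puppet Server documents that rules are tried in ascending
# sort-order (ties broken by name) and that the first matching rule decides the
# request, so the sort-order 200/400 rules are consulted before the 500 ones --
# confirm against the server version in use.
# NOTE(review): the error quoted in the message is reported for the key
# /file_metadata/files/etcbashrc. That wording is likely produced by the file
# server's own mount check (fileserver.conf) rather than by this file -- verify
# that a "files" mount is defined there before widening access here.
authorization: {
    version: 1
    # false: the client identity comes from the TLS client certificate, not from
    # request headers. Keep it false unless TLS is terminated by a trusted proxy.
    allow-header-cert-info: false
    rules: [
        {
            # Allow file metadata
            # NOTE(review): this regex matches the un-prefixed /file_metadata/...
            # and /file_content/... paths, and with no `method` key it applies to
            # every HTTP method. The other rules in this file address these
            # endpoints under /puppet/v3/, so this rule may never match an agent
            # request -- confirm, and drop it if it is unused.
            match-request: {
                path: "^/file_(metadata|content)/files/"
                type: regex
            }
            allow: "*"
            sort-order: 400
            name: "access to all file metadata"
        },
        {
            # Allow any file access
            # NOTE(review): the pattern ends in "/files" with no trailing "/", so
            # it also matches any mount whose name merely starts with "files"
            # (constructed example: /puppet/v3/file_content/files_private/...).
            # Anchor it with a trailing "/" if only the "files" mount is meant.
            match-request: {
                path: "^/puppet/v3/file_(content|metadata)s?/files"
                type: regex
                method: [get, post]
            }
            allow: "*"
            sort-order: 400
            name: "access to all files"
        },
        {
            # Allow nodes to retrieve their own catalog
            # "$1" is the node name captured from the path, so a node can only
            # fetch the catalog whose name matches its own certificate name.
            match-request: {
                path: "^/puppet/v3/catalog/([^/]+)$"
                type: regex
                method: [get, post]
            }
            allow: ["$1"]
            sort-order: 500
            name: "puppetlabs catalog"
        },
        {
            # Allow nodes to retrieve the certificate they requested earlier
            # Unauthenticated by design: the agent has no signed certificate yet.
            match-request: {
                path: "/puppet-ca/v1/certificate/"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs certificate"
        },
        {
            # Allow all nodes to access the certificate revocation list
            match-request: {
                path: "/puppet-ca/v1/certificate_revocation_list/ca"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs crl"
        },
        {
            # Allow nodes to request a new certificate
            match-request: {
                path: "/puppet-ca/v1/certificate_request"
                type: path
                method: [get, put]
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs csr"
        },
        {
            # Allow the CA CLI to access the certificate_status endpoint
            # NOTE(review): put/delete on this endpoint sign and revoke
            # certificates, so every name in `allow` is effectively a CA
            # administrator. "example.com" looks like a placeholder or an
            # anonymised value -- confirm the list holds only the intended
            # certificate names.
            match-request: {
                path: "/puppet-ca/v1/certificate_status"
                type: path
                method: [get, put, delete]
            }
            allow: [
                "localhost",
                "example.com",
                {
                    extensions: {
                        pp_cli_auth: "true"
                    }
                }
            ]
            sort-order: 500
            name: "puppetlabs cert status"
        },
        {
            # Allow the CA CLI to access the certificate_statuses endpoint
            match-request: {
                path: "/puppet-ca/v1/certificate_statuses"
                type: path
                method: get
            }
            allow: [
                "localhost",
                "example.com",
                {
                    extensions: {
                        pp_cli_auth: "true"
                    }
                }
            ]
            sort-order: 500
            name: "puppetlabs cert statuses"
        },
        {
            # Allow unauthenticated access to the status service endpoint
            match-request: {
                path: "/status/v1/services"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs status service - full"
        },
        {
            # Unauthenticated access to the simple status endpoint.
            match-request: {
                path: "/status/v1/simple"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs status service - simple"
        },
        {
            # Admin API: only the listed certificate names may flush the
            # environment cache.
            match-request: {
                path: "/puppet-admin-api/v1/environment-cache"
                type: path
                method: delete
            }
            allow: [
                "localhost",
                "example.com",
            ]
            sort-order: 200
            name: "environment-cache"
        },
        {
            # Admin API: only the listed certificate names may flush the JRuby
            # pool.
            match-request: {
                path: "/puppet-admin-api/v1/jruby-pool"
                type: path
                method: delete
            }
            allow: [
                "localhost",
                "example.com",
            ]
            sort-order: 200
            name: "jruby-pool"
        },
        {
            match-request: {
                path: "/puppet/v3/environments"
                type: path
                method: get
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs environments"
        },
        {
            match-request: {
                path: "/puppet/v3/environment_classes"
                type: path
                method: get
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs environment classes"
        },
        {
            # Allow nodes to access all file_bucket_files. Note that access for
            # the 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/file_bucket_file"
                type: path
                method: [get, head, post, put]
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs file bucket file"
        },
        {
            # Allow nodes to access all file_content. Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/file_content"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs file content"
        },
        {
            # Allow nodes to access all file_metadata. Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/file_metadata"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs file metadata"
        },
        {
            # Allow nodes to access all file_content. Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            # NOTE(review): the comment above appears to be copied from the
            # file_content rule; this rule actually covers /puppet/v3/files/,
            # which no other rule in this file references as an endpoint.
            # Presumably added while troubleshooting -- remove it once the root
            # cause is found.
            match-request: {
                path: "/puppet/v3/files/"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppet file content"
        },
        {
            # Allow nodes to access all file_content. Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            # NOTE(review): copied comment again; this rule covers the bare
            # /files/ prefix. Presumably a troubleshooting addition -- remove it
            # if it never matches a real request.
            match-request: {
                path: "/files/"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppets file content"
        },
        {
            # Allow nodes to retrieve only their own node definition
            match-request: {
                path: "^/puppet/v3/node/([^/]+)$"
                type: regex
                method: get
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs node"
        },
        {
            # Allow nodes to store only their own reports
            match-request: {
                path: "^/puppet/v3/report/([^/]+)$"
                type: regex
                method: put
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs report"
        },
        {
            # Allow nodes to update their own facts
            match-request: {
                path: "^/puppet/v3/facts/([^/]+)$"
                type: regex
                method: put
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs facts"
        },
        {
            match-request: {
                path: "/puppet/v3/status"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs status"
        },
        {
            match-request: {
                path: "/puppet/v3/static_file_content"
                type: path
                method: get
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs static file content"
        },
        {
            match-request: {
                path: "/puppet/v3/tasks"
                type: path
            }
            allow: "*"
            sort-order: 500
            name: "puppet tasks information"
        },
        {
            # Allow all users access to the experimental endpoint
            # which currently only provides a dashboard web ui.
            match-request: {
                path: "/puppet/experimental"
                type: path
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs experimental"
        },
        {
            # NOTE(review): no `method` key, so this rule applies to every HTTP
            # method for any authenticated client on the /puppet/files prefix.
            # Presumably a troubleshooting addition -- restrict or remove it once
            # the root cause is known.
            match-request: {
                path: "/puppet/files"
                type: path
            }
            allow: "*"
            sort-order: 500
            name: "puppet"
        },
        {
            # NOTE(review): same shape as the rule above (all methods, any
            # authenticated client) for the /puppet/file_metadata prefix --
            # restrict or remove it if it is not needed.
            match-request: {
                path: "/puppet/file_metadata"
                type: path
            }
            allow: "*"
            sort-order: 500
            name: "puppet_metadata"
        }
    ]
}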
If anything is needed to help troubleshoot let me know and I will be happy
to post.