Error: /Stage[main]/Profiles::Base/File[/etc/bashrc]: Could not evaluate: Could not retrieve file metadata for puppet:///files/etcbashrc: Error 500 on SERVER: Server Error: Not authorized to call find on /file_metadata/files/etcbashrc with {:rest=>"files/etcbashrc", :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}
My auth.conf looks like:
# Puppet Server authorization rule set (HOCON syntax).
authorization: {
version: 1
# false: the client's identity is taken from its TLS client certificate, not
# from HTTP headers. Only set this to true behind a TLS-terminating proxy that
# is trusted to supply the certificate headers.
allow-header-cert-info: false
# Rules are tried in ascending sort-order, and the first rule whose
# match-request fits the request decides it. The sort-order 200 and 400 rules
# below are therefore consulted before the sort-order 500 ones.
rules: [
{
# Allow file metadata
# NOTE(review): this regex has no /puppet/v3 prefix, whereas the
# "puppetlabs file content" / "puppetlabs file metadata" rules further down do;
# presumably it never matches an agent request - confirm, and drop it if so.
# No method is listed, so the rule covers every HTTP method, and "*" admits
# any client that presents a valid certificate.
# NOTE(review): "Not authorized to call find on /file_metadata/files/..." may
# come from the file server's mount lookup rather than from this file; check
# that a [files] mount is defined in fileserver.conf - verify.
match-request: {
path: "^/file_(metadata|content)/files/"
type: regex
}
allow: "*"
sort-order: 400
name: "access to all file metadata"
},
{
# Allow any file access
# GET/POST on file_content(s) and file_metadata(s) under a mount whose name
# starts with "files". The regex is anchored at the start only and has no
# trailing "/", so it also matches mounts such as "files_private"; add a
# trailing "/" if only the "files" mount is meant.
# "*" admits any client with a valid certificate, and sort-order 400 puts this
# rule ahead of the sort-order 500 file rules below.
match-request: {
path: "^/puppet/v3/file_(content|metadata)s?/files"
type: regex
method: [get, post]
}
allow: "*"
sort-order: 400
name: "access to all files"
},
{
# Allow nodes to retrieve their own catalog
match-request: {
path: "^/puppet/v3/catalog/([^/]+)$"
type: regex
method: [get, post]
}
allow: ["$1"]
sort-order: 500
name: "puppetlabs catalog"
},
{
# Allow nodes to retrieve the certificate they requested earlier
match-request: {
path: "/puppet-ca/v1/certificate/"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs certificate"
},
{
# Allow all nodes to access the certificate revocation list
match-request: {
path: "/puppet-ca/v1/certificate_revocation_list/ca"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs crl"
},
{
# Allow nodes to request a new certificate
match-request: {
path: "/puppet-ca/v1/certificate_request"
type: path
method: [get, put]
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs csr"
},
{
# Allow the CA CLI to access the certificate_status endpoint
# PUT and DELETE on this endpoint change certificate state (sign, revoke,
# delete), so the allow list is effectively the set of CA administrators.
# The string entries are compared with the name in the client's certificate,
# not with the connecting host's address; the last entry admits any
# certificate carrying the pp_cli_auth extension set to "true".
# NOTE(review): "example.com" looks like a redacted placeholder - confirm the
# real entry names exactly one certname and is not a wider pattern.
match-request: {
path: "/puppet-ca/v1/certificate_status"
type: path
method: [get, put, delete]
}
allow: [
"localhost",
"example.com",
{
extensions: {
pp_cli_auth: "true"
}
}
]
sort-order: 500
name: "puppetlabs cert status"
},
{
# Allow the CA CLI to access the certificate_statuses endpoint
match-request: {
path: "/puppet-ca/v1/certificate_statuses"
type: path
method: get
}
allow: [
"localhost",
"example.com",
{
extensions: {
pp_cli_auth: "true"
}
}
]
sort-order: 500
name: "puppetlabs cert statuses"
},
{
# Allow unauthenticated access to the status service endpoint
match-request: {
path: "/status/v1/services"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs status service - full"
},
{
match-request: {
path: "/status/v1/simple"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs status service - simple"
},
{
# Admin API: DELETE on environment-cache, restricted to the listed certificate
# names. sort-order 200 places this rule ahead of all the other rules in this
# file.
match-request: {
path: "/puppet-admin-api/v1/environment-cache"
type: path
method: delete
}
allow: [
"localhost",
"example.com",
]
sort-order: 200
name: "environment-cache"
},
{
# Admin API: DELETE on jruby-pool, restricted to the same certificate names as
# the environment-cache rule. Keep this list as short as the
# certificate_status one; both are administrative operations.
match-request: {
path: "/puppet-admin-api/v1/jruby-pool"
type: path
method: delete
}
allow: [
"localhost",
"example.com",
]
sort-order: 200
name: "jruby-pool"
},
{
match-request: {
path: "/puppet/v3/environments"
type: path
method: get
}
allow: "*"
sort-order: 500
name: "puppetlabs environments"
},
{
match-request: {
path: "/puppet/v3/environment_classes"
type: path
method: get
}
allow: "*"
sort-order: 500
name: "puppetlabs environment classes"
},
{
# Allow nodes to access all file_bucket_files. Note that access for
# the 'delete' method is forbidden by Puppet regardless of the
# configuration of this rule.
match-request: {
path: "/puppet/v3/file_bucket_file"
type: path
method: [get, head, post, put]
}
allow: "*"
sort-order: 500
name: "puppetlabs file bucket file"
},
{
# Allow nodes to access all file_content. Note that access for the
# 'delete' method is forbidden by Puppet regardless of the
# configuration of this rule.
match-request: {
path: "/puppet/v3/file_content"
type: path
method: [get, post]
}
allow: "*"
sort-order: 500
name: "puppetlabs file content"
},
{
# Allow nodes to access all file_metadata. Note that access for the
# 'delete' method is forbidden by Puppet regardless of the
# configuration of this rule.
match-request: {
path: "/puppet/v3/file_metadata"
type: path
method: [get, post]
}
allow: "*"
sort-order: 500
name: "puppetlabs file metadata"
},
{
# Allow GET/POST from any client with a valid certificate on paths beginning
# with /puppet/v3/files/ (type "path" is a literal prefix match).
# NOTE(review): this is not the file_content or file_metadata endpoint covered
# by the rules above; presumably added while troubleshooting - confirm it
# matches a real request and remove it otherwise.
match-request: {
path: "/puppet/v3/files/"
type: path
method: [get, post]
}
allow: "*"
sort-order: 500
name: "puppet file content"
},
{
# Allow GET/POST from any client with a valid certificate on paths beginning
# with /files/.
# NOTE(review): no /puppet/v3 prefix; presumably another troubleshooting
# addition that never matches an agent request - confirm and remove if unused.
match-request: {
path: "/files/"
type: path
method: [get, post]
}
allow: "*"
sort-order: 500
name: "puppets file content"
},
{
# Allow nodes to retrieve only their own node definition
match-request: {
path: "^/puppet/v3/node/([^/]+)$"
type: regex
method: get
}
allow: "$1"
sort-order: 500
name: "puppetlabs node"
},
{
# Allow nodes to store only their own reports
match-request: {
path: "^/puppet/v3/report/([^/]+)$"
type: regex
method: put
}
allow: "$1"
sort-order: 500
name: "puppetlabs report"
},
{
# Allow nodes to update their own facts
match-request: {
path: "^/puppet/v3/facts/([^/]+)$"
type: regex
method: put
}
allow: "$1"
sort-order: 500
name: "puppetlabs facts"
},
{
match-request: {
path: "/puppet/v3/status"
type: path
method: get
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs status"
},
{
match-request: {
path: "/puppet/v3/static_file_content"
type: path
method: get
}
allow: "*"
sort-order: 500
name: "puppetlabs static file content"
},
{
# Allow any client with a valid certificate to call the tasks endpoint.
# No method is listed, so the rule covers every HTTP method.
match-request: {
path: "/puppet/v3/tasks"
type: path
}
allow: "*"
sort-order: 500
name: "puppet tasks information"
},
{
# Allow all users access to the experimental endpoint
# which currently only provides a dashboard web ui.
# No client certificate is required and no method is listed, so every HTTP
# method under this prefix is open to unauthenticated callers.
match-request: {
path: "/puppet/experimental"
type: path
}
allow-unauthenticated: true
sort-order: 500
name: "puppetlabs experimental"
},
{
# Allow any client with a valid certificate on paths beginning with
# /puppet/files, for every HTTP method (none is listed).
# NOTE(review): the path lacks the /v3 segment used by the file rules above;
# presumably a troubleshooting addition - confirm and remove if unused.
match-request: {
path: "/puppet/files"
type: path
}
allow: "*"
sort-order: 500
name: "puppet"
},
{
# Allow any client with a valid certificate on paths beginning with
# /puppet/file_metadata, for every HTTP method (none is listed).
# NOTE(review): same concern as the /puppet/files rule - no /v3 segment, so it
# presumably never matches an agent request; confirm and remove if unused.
match-request: {
path: "/puppet/file_metadata"
type: path
}
allow: "*"
sort-order: 500
name: "puppet_metadata"
}
]
}
If anything is needed to help troubleshoot let me know and I will be happy to post.