Could not retrieve file metadata for puppet:///files/limits-conf: Error 500 on SERVER: Server Error: Not authorized to call find on /file_metadata/files/limits-conf


Chris Phillips

May 23, 2019, 4:13:38 PM
to Puppet Users
I am using Puppet v5.5.13 and am receiving the following error. Any help would be appreciated. 

Error: /Stage[main]/Profiles::Base/File[/etc/bashrc]: Could not evaluate: Could not retrieve file metadata for puppet:///files/etcbashrc: Error 500 on SERVER: Server Error: Not authorized to call find on /file_metadata/files/etcbashrc with {:rest=>"files/etcbashrc", :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}


My auth.conf looks like:


authorization: {
    version: 1
    allow-header-cert-info: false
    rules: [
        {
            # Allow file metadata
            match-request: {
                path: "^/file_(metadata|content)/files/"
                type: regex
            }
            allow: "*"
            sort-order: 400
            name: "access to all file metadata"
        },
        {
            # Allow any file access
            match-request: {
                path: "^/puppet/v3/file_(content|metadata)s?/files"
                type: regex
                method: [get, post]
            }
            allow: "*"
            sort-order: 400
            name: "access to all files"
        },
        {
            # Allow nodes to retrieve their own catalog
            match-request: {
                path: "^/puppet/v3/catalog/([^/]+)$"
                type: regex
                method: [get, post]
            }
            allow: ["$1"]
            sort-order: 500
            name: "puppetlabs catalog"
        },
        {
            # Allow nodes to retrieve the certificate they requested earlier
            match-request: {
                path: "/puppet-ca/v1/certificate/"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs certificate"
        },
        {
            # Allow all nodes to access the certificate revocation list
            match-request: {
                path: "/puppet-ca/v1/certificate_revocation_list/ca"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs crl"
        },
        {
            # Allow nodes to request a new certificate
            match-request: {
                path: "/puppet-ca/v1/certificate_request"
                type: path
                method: [get, put]
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs csr"
        },
        {
            # Allow the CA CLI to access the certificate_status endpoint
            match-request: {
                path: "/puppet-ca/v1/certificate_status"
                type: path
                method: [get, put, delete]
            }
            allow: [
                "localhost",
                "example.com",
                {
                    extensions: {
                        pp_cli_auth: "true"
                    }
                }
            ]
            sort-order: 500
            name: "puppetlabs cert status"
        },
        {
            # Allow the CA CLI to access the certificate_statuses endpoint
            match-request: {
                path: "/puppet-ca/v1/certificate_statuses"
                type: path
                method: get
            }
            allow: [
                "localhost",
                "example.com",
                {
                    extensions: {
                        pp_cli_auth: "true"
                    }
                }
            ]
            sort-order: 500
            name: "puppetlabs cert statuses"
        },
        {
            # Allow unauthenticated access to the status service endpoint
            match-request: {
                path: "/status/v1/services"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs status service - full"
        },
        {
            match-request: {
                path: "/status/v1/simple"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs status service - simple"
        },
        {
            match-request: {
                path: "/puppet-admin-api/v1/environment-cache"
                type: path
                method: delete
            }
            allow: [
                "localhost",
                "example.com",
            ]
            sort-order: 200
            name: "environment-cache"
        },
        {
            match-request: {
                path: "/puppet-admin-api/v1/jruby-pool"
                type: path
                method: delete
            }
            allow: [
                "localhost",
                "example.com",
            ]
            sort-order: 200
            name: "jruby-pool"
        },
        {
            match-request: {
                path: "/puppet/v3/environments"
                type: path
                method: get
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs environments"
        },
        {
            match-request: {
                path: "/puppet/v3/environment_classes"
                type: path
                method: get
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs environment classes"
        },
        {
            # Allow nodes to access all file_bucket_files.  Note that access for
            # the 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/file_bucket_file"
                type: path
                method: [get, head, post, put]
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs file bucket file"
        },
        {
            # Allow nodes to access all file_content.  Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/file_content"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs file content"
        },
        {
            # Allow nodes to access all file_metadata.  Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/file_metadata"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs file metadata"
        },
        {
            # Allow nodes to access all file_content.  Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/puppet/v3/files/"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppet file content"
        },
        {
            # Allow nodes to access all file_content.  Note that access for the
            # 'delete' method is forbidden by Puppet regardless of the
            # configuration of this rule.
            match-request: {
                path: "/files/"
                type: path
                method: [get, post]
            }
            allow: "*"
            sort-order: 500
            name: "puppets file content"
        },
        {
            # Allow nodes to retrieve only their own node definition
            match-request: {
                path: "^/puppet/v3/node/([^/]+)$"
                type: regex
                method: get
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs node"
        },
        {
            # Allow nodes to store only their own reports
            match-request: {
                path: "^/puppet/v3/report/([^/]+)$"
                type: regex
                method: put
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs report"
        },
        {
            # Allow nodes to update their own facts
            match-request: {
                path: "^/puppet/v3/facts/([^/]+)$"
                type: regex
                method: put
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs facts"
        },
        {
            match-request: {
                path: "/puppet/v3/status"
                type: path
                method: get
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs status"
        },
        {
            match-request: {
                path: "/puppet/v3/static_file_content"
                type: path
                method: get
            }
            allow: "*"
            sort-order: 500
            name: "puppetlabs static file content"
        },
        {
            match-request: {
                path: "/puppet/v3/tasks"
                type: path
            }
            allow: "*"
            sort-order: 500
            name: "puppet tasks information"
        },
        {
            # Allow all users access to the experimental endpoint
            # which currently only provides a dashboard web ui.
            match-request: {
                path: "/puppet/experimental"
                type: path
            }
            allow-unauthenticated: true
            sort-order: 500
            name: "puppetlabs experimental"
        },
        {
            match-request: {
                path: "/puppet/files"
                type: path
            }
            allow: "*"
            sort-order: 500
            name: "puppet"
        },
        {
            match-request: {
                path: "/puppet/file_metadata"
                type: path
            }
            allow: "*"
            sort-order: 500
            name: "puppet_metadata"
        }
    ]
}


If anything is needed to help troubleshoot let me know and I will be happy to post. 

Alessandro Franceschi

May 28, 2019, 8:03:51 AM
to Puppet Users
In the file resource which manages /etc/bashrc you probably have a parameter like:
source => puppet:///files/etcbashrc

that should be something like:

source => puppet:///modules/$MODULENAME/etcbashrc

This implies that your source etcbashrc file is in a module called $MODULENAME in the files/etcbashrc location (note that you don't have to specify "files" in the source param).

For details:
https://puppet.com/docs/puppet/6.4/modules_fundamentals.html#files-in-modules

Chris Phillips

May 28, 2019, 11:48:32 AM
to puppet...@googlegroups.com
I thought the same and have tried that to no avail. I believe it's because we are storing the files outside of the standard modules directory, i.e. /etc/puppetlabs/code, whereas we are using /etc/puppetlabs/example/code.

Thanks,
Chris


Justin Stoller

May 28, 2019, 12:18:49 PM
to puppet...@googlegroups.com
That's not an error from Puppet Server's HTTP auth.conf, it's an error from Puppet's old auth.conf or its fileserver.conf. Note the "Not authorized to call *find* on ..." Puppet Server's auth handles HTTP verbs like GET, Puppet's indirector auth translates those to verbs like FIND or SEARCH.

From that endpoint I would assume you have a custom mountpoint called "files" with an incorrect allow statement. Is that correct?

If that's true hopefully that page will help you correct the auth syntax, though my suggestion would be to follow Alessandro's advice and update your file structure to be able to put those files into a module and use the module syntax, or put them on an http server and use regular http endpoints, or, if you can use 6.x and need to secure the contents with a key, use a client side function.

HTH,
Justin
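
Added example, not written by anyone in this thread and not Puppet's own code: a triage helper for the indirector denial discussed above, which pulls the verb, indirection and mount name out of the agent error and checks how that mount is declared in fileserver.conf. The function names, the BUILTIN_MOUNTS set, the `[mount]` / `path` / `allow` layout it parses, the rule that a custom mount should carry `allow *`, and the sample fileserver.conf contents are assumptions made for illustration.

```python
import re

# Denial raised by Puppet's indirector, in the form quoted in the thread.
DENIAL = re.compile(
    r"Not authorized to call (?P<verb>\w+) on "
    r"/(?P<indirection>file_(?:metadata|content)s?)/(?P<mount>[^/\s]+)/(?P<key>\S+)")
# Assumption: mounts Puppet serves without a fileserver.conf entry.
BUILTIN_MOUNTS = {"modules", "plugins", "pluginfacts"}

def parse_fileserver_conf(text):
    """Parse '[mount]' sections holding 'path', 'allow' and 'deny' directives."""
    mounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            current = mounts.setdefault(section.group(1), {"path": None, "allow": [], "deny": []})
            continue
        parts = line.split(None, 1)
        if current is None or len(parts) != 2:
            continue  # directive outside a section, or without a value
        directive, value = parts
        if directive == "path":
            current["path"] = value
        elif directive in ("allow", "deny"):
            current[directive] += [v.strip() for v in value.split(",")]
    return mounts

def triage(error_line, conf_text):
    """Name the mount an agent error refers to and the likely misconfiguration."""
    m = DENIAL.search(error_line)
    if m is None:
        return None  # not a file-serving indirector denial
    result = m.groupdict()
    mount = parse_fileserver_conf(conf_text).get(result["mount"])
    if result["mount"] in BUILTIN_MOUNTS:
        result["finding"] = "builtin-mount"
    elif mount is None:
        result["finding"] = "mount-not-defined"
    elif "*" not in mount["allow"]:
        result["finding"] = "allow-lacks-wildcard"
    else:
        result["finding"] = "mount-looks-ok"
    return result

# Error text from the thread (options hash omitted) and a constructed fileserver.conf.
SAMPLE_ERROR = "Server Error: Not authorized to call find on /file_metadata/files/etcbashrc with {}"
SAMPLE_CONF = "[files]\n  path /etc/puppetlabs/example/code/files\n  allow example.com\n"
```

Calling `triage(SAMPLE_ERROR, SAMPLE_CONF)` reports the `files` mount with the finding `allow-lacks-wildcard`; a result of `None` means the line is not an indirector file-serving denial.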
