Issue with Puppet: "Not authorized" error


吕哲

Jul 20, 2016, 12:45:22 AM7/20/16
to Puppet Users
environment:
[root@client1 puppet]# more /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.80.28   master.mylab.com  master
192.168.80.27   db.mylab.com db
192.168.80.29   client1.mylab.com  client1

auth.conf & fileserver.conf on master
[root@master puppet]# cat auth.conf 
# Legacy-format Puppet auth.conf as pasted from the master. Each stanza gives a
# path (a literal prefix, or a regex after "~"), optionally the methods, an
# "auth" requirement and an "allow" list.
# NOTE(review): in this format stanzas are normally matched top-down and the
# first match decides, so order matters — confirm for the installed version.

# Catalog, node and report rules allow only the name captured from the URL ($1).
path ~ ^/puppet/v3/catalog/([^/]+)$
method find
auth yes
allow $1

path ~ ^/puppet/v3/node/([^/]+)$
method find
auth yes
allow $1

path /puppet-ca/v1/certificate_revocation_list/ca
method find
auth yes
allow *

path ~ ^/puppet/v3/report/([^/]+)$
method save
auth yes
allow $1

# NOTE(review): as a prefix rule this presumably already covers
# /puppet/v3/file_metadata and /puppet/v3/file_content for authenticated
# nodes, so the "Not authorized" error in this post is unlikely to come from
# auth.conf itself — confirm.
path /puppet/v3/file
auth yes
allow *

# The three CA stanzas below use "auth any" with "allow *".
path /puppet-ca/v1/certificate/ca
method find
auth any
allow *

path /puppet-ca/v1/certificate/
method find
auth any
allow *

path /puppet-ca/v1/certificate_request
method find, save
auth any
allow *

path /puppet/v3/environments
method find
auth yes
allow *

path /puppet/v3/environment
method find
auth yes
allow pe-internal-orchestrator

path /puppet/v3/status
method find
auth any
allow *

path /puppet/v3/facts
method find, search
auth any
allow pe-internal-dashboard

path /puppet/v3/resource_type
method find, search
auth yes
allow pe-internal-dashboard, pe-internal-classifier, pe-internal-orchestrator

# No "allow" line here.
# NOTE(review): this looks like the usual catch-all deny, and since "/" is a
# prefix of every path, anything placed after it is presumably never reached.
path /
auth any

# NOTE(review): this stanza sits after the catch-all and lacks the /puppet/v3
# prefix used by every other rule, so it probably has no effect. If it did
# match, "auth any" + "allow *" would open the path to unauthenticated
# clients; removing it is safer than moving it up.
path /file_metadata/files
auth any
allow *
[root@master puppet]# cat fileserver.conf
# Puppet file-server mounts: each [name] section declares a mount, "path" is
# the directory on the master that the mount serves.
# NOTE(review): no [files] mount is declared here, yet the start_smb manifest
# in this post requests puppet://$puppetserver/files/smb.conf and the server
# log rejects /file_metadata/files/smb.conf. An undeclared mount is the likely
# cause of the "Not authorized" error — confirm.
[pe_packages]
path /opt/puppetlabs/server/data/packages/public
allow *
[pe_modules]
path /opt/puppetlabs/server/share/installer/modules
allow *
# NOTE(review): this serves the master's own /usr/local/samba/etc, and
# "allow *" puts no per-node restriction on it at this layer. Check that
# nothing host-specific or sensitive lives in that directory.
[smb_config]
path /usr/local/samba/etc
allow *

site.pp
pwd
/etc/puppetlabs/puppet/production/manifests
[root@master manifests]# more site.pp
# NOTE(review): the "node ... {" opening lines appear to be missing from this
# paste; only the include statements and the closing braces survive.
# Top-scope variable; the start_smb class shown in this post interpolates it
# into its puppet:// source URI.
$puppetserver = 'master.mylab.com'
  include  motd
}
  include  cr_file,rpcbind_nfs_start,start_smb
}

init.pp
[root@master manifests]# pwd
/etc/puppetlabs/puppet/modules/start_smb/manifests
[root@master manifests]# more init.pp
# Installs /usr/local/samba/etc/smb.conf from the Puppet master and runs the
# nmbd and smbd start commands whenever that file resource changes.
class start_smb{
# The managed copy is root-owned with mode 0644.
# NOTE(review): the source URI names the file-server mount "files", but the
# fileserver.conf shown in this post declares only pe_packages, pe_modules and
# smb_config; that mismatch would explain the "Not authorized to call find on
# /file_metadata/files/smb.conf" error. Serving the file from the module
# (puppet:///modules/start_smb/smb.conf, stored under the module's files/
# directory) avoids the need for a custom mount — confirm.
# NOTE(review): the master-side copy listed in this post is -rwxrwxrwx; because
# agents install it as root-owned configuration, it should not be
# world-writable on the master.
file {  
   "/usr/local/samba/etc/smb.conf":  
   source => "puppet://$puppetserver/files/smb.conf",  
   group => root,  
   owner => root,  
   mode => '0644'
}   

# Both execs subscribe to the smb.conf file resource with refreshonly => true,
# so they run only when that resource reports a change.
# NOTE(review): each refresh launches the daemon with -D rather than restarting
# a running instance; a service resource is the usual way to manage this —
# confirm intended behaviour.
exec {  
      "nmb start":  
       path => ["/usr/bin", "/usr/sbin", "/bin", "/sbin","/usr/local/samba/sbin","/usr/local/samba/bin"],  
       command  => "/usr/local/samba/sbin/nmbd -D",  
       subscribe => File["/usr/local/samba/etc/smb.conf"],  
       refreshonly => true  
     }  
exec {  
      "smb start":  
       path => ["/usr/bin", "/usr/sbin", "/bin", "/sbin","/usr/local/samba/sbin","/usr/local/samba/bin"],  
       command  => "/usr/local/samba/sbin/smbd -D",  
       subscribe => File["/usr/local/samba/etc/smb.conf"],  
       refreshonly => true  
     }  
}


files directory
[root@master puppet]# ls -l files
total 8
-rwxrwxrwx 1 pe-puppet pe-puppet 7934 Jul 20 02:12 smb.conf
[root@master puppet]# ls -ld files
drwxr-xr-x 2 pe-puppet pe-puppet 4096 Jul 20 02:12 files

The following error is logged on the master when the client syncs with it:
2016-07-20 03:08:10,638 INFO  [qtp2111722343-62] [puppetserver] Puppet 'store_report' command for client1.mylab.com submitted to PuppetDB with UUID abe54050-128d-447f-9742-def31e6a77a2
2016-07-20 03:08:11,332 INFO  [qtp2111722343-65] [puppetserver] Puppet Caching node for client1.mylab.com
2016-07-20 03:08:12,055 INFO  [qtp2111722343-63] [puppetserver] Puppet 'replace_facts' command for client1.mylab.com submitted to PuppetDB with UUID e03abc15-4d1b-4a43-b9c8-43452d09a06f
2016-07-20 03:08:12,240 INFO  [qtp2111722343-63] [puppetserver] Puppet Caching node for client1.mylab.com
2016-07-20 03:08:13,546 INFO  [qtp2111722343-63] [puppetserver] Puppet Compiled catalog for client1.mylab.com in environment production in 1.28 seconds
2016-07-20 03:08:13,546 INFO  [qtp2111722343-63] [puppetserver] Puppet Caching catalog for client1.mylab.com
2016-07-20 03:08:13,737 INFO  [qtp2111722343-63] [puppetserver] Puppet 'replace_catalog' command for client1.mylab.com submitted to PuppetDB with UUID 893942c0-b32b-4864-9231-b00f0ce5fb34
2016-07-20 03:08:15,838 ERROR [qtp2111722343-62] [puppetserver] Puppet Not authorized to call find on /file_metadata/files/smb.conf with {:rest=>"files/smb.conf", :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:308:in `check_authorization'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:324:in `prepare'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:184:in `find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:132:in `do_find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:48:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:240:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:47:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:82:in `process'
org/jruby/RubyArray.java:1613:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:81:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:87:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:87:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:60:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:58:in `process'
file:/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/puppetserver-lib/puppet/server/master.rb:42:in `handleRequest'
Puppet$$Server$$Master_76685231.gen:13:in `handleRequest'
request_handler_core.clj:281:in `invoke'
jruby_request.clj:47:in `invoke'
jruby_request.clj:29:in `invoke'
request_handler_service.clj:38:in `handle_request'
request_handler.clj:3:in `invoke'
request_handler.clj:3:in `invoke'
core.clj:2493:in `invoke'
ring_middleware.clj:281:in `invoke'
core.clj:249:in `invoke'
core.clj:294:in `invoke'
core.clj:128:in `invoke'
core.clj:134:in `invoke'
ringutils.clj:86:in `invoke'
master_core.clj:416:in `invoke'
ring.clj:21:in `invoke'
ring.clj:12:in `invoke'
comidi.clj:249:in `invoke'
http.clj:152:in `invoke'
http.clj:152:in `invoke'
http.clj:148:in `invoke'
comidi.clj:336:in `invoke'
jetty9_core.clj:424:in `invoke'
normalized_uri_helpers.clj:80:in `invoke'