Could not evaluate: Could not retrieve file metadata
2,402 views
Skip to first unread message
Alex Wacker
Sep 5, 2014, 4:39:13 PM9/5/14
to puppet...@googlegroups.com
Hello,
I am currently having the following problem and have not been able to track down the cause in all my searches online. I have a script file located in a module I have written that the client appears to be unable to get.
auth.conf file contents
fileserver.conf contents
The install is pretty much a default open source install with almost nothing changed. Would appreciate any help anyone could provide.
I am currently having the following problem and have not been able to track down the cause in all my searches online. I have a script file located in a module I have written that the client appears to be unable to get.
Error: /Stage[main]/modulename/File[remove_script]: Could not evaluate: Could not retrieve file metadata for puppet:///modulename/scripts/remove_script.sh: Error 400 on SERVER: Not authorized to call find on /file_metadata/modulename/scripts/remove_script.sh with {:source_permissions=>"use", :links=>"manage"}
Wrapped exception:
Error 400 on SERVER: Not authorized to call find on /file_metadata/modulename/scripts/remove_script.sh with {:source_permissions=>"use", :links=>"manage"}auth.conf file contents
# This is the default auth.conf file, which implements the default rules
# used by the puppet master. (That is, the rules below will still apply
# even if this file is deleted.)
#
# The ACLs are evaluated in top-down order. More specific stanzas should
# be towards the top of the file and more general ones at the bottom;
# otherwise, the general rules may "steal" requests that should be
# governed by the specific rules.
#
# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
# description of auth.conf's behavior.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
# by optional modifiers, and finally, a series of allow or deny
# directives.
#
# Example Stanza
# ---------------------------------
# path /path/to/resource # simple prefix match
# # path ~ regex # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|backreference|*|regex]
# deny [host|backreference|*|regex]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza
#
# Examples:
#
# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
# allow * # Allow all authenticated nodes (since auth
# # defaults to `yes`).
#
# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
# allow $1 # certname), but not any other node's catalog.
#
# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
# auth yes # access the "extra_files"
# allow /^(.+)\.example\.com$/ # mount point; note this must
# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
# # since it is more specific.
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
### Authenticated ACLs - these rules apply only when the client
### has a valid certificate and is thus authenticated
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
# Allow all nodes to access all file services; this is necessary for
# pluginsync, file serving from modules, and file serving from custom
# mount points (see fileserver.conf). Note that the `/file` prefix matches
# requests to both the file_metadata and file_content paths. See "Examples"
# above if you need more granular access control for custom mount points.
path /file
allow *
path ~ ^/file_(metadata|content)/files/
auth yes
allow *
### Unauthenticated ACLs, for clients without valid certificates; authenticated
### clients can also access these paths, though they rarely need to.
# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate
path /certificate/ca
auth any
method find
allow *
# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *
# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *
path /v2.0/environments
method find
allow *
# deny everything else; this ACL is not strictly necessary, but
# illustrates the default policy.
path /
auth anyfileserver.conf contents
# fileserver.conf
# Puppet automatically serves PLUGINS and FILES FROM MODULES: anything in
# <module name>/files/<file name> is available to authenticated nodes at
# puppet:///modules/<module name>/<file name>. You do not need to edit this
# file to enable this.
# MOUNT POINTS
# If you need to serve files from a directory that is NOT in a module,
# you must create a static mount point in this file:
#
# [extra_files]
# path /etc/puppet/files
# allow *
#
# In the example above, anything in /etc/puppet/files/<file name> would be
# available to authenticated nodes at puppet:///extra_files/<file name>.
#
# Mount points may also use three placeholders as part of their path:
#
# %H - The node's certname.
# %h - The portion of the node's certname before the first dot. (Usually the
# node's short hostname.)
# %d - The portion of the node's certname after the first dot. (Usually the
# node's domain name.)
# PERMISSIONS
# Every static mount point should have an `allow *` line; setting more
# granular permissions in this file is deprecated. Instead, you can
# control file access in auth.conf by controlling the
# /file_metadata/<mount point> and /file_content/<mount point> paths:
#
# path ~ ^/file_(metadata|content)/extra_files/
# auth yes
# allow /^(.+)\.example\.com$/
# allow_ip 192.168.100.0/24
#
# If added to auth.conf BEFORE the "path /file" rule, the rule above
# will add stricter restrictions to the extra_files mount point.Enter code here...The install is pretty much a default open source install with almost nothing changed. Would appreciate any help anyone could provide.
Felix Frank
Sep 6, 2014, 12:42:39 PM9/6/14
to puppet...@googlegroups.com
On 09/05/2014 10:39 PM, Alex Wacker wrote:
> I am currently having the following problem and have not been able to
> track down the cause in all my searches online. I have a script file
> located in a module I have written that the client appears to be
> unable to get.
Hi,
> I am currently having the following problem and have not been able to
> track down the cause in all my searches online. I have a script file
> located in a module I have written that the client appears to be
> unable to get.
does the master perhaps not have permissions to read that file?
For debugging, it may be helpful to run a debug session master side. The
easiest way is to stop the master (or apache) and run as root
puppet master --no-daemonize --verbse --debug
If you cannot just stop your master, you can also run the same debug
master with an alternative port (--masterport option) but will also have
to specify an alternate PID file and possibly override other clashing
settings.
HTH,
Felix
Alex Wacker
Sep 6, 2014, 5:09:16 PM9/6/14
to puppet...@googlegroups.com
Here is the output on the master side when running in debug mode and attempting to do a puppet agent -t on the client
http://pastie.org/private/klrgqlxbxqw82cii6diq
http://pastie.org/private/klrgqlxbxqw82cii6diq
Alex Wacker
Sep 6, 2014, 5:13:44 PM9/6/14
to puppet...@googlegroups.com
Forgot to mention, in regards to permissions, Tried making everything 777 and owned by puppet but no change.
On Saturday, September 6, 2014 12:42:39 PM UTC-4, Felix.Frank wrote:
Yanis Guenane
Sep 7, 2014, 8:47:48 PM9/7/14
to puppet...@googlegroups.com
Hi Alex,
Not sure about the 'Not Authorized' error message, but the URI you're
using to retrieve the file seems wrong.
Based on Puppet official doc[1], the correct pattern is :
puppet:///modules/name_of_module/filename
But the one you're using is more like :
puppet:///name_of_module/path/to/filename
Note the missing leading modules/ part of the URI.
Hope it helps,
--
Yanis Guenane
Not sure about the 'Not Authorized' error message, but the URI you're
using to retrieve the file seems wrong.
Based on Puppet official doc[1], the correct pattern is :
puppet:///modules/name_of_module/filename
But the one you're using is more like :
puppet:///name_of_module/path/to/filename
Note the missing leading modules/ part of the URI.
Hope it helps,
--
Yanis Guenane
Reply all
Reply to author
Forward
0 new messages