Issue #13976 has been updated by Daniel Pittman.
Status changed from Unreviewed to Needs More Information.

Puppet doesn't do any additional checks around ownership to read files - I think, instead, that your problem stems from the fact that the owner / group are in the supplementary group list for Puppet.

How are you running your master? If it is under Passenger or something, try it again with the webrick based daemon and see if that solves your problem. I suspect it will, because when we change user on our own we do init the supplemental group list, but Passenger, etc., don't.

----------------------------------------
Bug #13976: PuppetMaster is unable to read manifest when manifest is not directly owned by user Puppet or from primary group Puppet
https://projects.puppetlabs.com/issues/13976#change-61117

Author: Egon Kastelijn
Status: Needs More Information
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords: manifest rights user group
Branch:

When a manifest (or template) is owned by the userid 'puppet' or the groupid 'puppet' then the PuppetMaster process can read the manifest just fine. But when the manifest has a userid and a groupid that is not 'puppet' then the PuppetMaster process is unable to read the manifest.

When I change my shell to the user 'puppet' (sudo -u puppet -i), under which the PuppetMaster process is running, then I can read the file nicely. This means that the OS and filesystem don't block the read-access to the file for the user 'puppet'.

I think the PuppetMaster does some kind of extra check to see if it can read the manifest-file, but this check is not complete or wrong. I think it checks if the file is owned by the user 'puppet' and/or is readable by the group 'puppet', but it fails to check if the user 'puppet' is in a secondary group that also gives it read access to the manifest-file.

$ ls -al website.rb
-rw-rw---- 1 uav377 wsadmin 43598 Apr 12 17:44 website.rb
$
$ getent group wsadmin
wsadmin:x:9000:puppet
$

A workaround is to make the files world-readable, but this is not desirable as a permanent solution.
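
Added example, not part of the original notification and not Puppet's own code: a Ruby diagnostic for the situation discussed above, comparing the groups a process actually holds with the groups the group database grants its user, and showing why the file in the report is readable from a login shell but not from a process that kept only its primary group. The helper names, the puppet GID (52) and the file owner's UID (1377) are assumptions made for illustration; the wsadmin line and the file mode are taken from the report.

```ruby
require 'etc'

# Parse getent-style lines ("name:x:gid:member,member") into hashes.
def parse_group_lines(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    name, _pw, gid, members = line.split(':', 4)
    { name: name, gid: Integer(gid), members: members.to_s.split(',') }
  end
end

# GIDs a correctly initialised process for `user` should hold:
# the primary group plus every group that lists the user as a member.
def expected_gids(user, primary_gid, groups)
  extra = groups.select { |g| g[:members].include?(user) }.map { |g| g[:gid] }
  ([primary_gid] + extra).uniq.sort
end

# Classic Unix read check (owner, then group, then other); ignores ACLs and root.
def readable?(file_uid, file_gid, mode, proc_uid, proc_gids)
  return (mode & 0o400) != 0 if proc_uid == file_uid
  return (mode & 0o040) != 0 if proc_gids.include?(file_gid)
  (mode & 0o004) != 0
end

# Compare the running process with the group database. Returns the GIDs the
# process is missing, or nil when the effective uid has no passwd entry.
def missing_gids_for_current_process
  pw = Etc.getpwuid(Process.euid)
  return nil unless pw
  groups = []
  Etc.group { |g| groups << { name: g.name, gid: g.gid, members: g.mem } }
  expected_gids(pw.name, pw.gid, groups) - (Process.groups | [Process.egid])
rescue ArgumentError
  nil
end

# Constructed sample: the wsadmin line is from the report; the puppet GID (52)
# and the file owner's UID (1377) are made up for illustration.
SAMPLE_GROUPS = parse_group_lines("puppet:x:52:\nwsadmin:x:9000:puppet\n")
PUPPET_UID = 52
FILE_UID, FILE_GID, FILE_MODE = 1377, 9000, 0o660 # -rw-rw---- uav377 wsadmin

if __FILE__ == $PROGRAM_NAME
  full = expected_gids('puppet', 52, SAMPLE_GROUPS)
  puts "with supplementary groups: #{readable?(FILE_UID, FILE_GID, FILE_MODE, PUPPET_UID, full)}"
  puts "primary group only:        #{readable?(FILE_UID, FILE_GID, FILE_MODE, PUPPET_UID, [52])}"
  puts "missing in this process:   #{missing_gids_for_current_process.inspect}"
end
```

Calling missing_gids_for_current_process from inside the master process (rather than from a login shell) is what distinguishes the two cases; a non-empty result means the process was started without its supplementary groups.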
