Issue #16667 has been updated by Jeff McCune.
# Workaround
The current workaround to this issue is to remove the rules from
`fileserver.conf` and instead implement authorization in `auth.conf`.
For example, if you had the following fileserver.conf in Puppet 2.7:
<pre>
[files]
path /etc/puppet/files
allow 10.101.0.0/24
allow 10.103.0.0/24
</pre>
Then you can work around this issue in Puppet 3.0.0 and 3.0.1 with the
following fileserver.conf and auth.conf respectively:
<pre>
[files]
path /etc/puppet/files
# Access control is managed in auth.conf now
allow *
</pre>
<pre>
# This is an example auth.conf file, which implements the
# defaults used by the puppet master.
#
# The ACLs are evaluated in top-down order. More general
# stanzas should be towards the bottom of the file and more
# specific ones at the top, otherwise the general rules
# take precedence and later rules will not be evaluated.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
# by optional modifiers, and finally, a series of allow or deny
# directives.
#
# Example Stanza
# ---------------------------------
# path /path/to/resource # simple prefix match
# # path ~ regex # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|backreference|*]
# deny [host|backreference|*]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza
#
# Examples:
# path ~ ^/path/to/resource # equivalent to `path /path/to/resource`
# allow *
#
# path ~ ^/catalog/([^/]+)$ # permit access only for the
# allow $1 # node whose cert matches the path
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# JJM Lock down the "files" fileserver mount exported from fileserver.conf
# Remember, this file is parsed top to bottom and the first match "wins" so
# more specific rules need to be above more generalized rules.
# The following two rules mean the agent must possess a signed certificate and
# must be connecting from the 10.101.0.0/24 or 10.103.0.0/24 subnet.
path /file_metadata/files
auth yes
allow_ip 10.101.0.0/24
allow_ip 10.103.0.0/24
path /file_content/files
auth yes
allow_ip 10.101.0.0/24
allow_ip 10.103.0.0/24
# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.
# allow access to the master CA
path /certificate/ca
auth any
method find
allow *
path /certificate/
auth any
method find
allow *
path /certificate_request
auth any
method find, save
allow *
# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else
path /
auth any
</pre>
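To make the evaluation order in the comments above concrete, here is an added toy evaluator of the auth.conf rules (example code written for this note, not Puppet's implementation): prefix and `~` regex paths, `method` and `auth` modifiers, `allow` with `$n` backreferences and `allow_ip` CIDRs, with the first matching stanza deciding. It is run against a constructed subset of the workaround config; `deny` lines, environments and hostname wildcards are left out, and `certname` is `nil` for an unauthenticated request.

```ruby
require 'ipaddr'

# Toy model of auth.conf evaluation (added example, not Puppet's code): stanzas are tried
# top-down, the first one whose path/method/auth fit the request decides, and only its
# allow / allow_ip lines can grant access. Anything that matches nothing is denied.
class AuthConf
  Stanza = Struct.new(:regex, :prefix, :methods, :auth, :allow, :allow_ip)

  def initialize(text)
    @stanzas = []
    text.each_line do |raw|
      line = raw.sub(/#.*/, '').strip              # drop comments and blank lines
      next if line.empty?
      key, val = line.split(/\s+/, 2)
      case key
      when 'path'                                   # "~ regex" or a plain prefix
        re = val.start_with?('~') ? Regexp.new(val.sub(/\A~\s*/, '')) : nil
        @stanzas << Stanza.new(re, re ? nil : val, nil, 'yes', [], [])  # auth defaults to yes
      when 'method'   then @stanzas.last.methods = val.split(/\s*,\s*/)
      when 'auth'     then @stanzas.last.auth = val
      when 'allow'    then @stanzas.last.allow.concat(val.split(/\s*,\s*/))
      when 'allow_ip' then @stanzas.last.allow_ip.concat(val.split(/\s*,\s*/).map { |c| IPAddr.new(c) })
      end
    end
  end

  # certname is nil when the client presented no valid certificate.
  def allowed?(path, method:, ip:, certname: nil)
    @stanzas.each do |s|
      m = s.regex ? s.regex.match(path) : (path.start_with?(s.prefix) ? [] : nil)
      next unless m                                                    # path does not match
      next if s.methods && !s.methods.include?(method)                 # method modifier
      next unless s.auth == 'any' || (%w[yes on].include?(s.auth) == !certname.nil?)
      # allow: '*', a literal certname, or a $n backreference into the path regex
      by_name = s.allow.any? { |a| a == '*' || a.gsub(/\$(\d+)/) { m[$1.to_i].to_s } == certname }
      by_ip   = s.allow_ip.any? { |net| net.include?(IPAddr.new(ip)) }
      return by_name || by_ip                          # first matching stanza decides
    end
    false                                              # nothing matched: default deny
  end
end

# Constructed subset of the workaround auth.conf shown above.
ACL = AuthConf.new(<<~CONF)
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  path /file_metadata/files
  auth yes
  allow_ip 10.101.0.0/24
  path /file
  allow *
  path /
  auth any
CONF
```

An authenticated agent at 10.101.0.7 fetching `/file_metadata/files/...` is allowed, while the same request from 192.168.1.7 is denied by the lockdown stanza before the `path /file` stanza is ever consulted; an unauthenticated request skips both `auth yes` stanzas and falls through to the final deny-everything `path /`.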
# References
* [default auth.conf in 3.0.x](https://github.com/puppetlabs/puppet/blob/3.0.x/conf/auth.conf)
* [puppet-users discussion - Puppet 3.0: Not authorized to call find on /file_metadata, more issues](https://groups.google.com/d/topic/puppet-users/eQpr0-zd3dM/discussion)
* [REST Access Control](http://docs.puppetlabs.com/guides/rest_auth_conf.html)
----------------------------------------
Bug #16667: Misleading error message "Not authorized to call find" after upgrading from 2.7 to 3.0
https://projects.puppetlabs.com/issues/16667#change-74837
Author: Jeff McCune
Status: Investigating
Priority: Normal
Assignee:
Category: error reporting
Target version: 3.0.x
Affected Puppet version: 3.0.0
Keywords:
Branch:
# Overview
When we took out the deprecation warning for the modules path element in source
URIs of file resources, we didn't replace it with a friendly error message.
# Expected behavior
In 2.7 the following manifest worked, but with this friendly message:
<pre>
# site.pp
node default {
  notify { "Hello World": }
  file { "/tmp/foo.txt":
    source => [
      "puppet:///filetest/sshd_config.${::fqdn}",
      "puppet:///filetest/sshd_config",
    ],
  }
}
</pre>
<pre>
notice: DEPRECATION NOTICE: Files found in modules without specifying 'modules' in file path will be deprecated in the next major release. Please fix module 'filetest' when no 0.24.x clients are present
</pre>
The behavior I expect is that a similarly friendly and informative error
message is displayed in 3.0.
# Actual Behavior
In 3.0 this is the user's experience:
<pre>
$ puppet master --verbose --no-daemonize
Starting Puppet master version 3.0.0
Info: Inserting default '~ ^/catalog/([^/]+)$' (auth true) ACL
Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
Info: Inserting default '/file' (auth ) ACL
Info: Inserting default '/certificate_revocation_list/ca' (auth true) ACL
Info: Inserting default '/report' (auth true) ACL
Info: Inserting default '/certificate/ca' (auth any) ACL
Info: Inserting default '/certificate/' (auth any) ACL
Info: Inserting default '/certificate_request' (auth any) ACL
Info: Inserting default '/status' (auth true) ACL
Compiled catalog for mccune.agent in environment production in 0.03 seconds
Error: Not authorized to call find on /file_metadata/filetest/sshd_config.mccune.puppetlabs.lan
</pre>