Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2013-01-04 Thread Eric Sorenson

On Jan 3, 2013, at 2:02 PM, Forrie wrote:

 I see the ChangeLog in 3.0.2 and this bug is still not addressed?   Is there 
 a technical problem that is not yet resolved, or is this just a matter of 
 priority and time. 

Forrie, this is on the table for 3.1, which will have a Release Candidate build 
Real Soon Now -- you can track progress on these two bugs:

https://projects.puppetlabs.com/issues/17448
https://projects.puppetlabs.com/issues/17449

Eric Sorenson - eric.soren...@puppetlabs.com
#puppet irc: eric0 

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-04 Thread Forrie
Jeff, 

Thanks for the reply.  This is the first Puppet distribution that I've 
upgraded to that required a lot of manual changes.  But that comes with the 
territory :-)

What I think would be very useful is to not only include sample *.conf 
files, init scripts, and such, but also example usage of new features in 
common scenarios.  For example, Eric S. referred to the config 
file https://github.com/puppetlabs/puppet/blob/master/conf/auth.conf which 
does state allow_ip in the top portion, but there's no usage example in the 
content.   I sometimes find it easier to grok changes when I see contextual 
examples :-)   That might be a bad example, as it's pretty simple -- but I 
think you get the gist of what I mean.

Thanks again!
Forrest






Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-02 Thread Forrie
The ChangeLog and the PR are not clear about this.  In fact, the 
documentation is vague and doesn't really mention allow_ip at all.   This 
should be updated and made more clear?

I will give this a try later on, on a test system, and see if that solves 
the problem.

Thanks.




Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-02 Thread Eric Sorenson
Check out the example auth.conf that comes with the distribution, it's 
heavily commented and should point the way:

https://github.com/puppetlabs/puppet/blob/master/conf/auth.conf


Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-02 Thread Jeff McCune
On Tue, Oct 2, 2012 at 11:09 AM, Forrie for...@gmail.com wrote:
 The ChangeLog and the PR are not clear about this.  In fact, the
 documentation is vague and doesn't really mention allow_ip at all.   This
 should be updated and made more clear?

Forrie,

I agree this wasn't very clear.  I too had a hard time finding the
information until Matthaus pointed me in the right direction.  We're
currently working on updating the documentation at docs.puppetlabs.com
to be much more clear about the breaking changes in Telly that we're
aware of and we intend.  I think this information is important because
it can be hard to tell the difference between a breaking change we
intended to be a breaking change and a breaking change in behavior
that is actually a bug.

The current list of changes for the 3.0.0 release will always be
available at the following URL:
http://links.puppetlabs.com/telly_breaking_changes

If you're still having trouble figuring out if a change in behavior is
intentional or is a bug, and the information at the above URL isn't
helpful, then please don't hesitate to ping me on IRC.  I'll be
hanging out in #puppet-dev all week and my #1 priority this week is
working with the community on 3.0.0 related issues.  My handle is
jmccune.

I hope this helps,
-Jeff




[Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-01 Thread Forrie
I've seen mention of this error in several places, with different causes. 
 So before I posted here, I attempted to resolve this on my own.

I corrected the change from puppet:///files to puppet:/// in my manifests 
*.pp files.  

No changes were made to the auth.conf file, and I did note in the ChangeLog 
that:

Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword 
 in auth.conf if you want to permit IP addresses. (PR991)


But I see no mention of that on the docs page 
at http://docs.puppetlabs.com/guides/rest_auth_conf.html.  

Our auth.conf is simple, and basically has either allow $1 or allow *, 
both of which appear to still be valid in 3.0.

Here's an example, a simple example, an ntp.conf file:

class ntp-client {
    file { "/etc/ntp.conf":
        owner   => root,
        group   => root,
        mode    => 644,
        source  => "puppet:///etc/ntp.conf",
        require => [ Package["ntp"] ],
        notify  => Service["ntpd"],
    }
    package { "ntp":
        ensure => latest,
    }
    service { "ntpd":
        ensure     => running,
        hasrestart => true,
        subscribe  => File["/etc/ntp.conf"],
    }
} # ntp-client


The error I'm seeing in the puppet.log, on the client system:


Oct  1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client 
 version 2.7.17
 Oct  1 20:02:31 test-fms puppet-agent[11062]: 
 (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 
 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could 
 not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: 
 Not authorized to call find on /file_metadata/etc/ntp.conf at 
 /etc/puppet/manifests/classes/ntp-client.pp:10


 
The permissions from /etc/puppet/files are correct:

-rw-r--r--. 1 puppet puppet 446 Mar 31  2011 etc/ntp.conf


The client puppet.conf file doesn't have any custom references other than 
the basics.

[main]
server = ourpuppet.server.com
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
syslogfacility = local4
report = true
listen = true


I ran puppet master in verbose mode and got these diagnostics:

Starting Puppet master version 3.0.0
Info: access[^/catalog/([^/]+)$]: allowing 'method' find
Info: access[^/catalog/([^/]+)$]: allowing $1 access
Info: access[/certificate_revocation_list/ca]: allowing 'method' find
Info: access[/certificate_revocation_list/ca]: allowing * access
Info: access[/report]: allowing 'method' save
Info: access[/report]: allowing * access
Info: access[/file]: allowing * access
Info: access[/certificate/ca]: adding authentication no
Info: access[/certificate/ca]: allowing 'method' find
Info: access[/certificate/ca]: allowing * access
Info: access[/certificate/]: adding authentication no
Info: access[/certificate/]: allowing 'method' find
Info: access[/certificate/]: allowing * access
Info: access[/certificate_request]: adding authentication no
Info: access[/certificate_request]: allowing 'method' find
Info: access[/certificate_request]: allowing 'method' save
Info: access[/certificate_request]: allowing * access
Info: access[/]: adding authentication any
Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
Info: Inserting default '/status' (auth true) ACL
Warning: Host is missing hostname and/or domain: one-host.ourdomain.com
Compiled catalog for one-host.ourdomain.com in environment production in 
1.16 seconds
Info: mount[files]: allowing 10.101.0.0/24 access
Error: Error parsing fileserver configuration: wrong number of arguments (3 
for 1); using old configuration
Error: Not authorized to call find on /file_metadata/etc/ntp.conf
Error: Not authorized to call find on /file_metadata/etc/sudoers
Error: Not authorized to call find on 
/file_metadata/files/etc/ssh/ssh_known_hosts
Error: Not authorized to call find on 
/file_metadata/files/etc/ssh/sshd_config
Error: Not authorized to call find on 
/file_metadata/etc/puppet/namespaceauth.conf
Error: Not authorized to call find on 
/file_metadata/etc/puppet/puppet.conf.agent
Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf
Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test
 
I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html 
and our config looks fine.

Reading through the issue at http://projects.puppetlabs.com/issues/16667, 
I'm not clear what the fix actually is.  But, our config has been 
unaltered.   We have unused modules in the /etc/puppet/modules directory, 
where most of the little stuff has been in /etc/puppet/manifests, 
referenced in site.pp by:

import "classes/*"
import "nodes.pp"


And it's worked thus far.

In the example above, with ntp-client, it's just a simple little 
ntp-client.pp file that references a file that should be transferred, 
nothing more.  So I don't see how or why that wouldn't work 

Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-01 Thread Matthaus Owens
In Puppet 3.x, allow directives are limited to hostnames, if you wish
to allow an ip address, the allow_ip directive should be used. This
was in response to CVE-2012-3408
(http://puppetlabs.com/security/cve/cve-2012-3408/).

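
The rule in the reply above (in Puppet 3.x `allow` takes hostnames and `allow_ip` takes addresses), as an added example that is not part of the original thread and is not Puppet's own code: a Ruby check that scans ACL configuration text for `allow` lines whose value is an IP address, CIDR range or octet wildcard and reports the `allow_ip` replacement. Both sample files are constructed, the function names and report format are hypothetical, and treating fileserver.conf mounts the same way as auth.conf stanzas is an assumption made here.

```ruby
require 'ipaddr'

# Constructed sample auth.conf (not taken from the thread).
SAMPLE_AUTH_CONF = <<~'CONF'
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  path /file
  allow *
  allow 10.101.0.15
CONF

# Constructed sample fileserver.conf; the CIDR matches the master log line
# "mount[files]: allowing 10.101.0.0/24 access".
SAMPLE_FILESERVER_CONF = <<~'CONF'
  [files]
    path /etc/puppet/files
    allow *.ourdomain.com
    allow 10.101.0.0/24
    allow_ip 192.168.1.0/24
CONF

# True when an ACL value is an address, a CIDR range or an octet wildcard
# such as 10.101.*; false for hostnames, globs and backreferences like $1.
# This is a heuristic written for this example, not Puppet's own parser.
def ip_pattern?(value)
  return true if value =~ /\A\d{1,3}(\.\d{1,3}){0,2}\.\*\z/
  return false unless value =~ %r{\A[0-9a-fA-F:.]+(/\d{1,3})?\z} && value =~ /[.:]/
  IPAddr.new(value) # raises for anything that is not a valid address/prefix
  true
rescue ArgumentError # IPAddr's error classes all inherit from ArgumentError
  false
end

# Walk the text, tracking the current stanza ("path ..." in auth.conf,
# "[mount]" in fileserver.conf), and collect every `allow` whose value is an
# IP pattern. Lines already using `allow_ip` are left alone.
def find_ip_allows(text)
  stanza = '(top level)'
  in_mount = false
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, rest = line.split(/\s+/, 2)
    if line =~ /\A\[.+\]\z/
      stanza = line
      in_mount = true            # inside a mount, "path" is a setting
    elsif keyword == 'path' && !in_mount
      stanza = rest.to_s         # auth.conf: "path" opens a new ACL stanza
    elsif keyword == 'allow'
      rest.to_s.split(/\s*,\s*/).each do |value|
        next unless ip_pattern?(value)
        findings << { line: lineno, stanza: stanza, value: value,
                      fix: "allow_ip #{value}" }
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'auth.conf' => SAMPLE_AUTH_CONF,
    'fileserver.conf' => SAMPLE_FILESERVER_CONF }.each do |name, text|
    find_ip_allows(text).each do |f|
      puts "#{name}:#{f[:line]} #{f[:stanza]}: 'allow #{f[:value]}' -> '#{f[:fix]}'"
    end
  end
end
```
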

Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?

2012-10-01 Thread Matthaus Owens
Oh, sorry, you mention that you already found that changelog entry. I
misread that part.
