Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
On Jan 3, 2013, at 2:02 PM, Forrie wrote: I see the ChangeLog in 3.0.2 and this bug is still not addressed? Is there a technical problem that is not yet resolved, or is this just a matter of priority and time. Forrie this is on the table for 3.1 which will have a Release Candidate build Real Soon Now -- you can track progress on these two bugs: https://projects.puppetlabs.com/issues/17448 https://projects.puppetlabs.com/issues/17449 Eric Sorenson - eric.soren...@puppetlabs.com #puppet irc: eric0 -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
Jeff, Thanks for the reply. This is the first Puppet distribution that I've upgraded to that required a lot of manual changes. But that comes with the territory :-) What I think would be very useful is to not only include sample *.conf files, init scripts, and such, but also example usage of new features in common scenarios. For example, Eric S. referred to the config file https://github.com/puppetlabs/puppet/blob/master/conf/auth.conf which does state allow_ip in the top portion, but there's no usage example in the content. I sometimes find it easier to grok changes when I see contextual examples :-) That might be a bad example, as it's pretty simple -- but I think you get the gist of what I mean. Thanks again! Forrest -- You received this message because you are subscribed to the Google Groups Puppet Users group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/78NYNBHDZ94J. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
The ChangeLog and the PR are not clear about this. In fact, the documentation is vague and doesn't really mention allow_ip at all. This should be updated and made more clear? I will give this a try later on, on a test system, and see if that solves the problem. Thanks. On Tuesday, October 2, 2012 1:30:34 AM UTC-4, Matthaus Litteken wrote: Oh, sorry, you mention that you already found that changelog entry. I misread that part. On Mon, Oct 1, 2012 at 10:27 PM, Matthaus Owens matt...@puppetlabs.comjavascript: wrote: In Puppet 3.x, allow directives are limited to hostnames, if you wish to allow an ip address, the allow_ip directive should be used. This was in response to CVE-2012-3408 (http://puppetlabs.com/security/cve/cve-2012-3408/). On Mon, Oct 1, 2012 at 5:48 PM, Forrie for...@gmail.com javascript: wrote: I've seen mention of this error in several places, with different causes. So before I posted here, I attempted to resolve this on my own. I corrected the change from puppet:///files to puppet:/// in my manifests *.pp files. No changes were made to the auth.conf file, and I did note in the ChangeLog that: Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword in auth.conf if you want to permit IP addresses. (PR991) But I see no mention of that on the docs page at http://docs.puppetlabs.com/guides/rest_auth_conf.html. Our auth.conf is simple, and basically has either allow $1 or allow * both which appear to still be valid in 3.0. Here's an example, a simple example, an ntp.conf file: class ntp-client { file { /etc/ntp.conf: owner = root, group = root, mode= 644, source = puppet:///etc/ntp.conf, require = [ Package[ntp] ], notify = Service[ntpd], } package { ntp: ensure = latest, } service { ntpd: ensure = running, hasrestart = true, subscribe = File[/etc/ntp.conf], } } # ntp-client The error I'm seeing in the puppet.log, on the client system: Oct 1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 Oct 1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 The permissions from /etc/puppet/files are correct: -rw-r--r--. 1 puppet puppet 446 Mar 31 2011 etc/ntp.conf The client puppet.conf file doesn't have any custom references other than the basics. [main] server = ourpuppet.server.com vardir = /var/lib/puppet logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig syslogfacility = local4 report = true listen = true I ran puppet master in verbose mode and got these diagnostics: Starting Puppet master version 3.0.0 Info: access[^/catalog/([^/]+)$]: allowing 'method' find Info: access[^/catalog/([^/]+)$]: allowing $1 access Info: access[/certificate_revocation_list/ca]: allowing 'method' find Info: access[/certificate_revocation_list/ca]: allowing * access Info: access[/report]: allowing 'method' save Info: access[/report]: allowing * access Info: access[/file]: allowing * access Info: access[/certificate/ca]: adding authentication no Info: access[/certificate/ca]: allowing 'method' find Info: access[/certificate/ca]: allowing * access Info: access[/certificate/]: adding authentication no Info: access[/certificate/]: allowing 'method' find Info: access[/certificate/]: allowing * access Info: access[/certificate_request]: adding authentication no Info: access[/certificate_request]: allowing 'method' find Info: access[/certificate_request]: allowing 'method' save Info: access[/certificate_request]: allowing * access Info: access[/]: adding authentication any Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL Info: Inserting default '/status' (auth true) ACL Warning: Host is missing hostname and/or domain: one-host.ourdomain.com Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds Info: mount[files]: allowing 10.101.0.0/24 access Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration Error: Not authorized to call find on /file_metadata/etc/ntp.conf Error: Not authorized to call find on /file_metadata/etc/sudoers Error: Not
Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
Check out the example auth.conf that comes with the distribution, it's heavily commented and should point the way: https://github.com/puppetlabs/puppet/blob/master/conf/auth.conf On Tuesday, October 2, 2012 11:09:08 AM UTC-7, Forrie wrote: The ChangeLog and the PR are not clear about this. In fact, the documentation is vague and doesn't really mention allow_ip at all. This should be updated and made more clear? I will give this a try later on, on a test system, and see if that solves the problem. Thanks. On Tuesday, October 2, 2012 1:30:34 AM UTC-4, Matthaus Litteken wrote: Oh, sorry, you mention that you already found that changelog entry. I misread that part. On Mon, Oct 1, 2012 at 10:27 PM, Matthaus Owens matt...@puppetlabs.com wrote: In Puppet 3.x, allow directives are limited to hostnames, if you wish to allow an ip address, the allow_ip directive should be used. This was in response to CVE-2012-3408 (http://puppetlabs.com/security/cve/cve-2012-3408/). On Mon, Oct 1, 2012 at 5:48 PM, Forrie for...@gmail.com wrote: I've seen mention of this error in several places, with different causes. So before I posted here, I attempted to resolve this on my own. I corrected the change from puppet:///files to puppet:/// in my manifests *.pp files. No changes were made to the auth.conf file, and I did note in the ChangeLog that: Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword in auth.conf if you want to permit IP addresses. (PR991) But I see no mention of that on the docs page at http://docs.puppetlabs.com/guides/rest_auth_conf.html. Our auth.conf is simple, and basically has either allow $1 or allow * both which appear to still be valid in 3.0. Here's an example, a simple example, an ntp.conf file: class ntp-client { file { /etc/ntp.conf: owner = root, group = root, mode= 644, source = puppet:///etc/ntp.conf, require = [ Package[ntp] ], notify = Service[ntpd], } package { ntp: ensure = latest, } service { ntpd: ensure = running, hasrestart = true, subscribe = File[/etc/ntp.conf], } } # ntp-client The error I'm seeing in the puppet.log, on the client system: Oct 1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 Oct 1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 The permissions from /etc/puppet/files are correct: -rw-r--r--. 1 puppet puppet 446 Mar 31 2011 etc/ntp.conf The client puppet.conf file doesn't have any custom references other than the basics. [main] server = ourpuppet.server.com vardir = /var/lib/puppet logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig syslogfacility = local4 report = true listen = true I ran puppet master in verbose mode and got these diagnostics: Starting Puppet master version 3.0.0 Info: access[^/catalog/([^/]+)$]: allowing 'method' find Info: access[^/catalog/([^/]+)$]: allowing $1 access Info: access[/certificate_revocation_list/ca]: allowing 'method' find Info: access[/certificate_revocation_list/ca]: allowing * access Info: access[/report]: allowing 'method' save Info: access[/report]: allowing * access Info: access[/file]: allowing * access Info: access[/certificate/ca]: adding authentication no Info: access[/certificate/ca]: allowing 'method' find Info: access[/certificate/ca]: allowing * access Info: access[/certificate/]: adding authentication no Info: access[/certificate/]: allowing 'method' find Info: access[/certificate/]: allowing * access Info: access[/certificate_request]: adding authentication no Info: access[/certificate_request]: allowing 'method' find Info: access[/certificate_request]: allowing 'method' save Info: access[/certificate_request]: allowing * access Info: access[/]: adding authentication any Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL Info: Inserting default '/status' (auth true) ACL Warning: Host is missing hostname and/or domain: one-host.ourdomain.com Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds Info: mount[files]: allowing 10.101.0.0/24 access Error: Error parsing fileserver
Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
On Tue, Oct 2, 2012 at 11:09 AM, Forrie for...@gmail.com wrote: The ChangeLog and the PR are not clear about this. In fact, the documentation is vague and doesn't really mention allow_ip at all. This should be updated and made more clear? Forrie, I agree this wasn't very clear. I too had a hard time finding the information until Matthaus pointed me in the right direction. We're currently working on updating the documentation at docs.puppetlabs.com to be much more clear about the breaking changes in Telly that we're aware of and we intend. I think this information is important because it can be hard to tell the difference between a breaking change we intended to be a breaking change and a breaking change in behavior that is actually a bug. The current list of change for the 3.0.0 release will always be available at the following URL: http://links.puppetlabs.com/telly_breaking_changes If you're still having trouble figuring out if a change in behavior is intentional or is a bug, and the information at the above URL isn't helpful, then please don't hesitate to ping me on IRC. I'll be hanging out in #puppet-dev all week and my #1 priority this week is working with the community on 3.0.0 related issues. My handle is jmccune. I hope this helps, -Jeff -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
I've seen mention of this error in several places, with different causes. So before I posted here, I attempted to resolve this on my own. I corrected the change from puppet:///files to puppet:/// in my manifests *.pp files. No changes were made to the auth.conf file, and I did note in the ChangeLog that: Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword in auth.conf if you want to permit IP addresses. (PR991) But I see no mention of that on the docs page at http://docs.puppetlabs.com/guides/rest_auth_conf.html. Our auth.conf is simple, and basically has either allow $1 or allow * both which appear to still be valid in 3.0. Here's an example, a simple example, an ntp.conf file: class ntp-client { file { /etc/ntp.conf: owner = root, group = root, mode= 644, source = puppet:///etc/ntp.conf, require = [ Package[ntp] ], notify = Service[ntpd], } package { ntp: ensure = latest, } service { ntpd: ensure = running, hasrestart = true, subscribe = File[/etc/ntp.conf], } } # ntp-client The error I'm seeing in the puppet.log, on the client system: Oct 1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 Oct 1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 The permissions from /etc/puppet/files are correct: -rw-r--r--. 1 puppet puppet 446 Mar 31 2011 etc/ntp.conf The client puppet.conf file doesn't have any custom references other than the basics. [main] server = ourpuppet.server.com vardir = /var/lib/puppet logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig syslogfacility = local4 report = true listen = true I ran puppet master in verbose mode and got these diagnostics: Starting Puppet master version 3.0.0 Info: access[^/catalog/([^/]+)$]: allowing 'method' find Info: access[^/catalog/([^/]+)$]: allowing $1 access Info: access[/certificate_revocation_list/ca]: allowing 'method' find Info: access[/certificate_revocation_list/ca]: allowing * access Info: access[/report]: allowing 'method' save Info: access[/report]: allowing * access Info: access[/file]: allowing * access Info: access[/certificate/ca]: adding authentication no Info: access[/certificate/ca]: allowing 'method' find Info: access[/certificate/ca]: allowing * access Info: access[/certificate/]: adding authentication no Info: access[/certificate/]: allowing 'method' find Info: access[/certificate/]: allowing * access Info: access[/certificate_request]: adding authentication no Info: access[/certificate_request]: allowing 'method' find Info: access[/certificate_request]: allowing 'method' save Info: access[/certificate_request]: allowing * access Info: access[/]: adding authentication any Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL Info: Inserting default '/status' (auth true) ACL Warning: Host is missing hostname and/or domain: one-host.ourdomain.com Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds Info: mount[files]: allowing 10.101.0.0/24 access Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration Error: Not authorized to call find on /file_metadata/etc/ntp.conf Error: Not authorized to call find on /file_metadata/etc/sudoers Error: Not authorized to call find on /file_metadata/files/etc/ssh/ssh_known_hosts Error: Not authorized to call find on /file_metadata/files/etc/ssh/sshd_config Error: Not authorized to call find on /file_metadata/etc/puppet/namespaceauth.conf Error: Not authorized to call find on /file_metadata/etc/puppet/puppet.conf.agent Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html and our config looks fine. Reading through the issue at http://projects.puppetlabs.com/issues/16667, I'm not clear what the fix actually is. But, our config has been unaltered. We have unused modules in the /etc/puppet/modules directory, where most of the little stuff has been in /etc/puppet/manifests, referenced in site.pp by: import classes/* import nodes.pp And it's worked thus far. In the example above, with ntp-client, it's just a simple little ntp-client.pp file that references a file that should be transfered, nothing more. So I don't see how or why that wouldn't work
Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
In Puppet 3.x, allow directives are limited to hostnames, if you wish to allow an ip address, the allow_ip directive should be used. This was in response to CVE-2012-3408 (http://puppetlabs.com/security/cve/cve-2012-3408/). On Mon, Oct 1, 2012 at 5:48 PM, Forrie for...@gmail.com wrote: I've seen mention of this error in several places, with different causes. So before I posted here, I attempted to resolve this on my own. I corrected the change from puppet:///files to puppet:/// in my manifests *.pp files. No changes were made to the auth.conf file, and I did note in the ChangeLog that: Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword in auth.conf if you want to permit IP addresses. (PR991) But I see no mention of that on the docs page at http://docs.puppetlabs.com/guides/rest_auth_conf.html. Our auth.conf is simple, and basically has either allow $1 or allow * both which appear to still be valid in 3.0. Here's an example, a simple example, an ntp.conf file: class ntp-client { file { /etc/ntp.conf: owner = root, group = root, mode= 644, source = puppet:///etc/ntp.conf, require = [ Package[ntp] ], notify = Service[ntpd], } package { ntp: ensure = latest, } service { ntpd: ensure = running, hasrestart = true, subscribe = File[/etc/ntp.conf], } } # ntp-client The error I'm seeing in the puppet.log, on the client system: Oct 1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 Oct 1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 The permissions from /etc/puppet/files are correct: -rw-r--r--. 1 puppet puppet 446 Mar 31 2011 etc/ntp.conf The client puppet.conf file doesn't have any custom references other than the basics. [main] server = ourpuppet.server.com vardir = /var/lib/puppet logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig syslogfacility = local4 report = true listen = true I ran puppet master in verbose mode and got these diagnostics: Starting Puppet master version 3.0.0 Info: access[^/catalog/([^/]+)$]: allowing 'method' find Info: access[^/catalog/([^/]+)$]: allowing $1 access Info: access[/certificate_revocation_list/ca]: allowing 'method' find Info: access[/certificate_revocation_list/ca]: allowing * access Info: access[/report]: allowing 'method' save Info: access[/report]: allowing * access Info: access[/file]: allowing * access Info: access[/certificate/ca]: adding authentication no Info: access[/certificate/ca]: allowing 'method' find Info: access[/certificate/ca]: allowing * access Info: access[/certificate/]: adding authentication no Info: access[/certificate/]: allowing 'method' find Info: access[/certificate/]: allowing * access Info: access[/certificate_request]: adding authentication no Info: access[/certificate_request]: allowing 'method' find Info: access[/certificate_request]: allowing 'method' save Info: access[/certificate_request]: allowing * access Info: access[/]: adding authentication any Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL Info: Inserting default '/status' (auth true) ACL Warning: Host is missing hostname and/or domain: one-host.ourdomain.com Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds Info: mount[files]: allowing 10.101.0.0/24 access Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration Error: Not authorized to call find on /file_metadata/etc/ntp.conf Error: Not authorized to call find on /file_metadata/etc/sudoers Error: Not authorized to call find on /file_metadata/files/etc/ssh/ssh_known_hosts Error: Not authorized to call find on /file_metadata/files/etc/ssh/sshd_config Error: Not authorized to call find on /file_metadata/etc/puppet/namespaceauth.conf Error: Not authorized to call find on /file_metadata/etc/puppet/puppet.conf.agent Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html and our config looks fine. Reading through the issue at http://projects.puppetlabs.com/issues/16667, I'm not clear what the fix actually is. But, our config has been unaltered. We have unused modules in the /etc/puppet/modules directory, where most of the little
Re: [Puppet Users] Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
Oh, sorry, you mention that you already found that changelog entry. I misread that part. On Mon, Oct 1, 2012 at 10:27 PM, Matthaus Owens matth...@puppetlabs.com wrote: In Puppet 3.x, allow directives are limited to hostnames, if you wish to allow an ip address, the allow_ip directive should be used. This was in response to CVE-2012-3408 (http://puppetlabs.com/security/cve/cve-2012-3408/). On Mon, Oct 1, 2012 at 5:48 PM, Forrie for...@gmail.com wrote: I've seen mention of this error in several places, with different causes. So before I posted here, I attempted to resolve this on my own. I corrected the change from puppet:///files to puppet:/// in my manifests *.pp files. No changes were made to the auth.conf file, and I did note in the ChangeLog that: Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword in auth.conf if you want to permit IP addresses. (PR991) But I see no mention of that on the docs page at http://docs.puppetlabs.com/guides/rest_auth_conf.html. Our auth.conf is simple, and basically has either allow $1 or allow * both which appear to still be valid in 3.0. Here's an example, a simple example, an ntp.conf file: class ntp-client { file { /etc/ntp.conf: owner = root, group = root, mode= 644, source = puppet:///etc/ntp.conf, require = [ Package[ntp] ], notify = Service[ntpd], } package { ntp: ensure = latest, } service { ntpd: ensure = running, hasrestart = true, subscribe = File[/etc/ntp.conf], } } # ntp-client The error I'm seeing in the puppet.log, on the client system: Oct 1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 Oct 1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 The permissions from /etc/puppet/files are correct: -rw-r--r--. 1 puppet puppet 446 Mar 31 2011 etc/ntp.conf The client puppet.conf file doesn't have any custom references other than the basics. [main] server = ourpuppet.server.com vardir = /var/lib/puppet logdir = /var/log/puppet rundir = /var/run/puppet ssldir = $vardir/ssl [agent] classfile = $vardir/classes.txt localconfig = $vardir/localconfig syslogfacility = local4 report = true listen = true I ran puppet master in verbose mode and got these diagnostics: Starting Puppet master version 3.0.0 Info: access[^/catalog/([^/]+)$]: allowing 'method' find Info: access[^/catalog/([^/]+)$]: allowing $1 access Info: access[/certificate_revocation_list/ca]: allowing 'method' find Info: access[/certificate_revocation_list/ca]: allowing * access Info: access[/report]: allowing 'method' save Info: access[/report]: allowing * access Info: access[/file]: allowing * access Info: access[/certificate/ca]: adding authentication no Info: access[/certificate/ca]: allowing 'method' find Info: access[/certificate/ca]: allowing * access Info: access[/certificate/]: adding authentication no Info: access[/certificate/]: allowing 'method' find Info: access[/certificate/]: allowing * access Info: access[/certificate_request]: adding authentication no Info: access[/certificate_request]: allowing 'method' find Info: access[/certificate_request]: allowing 'method' save Info: access[/certificate_request]: allowing * access Info: access[/]: adding authentication any Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL Info: Inserting default '/status' (auth true) ACL Warning: Host is missing hostname and/or domain: one-host.ourdomain.com Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds Info: mount[files]: allowing 10.101.0.0/24 access Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration Error: Not authorized to call find on /file_metadata/etc/ntp.conf Error: Not authorized to call find on /file_metadata/etc/sudoers Error: Not authorized to call find on /file_metadata/files/etc/ssh/ssh_known_hosts Error: Not authorized to call find on /file_metadata/files/etc/ssh/sshd_config Error: Not authorized to call find on /file_metadata/etc/puppet/namespaceauth.conf Error: Not authorized to call find on /file_metadata/etc/puppet/puppet.conf.agent Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html and our config looks fine. Reading through the issue at