Issue #17129 has been updated by Josh Cooper. Status changed from In Topic Branch Pending Review to Accepted
The current behavior in 2.7.x is: rest client issues a request, and receives an 400 HTTP response: <pre> $ curl -v --insecure -H "Accept: yaml" https://sirrus.puppetlabs.lan:8140/production/certificate_requests/all ... HTTP/1.1 400 Permission denied - /Users/josh/scratch/master/badperms/ssl/ca/requests/agent1.pem </pre> And I see the exception and error message in syslog: <pre> Nov 1 10:27:11 sirrus puppet-master[86589]: Permission denied - /Users/josh/scratch/master/badperms/ssl/ca/requests/agent1.pem </pre> If we were to change the behavior as proposed, then it means `puppet cert list --all` would return 0, instead of 24 as it does now. The change also wouldn't handle cases where the pem file is corrupt (asn.1 parsing fails, we except pem encoding, but it's der, it's encrypted with a passphrase, etc). In other words, I don't think we should be clever and try to infer the client's intent. I would rather us fail fast and report the unrecoverable error to the client as we currently do. Alternatively, we could return the exception instance instead of the certificate instance: <pre> HTTP/1.1 200 OK ... - !ruby/exception:Errno::EACCES message: "Permission denied - /Users/josh/scratch/master/badperms/ssl/ca/requests/agent1.pem" </pre> But rest clients expect certificate instances: <pre> $ puppet cert list --all err: Could not call list: undefined method `name' for #<Errno::EACCES:0x10ec69e90> </pre> Comments? ---------------------------------------- Bug #17129: SSL REST API bails out completely on permissions errors https://projects.puppetlabs.com/issues/17129#change-75500 Author: Max Martin Status: Accepted Priority: Normal Assignee: Josh Cooper Category: Target version: 2.7.20 Affected Puppet version: Keywords: ssl Branch: https://github.com/puppetlabs/puppet/pull/1248 If the puppetmaster doesn't have permission to access any of the .pem files waiting in the requests directory (in this case, `/etc/puppetlabs/puppet/ssl/ca/requests`), it will bail out completely when all CSRs are requested by hitting `/certificate_statuses/all`. In this example, I have a number of .pem files which the puppetmaster can access, and one that it cannot: <pre> root@master:/etc/puppetlabs/puppet/ssl/ca/requests# ls -al total 60 drwxr-xr-x 2 pe-puppet pe-puppet 4096 2012-10-19 21:18 . drwxrwx--- 5 pe-puppet pe-puppet 4096 2012-10-19 01:55 .. rw-r---- 1 peadmin peadmin 1590 2012-10-19 20:06 example_38463.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 20:06 example_46536.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 20:06 example_62602.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 20:06 example_66483.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 21:15 example_67152.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 20:06 example_69811.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 20:06 example_7469.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 21:15 example_78904.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 21:15 example_90326.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 21:15 example_90906.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 21:15 example_92088.pem rw-r---- 1 pe-puppet pe-puppet 1590 2012-10-19 20:06 example_93947.pem </pre> when I attempt to hit `certificate_statuses/all` for the production environment, the whole response is `Permission denied - /etc/puppetlabs/puppet/ssl/ca/requests/example_38463.pem` The API should be able handle the permissions error and return information about all the waiting CSRs, at least those with correct permissions. It should possibly also return information about the .pem file with incorrect permissions. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to puppet-bugs@googlegroups.com. To unsubscribe from this group, send email to puppet-bugs+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.