The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #15158

action filter rejected authorization should be treated as status, not as a result

Added by konrad rzentarzewski over 2 years ago. Updated about 1 year ago.

Status:ClosedStart date:06/22/2012
Priority:NormalDue date:
Assignee:R.I. Pienaar% Done:

0%

Category:SimpleRPC
Target version:2.1.x
Keywords: Affected mCollective version:
Branch:

We've Moved!

Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com

This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.


Description

currently plugins are treating “You are not authorized to call this agent or action.” as simple output, applying whatever filter to it (usually default, as it doesn’t match to other “expected” statuses), ie. puppetd application treats those agents as “down”, nrpe application treats them as “ok”.

it might be better approach to filter action policy rejections before passing it to client applications, so that they appear in rpc summary and not in plugin’s output.

relevant ml thread: https://groups.google.com/forum/?fromgroups#!topic/mcollective-users/4rlG-JVY27k

History

#1 Updated by R.I. Pienaar over 2 years ago

  • Category set to SimpleRPC
  • Status changed from Unreviewed to Accepted
  • Assignee set to R.I. Pienaar
  • Target version set to 2.1.x

Just to clarify, it does return the correct failure code, these applications have bugs and do not interpret the failure code correctly.

This indicates that the framework is making it unnecessarily hard for application writes to do the right thing so that should be the aim when dealing with this request.

>> rpc(:runcommand, :command=>"check_load") {|r| p r}
#<MCollective::RPC::Result:0x7f19426cfb30 @agent="nrpe", @action="runcommand", @results={:statusmsg=>"You are not authorized to call this agent or action", :data=>{:exitcode=>nil, :perfdata=>nil, :output=>nil}, :sender=>"devco.net", :statuscode=>1}>

Notice statuscode is 1 which is RPCAborted which is correct. But by not including these in results we’ll make this kind of common error easier to avoid when writing applications.

#2 Updated by R.I. Pienaar over 2 years ago

The NRPE application now treat authorized denied as UNKNOWNs and report htem properly http://git.io/6U7cgQ

#3 Updated by Pieter Loubser about 1 year ago

  • Status changed from Accepted to Closed

Also available in: Atom PDF