The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #15158

action filter rejected authorization should be treated as status, not as a result

Added by konrad rzentarzewski almost 4 years ago. Updated over 2 years ago.

Status:ClosedStart date:06/22/2012
Priority:NormalDue date:
Assignee:R.I. Pienaar% Done:


Target version:2.1.x
Keywords: Affected mCollective version:

We've Moved!

Ticket tracking is now hosted in JIRA:


currently plugins are treating “You are not authorized to call this agent or action.” as simple output, applying whatever filter to it (usually default, as it doesn’t match to other “expected” statuses), ie. puppetd application treats those agents as “down”, nrpe application treats them as “ok”.

it might be better approach to filter action policy rejections before passing it to client applications, so that they appear in rpc summary and not in plugin’s output.

relevant ml thread:!topic/mcollective-users/4rlG-JVY27k


#1 Updated by R.I. Pienaar almost 4 years ago

  • Category set to SimpleRPC
  • Status changed from Unreviewed to Accepted
  • Assignee set to R.I. Pienaar
  • Target version set to 2.1.x

Just to clarify, it does return the correct failure code, these applications have bugs and do not interpret the failure code correctly.

This indicates that the framework is making it unnecessarily hard for application writes to do the right thing so that should be the aim when dealing with this request.

>> rpc(:runcommand, :command=>"check_load") {|r| p r}
#<MCollective::RPC::Result:0x7f19426cfb30 @agent="nrpe", @action="runcommand", @results={:statusmsg=>"You are not authorized to call this agent or action", :data=>{:exitcode=>nil, :perfdata=>nil, :output=>nil}, :sender=>"", :statuscode=>1}>

Notice statuscode is 1 which is RPCAborted which is correct. But by not including these in results we’ll make this kind of common error easier to avoid when writing applications.

#2 Updated by R.I. Pienaar almost 4 years ago

The NRPE application now treat authorized denied as UNKNOWNs and report htem properly

#3 Updated by Pieter Loubser over 2 years ago

  • Status changed from Accepted to Closed

Also available in: Atom PDF