The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #16667

Misleading error message "Not authorized to call find" after upgrading from 2.7 to 3.0

Added by Anonymous over 3 years ago. Updated over 3 years ago.

Status: Investigating
Priority: Normal
Assignee: -
Category: error reporting
Target version: 3.x
Affected Puppet version: 3.0.0
Branch:
Start date: 10/01/2012
Due date:
% Done: 0%
Keywords:



Description

Overview

When we took out the deprecation warning for the modules path element in source URIs of file resources, we didn't replace it with a friendly error message.

Expected behavior

In 2.7 the following manifest worked, but with this friendly message:

# site.pp
node default {
  notify { "Hello World": }

  file { "/tmp/foo.txt":
    source => [
      "puppet:///filetest/sshd_config.${::fqdn}",
      "puppet:///filetest/sshd_config",
    ],
  }
}

notice: DEPRECATION NOTICE: Files found in modules without specifying 'modules' in file path
  will be deprecated in the next major release.  Please fix module 'filetest' when no 0.24.x
  clients are present

The behavior I expect is that a similarly friendly and informative error message is displayed in 3.0.

Actual Behavior

In 3.0 this is the user’s experience:

$ puppet master --verbose --no-daemonize
Starting Puppet master version 3.0.0
Info: Inserting default '~ ^/catalog/([^/]+)$' (auth true) ACL
Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
Info: Inserting default '/file' (auth ) ACL
Info: Inserting default '/certificate_revocation_list/ca' (auth true) ACL
Info: Inserting default '/report' (auth true) ACL
Info: Inserting default '/certificate/ca' (auth any) ACL
Info: Inserting default '/certificate/' (auth any) ACL
Info: Inserting default '/certificate_request' (auth any) ACL
Info: Inserting default '/status' (auth true) ACL
Compiled catalog for mccune.agent in environment production in 0.03 seconds
Error: Not authorized to call find on /file_metadata/filetest/sshd_config.mccune.puppetlabs.lan
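The friendly message the ticket expects can be produced by checking the mount before the file_metadata find is issued. The Ruby below is an added example written for this page, not Puppet's own code: it resolves a puppet:/// source against the custom mounts from fileserver.conf and the modules on the modulepath, reproduces the 2.7 fallback (serve the module file, emit the deprecation notice) as an option, and otherwise fails with the hint a user needs. The mount list (`files`), the module list (`filetest`), the function names and the `legacy_module_lookup` switch are assumptions of the example.

```ruby
# Constructed example for this ticket, not Puppet's own code: resolve the mount
# of a puppet:/// file source and produce a friendly message instead of
# "Not authorized to call find". Assumed inputs: `mounts` holds the custom mount
# names from fileserver.conf, `modules` the module names on the modulepath.
SourceLocation = Struct.new(:mount, :relative_path, :note)
class UnknownMountError < StandardError; end

SOURCE_URI = %r{\Apuppet://(?<server>[^/]*)/(?<path>.+)\z}

def resolve_source(source, mounts:, modules:, legacy_module_lookup: false)
  m = SOURCE_URI.match(source)
  raise ArgumentError, "not a puppet:// URI: #{source}" unless m
  mount, rel = m[:path].split('/', 2)
  rel = rel.to_s

  if mount == 'modules'                      # puppet:///modules/<module>/<file>
    mod, file = rel.split('/', 2)
    unless modules.include?(mod)
      raise UnknownMountError, "module '#{mod}' is not on the modulepath (source #{source})"
    end
    return SourceLocation.new('modules', "#{mod}/#{file}", nil)
  end

  return SourceLocation.new(mount, rel, nil) if mounts.include?(mount)

  if modules.include?(mount)                 # bare module name used as a mount
    suggestion = "puppet://#{m[:server]}/modules/#{mount}/#{rel}"
    if legacy_module_lookup                  # 2.7 behaviour: serve it, but warn
      return SourceLocation.new('modules', "#{mount}/#{rel}",
                                "DEPRECATION NOTICE: module files must be addressed as #{suggestion}")
    end
    raise UnknownMountError,
          "'#{mount}' is not a mount in fileserver.conf but is a module; did you mean #{suggestion}?"
  end

  raise UnknownMountError, "'#{mount}' is neither a fileserver.conf mount nor a module (source #{source})"
end

# Pre-flight check for a file resource's source list: one message per entry
# that a 3.0 master would reject.
def lint_sources(sources, mounts:, modules:)
  problems = []
  sources.each do |src|
    begin
      resolve_source(src, mounts: mounts, modules: modules)
    rescue ArgumentError, UnknownMountError => e
      problems << "#{src}: #{e.message}"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # the two sources from the site.pp above, with ${::fqdn} already expanded
  sources = ['puppet:///filetest/sshd_config.mccune.puppetlabs.lan', 'puppet:///filetest/sshd_config']
  puts lint_sources(sources, mounts: ['files'], modules: ['filetest'])
end
```

Run as a script it prints one hint per source from the manifest above, each pointing at the `puppet:///modules/filetest/...` form; with `legacy_module_lookup: true` the same sources resolve under the modules mount and carry the deprecation note the 2.7 master printed.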

Related issues

Related to Puppet - Bug #15961: Too vague of a depreciation warning when using source wit... Accepted
Related to Puppet - Bug #7705: Overhauling authorization system internals and interface Accepted 04/07/2011

History

#1 Updated by Anonymous over 3 years ago

  • Description updated (diff)

#2 Updated by Anonymous over 3 years ago

(Originally reported to me by bosszaru on the IRC channel.)

#3 Updated by Anonymous over 3 years ago

  • Subject changed from Misleading error message after upgrading from 2.7 to 3.0 to Misleading error message "Not authorized to call find" after upgrading from 2.7 to 3.0

#4 Updated by Anonymous over 3 years ago

Reference: commit 4053722

#5 Updated by eric sorenson over 3 years ago

  • Status changed from Unreviewed to Investigating

Looking at this for 3.0.1.

#6 Updated by Anonymous over 3 years ago

Workaround

The current workaround to this issue is to remove the rules from fileserver.conf and instead implement authorization in auth.conf.

For example, if you had the following fileserver.conf in Puppet 2.7:

[files]
path    /etc/puppet/files
allow   10.101.0.0/24
allow   10.103.0.0/24  

Then you can work around this issue in Puppet 3.0.0 and 3.0.1 with the following fileserver.conf and auth.conf respectively: (Please note how the two file_metadata and file_content rules are before the path /file rule. First matching prefix wins out.)

fileserver.conf:

[files]
path    /etc/puppet/files
# Access control is managed in auth.conf now
allow *

auth.conf:

# This is an example auth.conf file, which implements the
# defaults used by the puppet master.
#
# The ACLs are evaluated in top-down order. More general
# stanzas should be towards the bottom of the file and more
# specific ones at the top, otherwise the general rules
# take precedence and later rules will not be evaluated.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
# by optional modifiers, and finally, a series of allow or deny
# directives. 
#
# Example Stanza
# ---------------------------------
# path /path/to/resource     # simple prefix match
# # path ~ regex             # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|backreference|*]
# deny [host|backreference|*]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular 
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
# 
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza
#
# Examples:
# path ~ ^/path/to/resource    # equivalent to `path /path/to/resource`
# allow *
#
# path ~ ^/catalog/([^/]+)$    # permit access only for the
# allow $1                     # node whose cert matches the path
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#

### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# JJM Lock down the "files" fileserver mount exported from fileserver.conf
# Remember, this file is parsed top to bottom and the first match "wins" so
# more specific rules need to be above more generalized rules.
# The following two rules mean the agent must possess a signed certificate and
# must be connecting from the 10.101.0.0/24 or 10.103.0.0/24 subnets.
path /file_metadata/files
auth yes
allow_ip 10.101.0.0/24
allow_ip 10.103.0.0/24

path /file_content/files
auth yes
allow_ip 10.101.0.0/24
allow_ip 10.103.0.0/24

# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else
path /
auth any

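The ordering the workaround insists on ("first matching prefix wins") is easy to get wrong, and a mis-ordered auth.conf fails open rather than closed. The Ruby below is an added example written for this page, not Puppet's authorization code and not the commenter's: a small model of auth.conf evaluation (prefix and regex paths, `auth`, `method`, `allow` with `$n` backreferences, `allow_ip` with CIDR ranges) run over the workaround's stanzas twice, once in the order given above and once with the general `/file` rule promoted above the mount-specific rules. The node names and client addresses are constructed, and the model assumes a simplification: a stanza whose path matches but whose `auth` or `method` qualifier does not fit the request is skipped rather than treated as a denial.

```ruby
require 'ipaddr'

# Constructed model of Puppet 3 auth.conf evaluation, written for this ticket;
# it is not Puppet's Puppet::Network::Rights code. Stanzas are tried top to
# bottom and the first one whose path matches decides, which is why the
# /file_metadata/files rules must sit above the general /file rule.
# Simplification assumed here: a matching path whose auth or method qualifier
# does not fit the request is skipped rather than denied.
Stanza  = Struct.new(:prefix, :regex, :auth, :http_methods, :allow, :allow_ip)
Request = Struct.new(:path, :method, :node, :ip, :authenticated)

def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip             # drop comments and blank lines
    next if line.empty?
    key, rest = line.split(/\s+/, 2)
    if key == 'path'
      regex = rest.start_with?('~') ? Regexp.new(rest.sub(/\A~\s*/, '')) : nil
      stanzas << Stanza.new(regex ? nil : rest, regex, 'yes', nil, [], [])
      next
    end
    s = stanzas.last or raise "directive '#{key}' before any path"
    values = rest.to_s.split(/\s*,\s*/)
    case key
    when 'auth', 'authenticated' then s.auth = rest
    when 'method'                then s.http_methods = values
    when 'allow'                 then s.allow.concat(values)
    when 'allow_ip'              then s.allow_ip.concat(values.map { |v| IPAddr.new(v == '*' ? '0.0.0.0/0' : v) })
    end
  end
  stanzas
end

def auth_matches?(stanza, req)
  return req.authenticated  if %w[yes on].include?(stanza.auth)
  return !req.authenticated if %w[no off].include?(stanza.auth)
  true                                          # 'any'
end

# allow entries: '*', an exact node name, or $n for a capture from a regex path
def name_allowed?(stanza, req, captures)
  stanza.allow.any? do |pattern|
    expanded = pattern.gsub(/\$(\d+)/) { captures[Regexp.last_match(1).to_i - 1].to_s }
    expanded == '*' || expanded == req.node
  end
end

# Returns [:allow or :deny, the stanza that decided]; first matching path wins.
def authorize(stanzas, req)
  stanzas.each do |s|
    captures = []
    if s.regex
      m = s.regex.match(req.path) or next
      captures = m.captures
    else
      next unless req.path.start_with?(s.prefix)
    end
    next unless auth_matches?(s, req)
    next if s.http_methods && !s.http_methods.include?(req.method)
    ip_ok = s.allow_ip.any? { |net| net.include?(IPAddr.new(req.ip)) }
    where = s.regex ? "path ~ #{s.regex.source}" : "path #{s.prefix}"
    return [(name_allowed?(s, req, captures) || ip_ok) ? :allow : :deny, where]
  end
  [:deny, 'no stanza matched']
end

# Constructed stanzas mirroring the workaround, assembled in both orders.
FILES_MOUNT = <<~'CONF'
  path /file_metadata/files
  auth yes
  allow_ip 10.101.0.0/24
  allow_ip 10.103.0.0/24

  path /file_content/files
  auth yes
  allow_ip 10.101.0.0/24
  allow_ip 10.103.0.0/24
CONF
CATALOG      = "path ~ ^/catalog/([^/]+)$\nmethod find\nallow $1\n"
ALL_FILES    = "path /file\nallow *\n"
DEFAULT_DENY = "path /\nauth any\n"
CORRECT_ORDER = CATALOG + FILES_MOUNT + ALL_FILES + DEFAULT_DENY   # as in the ticket
WRONG_ORDER   = CATALOG + ALL_FILES + FILES_MOUNT + DEFAULT_DENY   # /file rule promoted

def decision(conf, path, method: 'find', node: 'web1.example.com', ip: '10.101.0.7', authenticated: true)
  authorize(parse_auth_conf(conf), Request.new(path, method, node, ip, authenticated)).first
end

if __FILE__ == $PROGRAM_NAME
  { 'specific rules first' => CORRECT_ORDER, '/file rule first' => WRONG_ORDER }.each do |label, conf|
    puts "#{label}: node outside the allowed subnets reading the files mount -> #{decision(conf, '/file_metadata/files/sshd_config', ip: '172.16.9.9')}"
  end
end
```

With the stanzas in the ticket's order, an authenticated node outside the two subnets asking for anything under the `files` mount is denied by the `/file_metadata/files` stanza; with the `/file` rule promoted, the same request is allowed by `allow *` before the mount-specific stanza is ever consulted, while module files under `/file_content/modules/...` and a node's own catalog behave the same in both orders.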

#7 Updated by Anonymous over 3 years ago

  • Target version changed from 3.0.x to 3.x

As the 3.0.x line is winding down with the impending release of 3.1.0, I am removing the target at 3.0.x from tickets in the system and targeting them at 3.x instead.
