That's not an error from Puppet Server's HTTP auth.conf, it's an error from Puppet's old auth.conf or its fileserver.conf. Note the "Not authorized to call *find* on ..." Puppet Server's auth handles HTTP verbs like GET, Puppet's indirector auth translates those to verbs like FIND or SEARCH.
>From that endpoint I would assume you have a custom mountpoint called "files" with an incorrect allow statement. Is that correct? See for details https://puppet.com/docs/puppet/6.4/file_serving.html If that's true hopefully that page will help you correct the auth syntax, though my suggestion would be to follow Alessandro's advice and update your file structure to be able to put those files into a module and use the module syntax, or put them on an http server and use regular http endpoints, or, if you can use 6.x and need to secure the contents with a key, use a client side function. HTH, Justin On Tue, May 28, 2019 at 8:48 AM Chris Phillips <clk...@gmail.com> wrote: > I thought the same and have tried that to no avail. I believe its because > we are storing the files outside of the standard modules directory ie > /etc/puppetlabs/code where as we are using /etc/puppetlabs/example/code. > > Thanks, > Chris > > On May 28, 2019, at 6:03 AM, Alessandro Franceschi <a...@lab42.it> wrote: > > In the file resource which manages /etc/bashrc you have probably a > parameter like: > *source => puppet:///files/etcbashrc* > > that should be something like: > > *source => puppet:///modules/$MODULENAME/etcbashrc* > > this implies that your source etcbashrc file is in a module called > $MODULENAME in the files/etcbashrc location (note that you don't have to > specify "files" in the source param. > > For details: > > https://puppet.com/docs/puppet/6.4/modules_fundamentals.html#files-in-modules > > On Thursday, May 23, 2019 at 10:13:38 PM UTC+2, Chris Phillips wrote: >> >> I am using Puppet v5.5.13 and am receiving the following error. Any help >> would be appreciated. >> >> *Error: /Stage[main]/Profiles::Base/File[/etc/bashrc]: Could not >> evaluate: Could not retrieve file metadata for puppet:///files/etcbashrc: >> Error 500 on SERVER: Server Error: Not authorized to call find on >> /file_metadata/files/etcbashrc with {:rest=>"files/etcbashrc", >> :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}* >> >> >> *My auth.conf looks like:* >> >> >> authorization: { >> >> version: 1 >> >> allow-header-cert-info: false >> >> rules: [ >> >> { >> >> # Allow file metadata >> >> match-request: { >> >> path: "^/file_(metadata|content)/files/" >> >> type: regex >> >> } >> >> allow: "*" >> >> sort-order: 400 >> >> name: "access to all file metadata" >> >> }, >> >> { >> >> # Allow any file access >> >> match-request: { >> >> path: "^/puppet/v3/file_(content|metadata)s?/files" >> >> type: regex >> >> method: [get, post] >> >> } >> >> allow: "*" >> >> sort-order: 400 >> >> name: "access to all files" >> >> }, >> >> { >> >> # Allow nodes to retrieve their own catalog >> >> match-request: { >> >> path: "^/puppet/v3/catalog/([^/]+)$" >> >> type: regex >> >> method: [get, post] >> >> } >> >> allow: ["$1"] >> >> sort-order: 500 >> >> name: "puppetlabs catalog" >> >> }, >> >> { >> >> # Allow nodes to retrieve the certificate they requested >> earlier >> >> match-request: { >> >> path: "/puppet-ca/v1/certificate/" >> >> type: path >> >> method: get >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs certificate" >> >> }, >> >> { >> >> # Allow all nodes to access the certificate revocation list >> >> match-request: { >> >> path: "/puppet-ca/v1/certificate_revocation_list/ca" >> >> type: path >> >> method: get >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs crl" >> >> }, >> >> { >> >> # Allow nodes to request a new certificate >> >> match-request: { >> >> path: "/puppet-ca/v1/certificate_request" >> >> type: path >> >> method: [get, put] >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs csr" >> >> }, >> >> { >> >> # Allow the CA CLI to access the certificate_status endpoint >> >> match-request: { >> >> path: "/puppet-ca/v1/certificate_status" >> >> type: path >> >> method: [get, put, delete] >> >> } >> >> allow: [ >> >> "localhost", >> >> "example.com", >> >> { >> >> extensions: { >> >> pp_cli_auth: "true" >> >> } >> >> } >> >> ] >> >> sort-order: 500 >> >> name: "puppetlabs cert status" >> >> }, >> >> { >> >> # Allow the CA CLI to access the certificate_statuses >> endpoint >> >> match-request: { >> >> path: "/puppet-ca/v1/certificate_statuses" >> >> type: path >> >> method: get >> >> } >> >> allow: [ >> >> "localhost", >> >> "example.com", >> >> { >> >> extensions: { >> >> pp_cli_auth: "true" >> >> } >> >> } >> >> ] >> >> sort-order: 500 >> >> name: "puppetlabs cert statuses" >> >> }, >> >> { >> >> # Allow unauthenticated access to the status service endpoint >> >> match-request: { >> >> path: "/status/v1/services" >> >> type: path >> >> method: get >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs status service - full" >> >> }, >> >> { >> >> match-request: { >> >> path: "/status/v1/simple" >> >> type: path >> >> method: get >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs status service - simple" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet-admin-api/v1/environment-cache" >> >> type: path >> >> method: delete >> >> } >> >> allow: [ >> >> "localhost", >> >> "example.com", >> >> ] >> >> sort-order: 200 >> >> name: "environment-cache" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet-admin-api/v1/jruby-pool" >> >> type: path >> >> method: delete >> >> } >> >> allow: [ >> >> "localhost", >> >> "example.com", >> >> ] >> >> sort-order: 200 >> >> name: "jruby-pool" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/v3/environments" >> >> type: path >> >> method: get >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppetlabs environments" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/v3/environment_classes" >> >> type: path >> >> method: get >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppetlabs environment classes" >> >> }, >> >> { >> >> # Allow nodes to access all file_bucket_files. Note that >> access for >> >> # the 'delete' method is forbidden by Puppet regardless of >> the >> >> # configuration of this rule. >> >> match-request: { >> >> path: "/puppet/v3/file_bucket_file" >> >> type: path >> >> method: [get, head, post, put] >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppetlabs file bucket file" >> >> }, >> >> { >> >> # Allow nodes to access all file_content. Note that access >> for the >> >> # 'delete' method is forbidden by Puppet regardless of the >> >> # configuration of this rule. >> >> match-request: { >> >> path: "/puppet/v3/file_content" >> >> type: path >> >> method: [get, post] >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppetlabs file content" >> >> }, >> >> { >> >> # Allow nodes to access all file_metadata. Note that access >> for the >> >> # 'delete' method is forbidden by Puppet regardless of the >> >> # configuration of this rule. >> >> match-request: { >> >> path: "/puppet/v3/file_metadata" >> >> type: path >> >> method: [get, post] >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppetlabs file metadata" >> >> }, >> >> { >> >> # Allow nodes to access all file_content. Note that access >> for the >> >> # 'delete' method is forbidden by Puppet regardless of the >> >> # configuration of this rule. >> >> match-request: { >> >> path: "/puppet/v3/files/" >> >> type: path >> >> method: [get, post] >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppet file content" >> >> }, >> >> { >> >> # Allow nodes to access all file_content. Note that access >> for the >> >> # 'delete' method is forbidden by Puppet regardless of the >> >> # configuration of this rule. >> >> match-request: { >> >> path: "/files/" >> >> type: path >> >> method: [get, post] >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppets file content" >> >> }, >> >> { >> >> # Allow nodes to retrieve only their own node definition >> >> match-request: { >> >> path: "^/puppet/v3/node/([^/]+)$" >> >> type: regex >> >> method: get >> >> } >> >> allow: "$1" >> >> sort-order: 500 >> >> name: "puppetlabs node" >> >> }, >> >> { >> >> # Allow nodes to store only their own reports >> >> match-request: { >> >> path: "^/puppet/v3/report/([^/]+)$" >> >> type: regex >> >> method: put >> >> } >> >> allow: "$1" >> >> sort-order: 500 >> >> name: "puppetlabs report" >> >> }, >> >> { >> >> # Allow nodes to update their own facts >> >> match-request: { >> >> path: "^/puppet/v3/facts/([^/]+)$" >> >> type: regex >> >> method: put >> >> } >> >> allow: "$1" >> >> sort-order: 500 >> >> name: "puppetlabs facts" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/v3/status" >> >> type: path >> >> method: get >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs status" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/v3/static_file_content" >> >> type: path >> >> method: get >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppetlabs static file content" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/v3/tasks" >> >> type: path >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppet tasks information" >> >> }, >> >> { >> >> # Allow all users access to the experimental endpoint >> >> # which currently only provides a dashboard web ui. >> >> match-request: { >> >> path: "/puppet/experimental" >> >> type: path >> >> } >> >> allow-unauthenticated: true >> >> sort-order: 500 >> >> name: "puppetlabs experimental" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/files" >> >> type: path >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppet" >> >> }, >> >> { >> >> match-request: { >> >> path: "/puppet/file_metadata" >> >> type: path >> >> } >> >> allow: "*" >> >> sort-order: 500 >> >> name: "puppet_metadata" >> >> } >> >> ] >> >> } >> >> >> If anything is needed to help troubleshoot let me know and I will be >> happy to post. >> > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/760b932c-47e0-43aa-9e78-318646baa57b%40googlegroups.com > <https://groups.google.com/d/msgid/puppet-users/760b932c-47e0-43aa-9e78-318646baa57b%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/4F69F537-AC9F-4BA5-A954-567473C142BD%40gmail.com > <https://groups.google.com/d/msgid/puppet-users/4F69F537-AC9F-4BA5-A954-567473C142BD%40gmail.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUBDuVfy7gzV6CFVzu2FG0u5yQuvqL6Nhn6js%2BRYtxduA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
