Puppet 2.6, filebucket permissions.

Just a little snippet. I'm working with Puppet and Foreman, and I'm working through the Pro Puppet book from Apress. In the first section, they have me create a sudo module, which will pull /etc/sudoers from a puppet file bucket and put it in place on the agent. I was running into the following error.

[root@kstest DEV ~]# puppet agent --test
info: Caching catalog for kstest.dev.
info: Applying configuration version '1377612144'
err: /File[/etc/sudoers]: Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/common/sudo/etc/sudoers Could not retrieve file metadata for puppet://masterofpuppet.dev/files/common/sudo/etc/sudoers: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/common/sudo/etc/sudoers at 

notice: Finished catalog run in 0.40 seconds

I did a little digging online, and found two things.

1. I needed to allow access in /etc/puppet/fileserver.conf. It ended up like this:

  [files]
  path /var/lib/puppet/files
  allow *

Which is wide open; I'll be reining that in later.

However, there was a second piece to the puzzle, and that's in the file_metadata path above. I found a thread on the puppet-users mailing list regarding the problem. It came down to adding another block to /etc/puppet/auth.conf that looks like this:

path ~ ^/file_(metadata|content)/files/
auth yes

I added this right below the definition for the path /file, so it looks like this:

# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

path ~ ^/file_(metadata|content)/files/
auth yes

I also ended up resetting permissions on /var/lib/puppet/files to puppet:puppet.

This did the trick! No restart of puppetmasterd required btw, it must be read on the fly.
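
Since the fileserver.conf mount above ends up with "allow *", here is a small audit script that parses a fileserver.conf and lists every mount still carrying a bare wildcard allow. It is an added example, not part of the original post or of Puppet itself; the [private] mount, its path, the *.dev pattern and badhost.dev in the sample are constructed assumptions.

```python
import re
import sys

# Constructed sample: the mount from this post beside a restricted one.
# The [private] mount, its path and the *.dev pattern are assumptions.
SAMPLE = """\
# constructed fileserver.conf
[files]
  path /var/lib/puppet/files
  allow *

[private]
  path /var/lib/puppet/private
  allow *.dev
  deny  badhost.dev
"""

def parse_fileserver_conf(text):
    """Return {mount: {"path": str or None, "allow": [...], "deny": [...]}}."""
    mounts, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            current = mounts.setdefault(
                section.group(1), {"path": None, "allow": [], "deny": []})
            continue
        if current is None:
            raise ValueError("line %d: directive outside a [mount] section" % lineno)
        parts = line.split(None, 1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if key == "path":
            current["path"] = value
        elif key in ("allow", "deny"):
            # Tolerate several comma-separated patterns on one line.
            current[key] += [p.strip() for p in value.split(",") if p.strip()]
    return mounts

def wide_open_mounts(mounts):
    """Return sorted (mount, path) pairs whose allow list has a bare '*'."""
    return sorted((name, m["path"]) for name, m in mounts.items() if "*" in m["allow"])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, path in wide_open_mounts(parse_fileserver_conf(text)):
        print("WIDE OPEN: [%s] -> %s (allow *)" % (name, path))
```

Run it with the path to a fileserver.conf as the only argument; with no argument it checks the embedded sample.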