Bug #2424

File server can't find module in environment

Added by Brice Figureau about 1 year ago. Updated 4 months ago.

Status: Closed
Start: 07/18/2009
Priority: High
Due date:
Assignee: Brice Figureau
% Done: 0%
Category: fileserving
Target version: 0.25.0
Affected version: 0.25.0beta2
Branch:
Keywords: "file serving" environment modules
Votes: 0

Description

Credits go to Nigel for finding and explaining this bug.

With a completely new environment:

/tmp/manifests/site.pp:

node mynode {
  include base
}

/tmp/modules/base/files/myfile.txt:

content here

/tmp/modules/base/manifests/init.pp:

class base {
  file { "/tmp/myfile.txt": source => "puppet:///base/myfile.txt" }
}

config:


[puppetmasterd]
environments=testing,production
manifestdir=/tmp/manifests/

[testing]
modulepath=/tmp/modules

The run produces this error:

/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:283:in `check_authorization'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:299:in `prepare'
/Users/brice/devl/puppet/lib/puppet/indirector/indirection.rb:186:in `find'
/Users/brice/devl/puppet/lib/puppet/indirector.rb:51:in `find'
/Users/brice/devl/puppet/lib/puppet/network/http/handler.rb:97:in `do_find'
/Users/brice/devl/puppet/lib/puppet/network/http/handler.rb:66:in `send'
/Users/brice/devl/puppet/lib/puppet/network/http/handler.rb:66:in `process'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick/rest.rb:23:in `service'
/opt/local/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/opt/local/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/opt/local/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/opt/local/lib/ruby/1.8/webrick/server.rb:162:in `start'
/opt/local/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/opt/local/lib/ruby/1.8/webrick/server.rb:95:in `start'
/opt/local/lib/ruby/1.8/webrick/server.rb:92:in `each'
/opt/local/lib/ruby/1.8/webrick/server.rb:92:in `start'
/opt/local/lib/ruby/1.8/webrick/server.rb:23:in `start'
/opt/local/lib/ruby/1.8/webrick/server.rb:82:in `start'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick.rb:40:in `listen'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick.rb:40:in `initialize'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick.rb:40:in `new'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick.rb:40:in `listen'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick.rb:37:in `synchronize'
/Users/brice/devl/puppet/lib/puppet/network/http/webrick.rb:37:in `listen'
/Users/brice/devl/puppet/lib/puppet/network/server.rb:131:in `listen'
/Users/brice/devl/puppet/lib/puppet/network/server.rb:146:in `start'
/Users/brice/devl/puppet/lib/puppet/daemon.rb:128:in `start'
/Users/brice/devl/puppet/lib/puppet/application/puppetmasterd.rb:96:in `main'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `send'
/Users/brice/devl/puppet/lib/puppet/application.rb:226:in `run_command'
/Users/brice/devl/puppet/lib/puppet/application.rb:217:in `run'
sbin/puppetmasterd:66
err: Not authorized to call find on /file_metadata/test/myfile.txt

Explanation of the issue:

  • When the web server gets the request, it creates an indirection request, filling attributes like ip or node from the HTTP request. To do this, all the interesting attributes are given in a hash (called options, see P::I::Request#new). Once the request is properly initialized, the options hash doesn’t contain the ip or node information.
  • The request is transmitted to the file_serving layer, which happily wants to use the node attribute to find environments. Unfortunately, it fetches the node value from the request options, not the request itself (it even propagates the options hash all around the mounts). Since this node information is empty, puppet fails to find the proper mount point, and fails.

Possible solutions:

  • In P::I::Request#set_attribute, do not remove the attr from the hash. Instant reward: it fixes everything with a one-liner (OK, there’s another one-liner to change :ipaddress to :ip in P::I::FileServer)

or

  • Fix all the file_serving sub-system to transmit the whole request instead of only its “options”. This seems to me to be the best, except it might break the compatibility with the xmlrpc file serving?
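The mechanism described above, reduced to a small Ruby model. This is an added example, not Puppet's code and not part of the original report: the class, method and constant names are hypothetical, and the node-to-environment mapping is constructed to mirror the reproduction case.

```ruby
# Simplified model of the bug described above. Class, method and constant
# names are hypothetical and are not Puppet's code.
class ModelRequest
  ATTRIBUTES = [:ip, :node].freeze
  attr_reader :ip, :node, :options

  # keep_in_options: false models the reported behaviour (attributes are moved
  # out of the hash); true models the first proposed fix.
  def initialize(options, keep_in_options: false)
    @options = options.dup
    ATTRIBUTES.each do |attr|
      next unless @options.key?(attr)
      instance_variable_set("@#{attr}", @options[attr])
      @options.delete(attr) unless keep_in_options
    end
  end
end

# Constructed data mirroring the report: mynode is in "testing", whose
# modulepath is /tmp/modules.
NODE_ENVIRONMENT = { "mynode" => "testing" }.freeze
MODULEPATH = { "testing" => "/tmp/modules" }.freeze

# Map node -> environment -> modulepath; nil means "no mount found".
def resolve(node, mod, path)
  base = MODULEPATH[NODE_ENVIRONMENT[node]]
  base && File.join(base, mod, "files", path)
end

# Reported behaviour: the file-serving side reads node from the options hash.
def find_from_options(request, mod, path)
  resolve(request.options[:node], mod, path)
end

# Second proposed fix: pass the whole request and read its attribute.
def find_from_request(request, mod, path)
  resolve(request.node, mod, path)
end

if __FILE__ == $PROGRAM_NAME
  req = ModelRequest.new({ node: "mynode", ip: "192.0.2.10" })
  p find_from_options(req, "base", "myfile.txt")   # lookup via options hash
  p find_from_request(req, "base", "myfile.txt")   # lookup via request attribute
end
```

Any caller-identity field that an authorization or lookup path needs should be read from the one place that is guaranteed to hold it after request construction; here that is the request object, not the residual hash.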

Related issues

  • Related to Puppet - Bug #2583: 400 error on server occurs (Rejected, 09/02/2009)
  • Related to Puppet - Bug #3092: No entries means no security? (Accepted, 01/20/2010)

Associated revisions

Revision 6b254ebc606b128cbf4d778023da3c4cc396fe29
Added by Brice Figureau 10 months ago

Fix #2753 – Do not “global allow” plugins/modules mount if some rules have been parsed

When fixing #2424, we were adding a global allow (i.e. allow(*)) to the plugins/modules mount. Unfortunately global allow always wins against any other rules that can be defined in fileserver.conf.

This patch makes sure we add those global allow entries only if we didn’t get any rules from fileserver.conf.

Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
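The authorization effect this commit message describes, as a small Ruby model. This is an added example, not the patch and not Puppet's code: the class and method names are hypothetical, and the deny-before-allow ordering and the `*.domain` pattern matching are simplifying assumptions.

```ruby
# Simplified model of mount authorization as the commit message describes it.
# Class and method names are hypothetical and are not Puppet's code.
class ModelMount
  def initialize
    @allow = []
    @deny = []
  end

  def allow(pattern)
    @allow << pattern
    self
  end

  def deny(pattern)
    @deny << pattern
    self
  end

  def rules?
    !(@allow.empty? && @deny.empty?)
  end

  # "*" is the global allow: when present it wins over every other rule.
  def allowed?(host)
    return true if @allow.include?("*")
    return false if @deny.any? { |p| match?(p, host) }
    @allow.any? { |p| match?(p, host) }
  end

  private

  # "*.example.com" matches any host under that domain; otherwise exact match.
  def match?(pattern, host)
    pattern.start_with?("*.") ? host.end_with?(pattern[1..-1]) : pattern == host
  end
end

# Behaviour introduced with the #2424 fix: always add allow(*).
def finalize_always(mount)
  mount.allow("*")
end

# Behaviour after the #2753 fix: add allow(*) only when no rules were parsed.
def finalize_if_no_rules(mount)
  mount.rules? ? mount : mount.allow("*")
end
```

With `finalize_always`, a mount restricted to `*.example.com` still answers every host; with `finalize_if_no_rules` the restriction holds, but a mount with no entries at all remains open to every host, so an explicit rule is needed wherever the modules mount should be restricted.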

History

Updated by Brice Figureau about 1 year ago

  • Status changed from Needs design decision to Ready for Testing
  • Assignee changed from Luke Kanies to Brice Figureau

Finally I implemented what I think is the best solution.

The patch is pending review on puppet-dev, and is also available from tickets/master/2424 in my github repo: http://github.com/masterzen/puppet/tree/tickets/master/2424

Updated by James Turnbull about 1 year ago

  • Status changed from Ready for Testing to Closed

Pushed in commit 8bbd8b4bb295fee7ad99f6137c9851528f1729cc in branch master.

Updated by James Turnbull about 1 year ago

The [modules] mount is now auto-created with appropriate authorisation.

Pushed in commit 17205bb4e5d246f7a47b995826927a38b83fb3d0 in branch master.
