Ask Your Question
0

"Error 400 on SERVER: Not authorized to call search on /file_metadata/pe_modules" when pointing Puppet agent on Compile Master to loadbalanced address

asked 2016-07-23 08:42:13 -0500

gd gravatar image
Hello, I've just setup a split installation environment (2016.1) with additional Compile Masters, which are behind a loadbalanced address.
Having initially setup the infrastructure by pointing each agent at the original master (now my MoM), I wanted to repoint the agents on the infra servers to the new loadbalanced compile master address.  

However when attempting to do so on my new Compile Masters, I get the errors below. 
I think that my problem is that because these CMs are not setup as fileservers the web calls for module metadata are not understood, but it isn't overly clear so I'm hoping someone can help make sense of what I'm looking at:

(here I am running puppet agent locally on cm1.example.com, and pointing it at cm2.example.com).

# puppet agent --server=cm2.example.com -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for cm1.example.com
Info: Applying configuration version '1469257118'
Error: /Stage[main]/Puppet_enterprise::Profile::Master/File[/opt/puppetlabs/server/share/puppet_enterprise/pe_modules]: Failed to generate additional resources using 'eval_generate': Error 400 on SERVER: Not authorized to call search on /file_metadata/pe_modules with {:rest=>"pe_modules", :links=>"manage", :recurse=>true, :source_permissions=>"ignore", :checksum_type=>"md5"}
Error: /Stage[main]/Puppet_enterprise::Profile::Master/File[/opt/puppetlabs/server/share/puppet_enterprise/pe_modules]: Could not evaluate: Could not retrieve file metadata for puppet:///pe_modules: Error 400 on SERVER: Not authorized to call find on /file_metadata/pe_modules with {:rest=>"pe_modules", :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}
Notice: /Stage[main]/Puppet_enterprise::Profile::Master/File[/opt/puppetlabs/server/share/puppet_enterprise/pe_modules/install.sh]: Dependency File[/opt/puppetlabs/server/share/puppet_enterprise/pe_modules] has failures: true
Warning: /Stage[main]/Puppet_enterprise::Profile::Master/File[/opt/puppetlabs/server/share/puppet_enterprise/pe_modules/install.sh]: Skipping because of failed dependencies
Notice: /Stage[main]/Puppet_enterprise::Profile::Master/Exec[Extract PE Modules]: Dependency File[/opt/puppetlabs/server/share/puppet_enterprise/pe_modules] has failures: true
Warning: /Stage[main]/Puppet_enterprise::Profile::Master/Exec[Extract PE Modules]: Skipping because of failed dependencies
Notice: Applied catalog in 6.48 seconds

On cm2 I see these in the puppetserver.log:
2016-07-23 08:55:27,429 ERROR [qtp609620733-294] [puppet-server] Puppet Not authorized to call find on /file_metadata/pe_modules with {:rest=>"pe_modules", :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:308:in `check_authorization'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:324:in `prepare'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:184:in `find'

And matching errors in puppetserver-access.log:
[IP address] - - [23/Jul/2016:08:55:25 +0000] "GET /puppet/v3/file_metadata/modules/pe_repo/GPG-KEY-puppetlabs?environment=production&links=manage&checksum_type=md5&source_permissions=ignore HTTP/1.1" 200 259 "-" "Ruby" 13
[IP address] - - [23/Jul/2016:08:55:27 +0000] "GET /puppet/v3/file_metadatas/pe_modules?environment=production&links=manage&recurse=true&source_permissions=ignore&checksum_type=md5 HTTP/1.1" 400 173 "-" "Ruby" 16  <<-- here
[IP address] - - [23/Jul/2016:08:55:27 +0000] "GET /puppet/v3/file_metadata/pe_modules ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2016-07-25 05:01:59 -0500

Kevin Corcoran gravatar image

I wanted to repoint the agents on the infra servers to the new loadbalanced compile master address.

Why? As far as I know, agents on the infra nodes need to run against the MoM for PE to work. I wouldn't be surprised if this was an unsupported use-case and perhaps even something that just won't work.

edit flag offensive delete link more

Comments

Hi Kevin - thanks for having a look. I did wonder the same thing, but wasn't able to find a definitive statement either way. Mostly it was for completeness, and it kind of felt like it 'should' work, but happy to stand corrected! As you say, seems to be necessary so will leave as it is. Thanks.

gd gravatar imagegd ( 2016-07-28 01:22:27 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2016-07-23 08:42:13 -0500

Seen: 246 times

Last updated: Jul 25 '16