Groups
endpoints
The groups
endpoints create, read, update, and delete
groups.
Each group belongs to an environment, applies classes (which can have class parameters) to nodes within the group, and match nodes based on the group's rules. Because groups are central to the classification process, there is a lot you can do with this endpoint.
GET /v1/groups
Retrieves a list of all node groups in the node classifier.
Request format
cert="$(puppet config print hostcert)"
cacert="$(puppet config print localcacert)"
key="$(puppet config print hostprivkey)"
uri="https://$(puppet config print server):4433/classifier-api/v1/groups"
curl --header "$type_header" --cert "$cert" --cacert "$cacert" --key "$key" "$uri"
auth_header="X-Authentication: $(puppet-access show)"
uri="https://$(puppet config print server):4433/classifier-api/v1/groups"
curl --silent --header "$auth_header" "$uri" | jq -M -r '.[] | "\(.name) \(.id)"'
GET /v1/groups
request:All Nodes 00000000-0000-4000-8000-000000000000
PE Master 07002034-c20f-44de-97d2-f72d03e481fb
Development one-time run exception 124a11d8-b912-45f0-9a6d-5ddd81aaa0ed
PE PuppetDB 289f176b-1c30-4e85-ad07-131e55f29354
PE Database 28b78e75-3b7e-464e-8f02-29a80b88fe02
Development environment 388f2eea-2f91-4ed7-8f84-93d8bf115ec5
PE Orchestrator 3f490039-395f-4c87-8dfb-f72d03e481fb
Production environment 43d438de-78da-4186-9405-e3f743989a5c
All Environments 6a10e0eb-ab6b-4ba7-b637-28fdf91ed659
PE Compiler 9cab6f77-f0cf-4c0e-b2ce-6aa6a2489c71
PE Infrastructure 9cd74d7e-6fb7-4d17-9cd8-e3f743989a5c
PE Patch Management aae9e4cd-fed5-4f07-8149-98a699a3b692
PE Certificate Authority d4065370-0cab-43cf-a4fa-93d8bf115ec5
PE Agent d4cf6659-6fc8-4419-b2a2-28fdf91jh9607
PE Console de97e269-4a9e-4f3d-a931-39993b0ef3f6
PE Infrastructure Agent e46543a6-61c6-49f2-865f-28fdf91ed659
Response format
Key | Definition |
---|---|
name |
The name of the node group, as a string. |
id |
The node group's ID, which is a string containing a type-4
(random) UUID. The regular expression used to validate node group UUIDs is |
description |
An optional key containing an arbitrary string describing the node group. |
environment |
The name of the node group's environment, as a string. This indirectly defines which classes are available to declare on the node group, and this is the environment that nodes in this node group run in. |
environment_trumps |
This is a Boolean that
changes the response to conflicting environment classifications. By default, if a node
belongs to multiple groups with different environments, a
classification-conflict error is returned. If the |
parent |
The ID of the node group's parent, as a string. The only node group
without a parent is the All Nodes group, which is the root of the
node group hierarchy. The root group, All Nodes, always has the
lowest-possible random UUID, which is:
|
rule |
A Boolean condition on node properties. When a node's properties satisfy this condition, it's classified into the node group. |
classes |
An object that defines both the classes consumed by nodes in this node group and any non-default values for their parameters. The keys of the object are the class names, and the values are objects describing the parameters. The parameter objects' keys are parameter names, and the values are what the node group sets for that parameter, which is always a string. |
config_data |
An object similar to the classes
object that specifies parameters that are applied to classes if the class
is assigned in the classifier or in Puppet
code. The keys of the object are the class names, and the values are
objects describing the parameters. The parameter objects’ keys are
parameter names, and the values are what the group sets for that
parameter, which is always a string. This feature is enabled or disabled
through the classifier::allow-config-data setting. When
set to false , this key is
omitted. |
deleted |
An object similar
to the |
variables |
An object that defines the values of any top-level variables set by the node group. The object is a mapping between variable names and their values (which can be any JSON value). |
last_edited |
The most recent time at which a
user committed changes to a node group. This is a time stamp in ISO 8601 format, |
serial_number |
A number assigned to a node group. This number is incremented each
time changes to a group are committed. |
{
"environment_trumps": false,
"parent": "00000000-0000-4000-8000-000000000000",
"name": "My Nodes",
"variables": {},
"id": "085e2797-32f3-4920-9412-8e9decf4ef65",
"environment": "production",
"classes": {}
}
{
"name": "Webservers",
"id": "fc500c43-5065-469b-91fc-37ed0e500e81",
"last_edited": "2018-02-20T02:36:17.776Z",
"serial_number": 16,
"environment": "production",
"description": "This group captures configuration relevant to all web-facing production webservers, regardless of location.",
"parent": "00000000-0000-4000-8000-000000000000",
"rule": ["and", ["~", ["trusted", "certname"], "www"],
[">=", ["fact", "total_ram"], "512"]],
"classes": {
"apache": {
"serveradmin": "bofh@travaglia.net",
"keepalive_timeout": "5"
}
},
"config_data": {
"puppet_enterprise::profile::console": {"certname": "console.example.com"},
"puppet_enterprise::profile::puppetdb": {"listen_address": "0.0.0.0"}
},
"variables": {
"ntp_servers": ["0.us.pool.ntp.org", "1.us.pool.ntp.org", "2.us.pool.ntp.org"]
}
}
{
"name": "Spaceship",
"id": "fc500c43-5065-469b-91fc-37ed0e500e81",
"last_edited": "2018-03-13T21:37:03.608Z",
"serial_number": 42,
"environment": "space",
"parent": "00000000-0000-4000-8000-000000000000",
"rule": ["=", ["fact", "is_spaceship"], "true"],
"classes": {
"payload": {
"type": "cubesat",
"count": "8",
"mass": "10.64"
},
"rocket": {
"stages": "3"
}
},
"deleted": {
"payload": {"puppetlabs.classifier/deleted": true},
"rocket": {
"puppetlabs.classifier/deleted": false,
"stages": {
"puppetlabs.classifier/deleted": true,
"value": "3"
}
}
},
"variables": {}
}
In the above example, the entire payload
class has been
deleted, because the puppetlabs.classifier/deleted
key maps to
true
. This is in contrast to the rocket
class,
which has had only its stages
parameter deleted.POST /v1/groups
Create a node group with a randomly-generated ID.
Request format
Key | Definition |
---|---|
name |
The name of the node group, as a string. |
environment |
The
name of the node group's environment. This is optional. If omitted, the default value is
|
environment_trumps |
When a node belongs to two or more groups, this Boolean indicates whether this node
group's environment overrides environments defined by other node groups. This is
optional. If omitted, the default value is |
description |
A string describing the node group. This is optional. If omitted, the node group has no description. |
parent |
The ID of the node group's parent. This is required. |
rule |
The condition that must be satisfied for a node to be classified into this node group. For rule formatting assistance, refer to Forming node classifier API requests. |
variables |
An optional object that defines the names and values
of any top-level variables set by the node group. Supply key-value pairs of variable
names and corresponding variable values. Variable values can be any type of JSON value.
The |
classes |
A required object that
defines the classes to be used by nodes in the node group. The |
config_data |
An optional object that defines the class parameters
to be used by nodes in the group. Its structure is the same as the
classes object. No configuration data
is stored if you supply a config_data object that only
contains a class name, such as "config_data":
{"qux":{}} .
Note: This feature is enabled by the
classifier::allow-config-data setting. When set to
false , supplying the config_data object triggers a
400 response. |
type_header='Content-Type: application/json'
cert="$(puppet config print hostcert)"
cacert="$(puppet config print localcacert)"
key="$(puppet config print hostprivkey)"
uri="https://$(puppet config print server):4433/classifier-api/v1/groups"
data='{ "name": "My Nodes",
"parent": "00000000-0000-4000-8000-000000000000",
"environment": "production",
"classes": {}
}'
curl --header "$type_header" --cert "$cert" --cacert "$cacert" --key "$key" --request POST "$uri" --data "$data"
Response format
If the node group was successfully created, the service returns a 303 See Other response with a URI path you can use with the GET /v1/groups/<id> endpoint to retrieve data for the new node group.
Error responses
kind
key. There are several errors you might
encounter with the POST /v1/groups
endpoint:Response code | Message | Description |
---|---|---|
400 Bad Request | schema-violation |
Required keys are missing or the value of any supplied key does not match the required type. |
400 Bad Request | malformed-request |
The request's body could not be parsed as JSON. |
422 Unprocessable Entity | uniqueness-violation |
The request content violates uniqueness constraints. For example, each node group name must be unique within distinct environments. The error response describes the invalid field. |
422 Unprocessable Entity | missing-referents |
Classes or class parameters declared on the node group do not exist
in the specified environment. The error response lists the missing
classes or parameters. The details
contains an array of objects, where each object uses these keys to
describe a single missing referent:
|
422 Unprocessable Entity | missing-parent |
The specified parent node group does not exist. |
422 Unprocessable Entity | inheritance-cycle |
The request causes an inheritance cycle. The error response contains a description of the cycle, including a list of the node group names, where each node group is followed by its parent until the first node group is repeated. |
GET /v1/groups/<id>
Retrieve a specific node group.
Request format
GET https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65
You can also include the inherited query parameter in the request. If this parameter is set to any value besides 0 or false, the response includes the classes, class parameters, configuration data, and variables that each group inherits from its ancestor groups.
Response format
The successful response is the same as the GET /v1/groups endpoint, except that the response describes only a single node group, rather than all node groups.
Error responses
If there is an error, Node classifier API errors provide error information in the
kind
key.
If the endpoint can't find a node group with the specified ID, the server returns a
404 Not Found or malformed-UUID
response.
PUT /v1/groups/<id>
Create a node group with a specific ID.
Request format
When Forming node classifier API requests to this endpoint, the URI path must
contain the ID you want to assign to the new group. The ID must be a valid type-4
(random) UUID. The regular expression used to validate node group UUIDs is [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
.
It is possible to overwrite an existing node group with a new node group definition that contains deleted classes or parameters.
Key | Definition |
---|---|
name |
The name of the node group, as a string. |
environment |
The
name of the node group's environment. This is optional. If omitted, the default value is
|
environment_trumps |
When a node belongs to two or more groups, this Boolean indicates whether this node
group's environment overrides environments defined by other node groups. This is
optional. If omitted, the default value is |
description |
A string describing the node group. This is optional. If omitted, the node group has no description. |
parent |
The ID of the node group's parent. This is required. |
rule |
The condition that must be satisfied for a node to be classified into this node group. For rule formatting assistance, refer to Forming node classifier API requests. |
variables |
An optional object that defines the names and values
of any top-level variables set by the node group. Supply key-value pairs of variable
names and corresponding variable values. Variable values can be any type of JSON value.
The |
classes |
A required object that
defines the classes to be used by nodes in the node group. The |
Response format
If the node group is successfully created, the service returns a 201 Created response and a JSON body describing the node group.
If the node group already exists, and the existing group is identical to the node group described in the request, then server takes no action, returns a 200 OK response, and a JSON body describing the node group.
Error responses
If there is an error, Node classifier API errors provide error
information in the kind
key, and are similar to the POST /v1/groups error responses. However, 422 responses
to POST
requests can include errors caused by a node
group’s children, but a node group being created with a PUT
request cannot have any children.
POST /v1/groups/<id>
Edit the name, environment, parent node group, rules, classes, class parameters, configuration data, and variables for a specific node group.
Request format
When Forming node classifier API requests to this endpoint, the body must be a JSON object describing the changes you want to make to the node group. For a complete list of keys you can include in the request, refer to POST /v1/groups.
If your request includes classes
, config_data
, variables
, and rule
keys, these values are merged with the node group's existing
values. Any keys in the resulting combined object with a null value are removed. To remove
classes, class parameters, configuration data, variables, or rules from the node group, set
the key to null in the change request.
If the request supplies a rule
key that is set to a new
value or nil
, the rule is updated wholesale or removed from
the group, depending on the supplied value.
If the request contains the name
, environment
, description
, or parent
keys, then these values replace the old values
entirely.
The serial_number
key is optional. If your request includes
a serial_number
that does not match the group's current
serial number, the service returns a 409 Conflict response. To bypass this
check, omit the serial_number
key from the request.
The following code examples show a node group, the change request, and the end result (where the changes are merged into the node group's settings).
{
"name": "Webservers",
"id": "58463036-0efa-4365-b367-b5401c0711d3",
"environment": "staging",
"parent": "00000000-0000-4000-8000-000000000000",
"rule": ["~", ["trusted", "certname"], "www"],
"classes": {
"apache": {
"serveradmin": "bofh@travaglia.net",
"keepalive_timeout": 5
},
"ssl": {
"keystore": "/etc/ssl/keystore"
}
},
"variables": {
"ntp_servers": ["0.us.pool.ntp.org", "1.us.pool.ntp.org", "2.us.pool.ntp.org"]
}
}
The change request:{
"name": "Production Webservers",
"id": "58463036-0efa-4365-b367-b5401c0711d3",
"environment": "production",
"parent": "01522c99-627c-4a07-b28e-a25dd563d756",
"classes": {
"apache": {
"serveradmin": "roy@reynholm.co.uk",
"keepalive_timeout": null
},
"ssl": null
},
"variables": {
"dns_servers": ["dns.reynholm.co.uk"]
}
}
The updated group settings:{
"name": "Production Webservers",
"id": "58463036-0efa-4365-b367-b5401c0711d3",
"environment": "production",
"parent": "01522c99-627c-4a07-b28e-a25dd563d756",
"rule": ["~", ["trusted", "certname"], "www"],
"classes": {
"apache": {
"serveradmin": "roy@reynholm.co.uk"
}
},
"variables": {
"ntp_servers": ["0.us.pool.ntp.org", "1.us.pool.ntp.org", "2.us.pool.ntp.org"],
"dns_servers": ["dns.reynholm.co.uk"]
}
}
In the above example, the ssl
class was deleted
because its entire object was mapped to null
, whereas, for
the apache
class, only the keepalive_timeout
parameter was deleted.If the node group definition contains classes and parameters that have been deleted, it is still possible to update the node group with those parameters and classes. Updates that don’t increase the number of errors associated with a node group are allowed.
POST
/v1/groups/<id>
endpoint:type_header='Content-Type: application/json'
auth_header="X-Authentication: $(puppet-access show)"
uri="https://$(puppet config print server):4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65"
data='{"classes":
{"apache": {
"serveradmin": "bob@example.com",
"keepalive_timeout": null}
}
}'
curl --insecure --header "$type_header" --header "$auth_header" --request POST "$uri" --data "$data"
Error responses
If there is an error, Node classifier API errors provide error information
in the kind
key and are similar to the POST /v1/groups
error responses.
You can't edit the root All Nodes node group’s rule
. Attempting o do so returns a 422 Unprocessable
Entity response.
DELETE /v1/groups/<id>
Use the /v1/groups/\<id\>
endpoint to delete the node group with
the given ID.
Request format
DELETE https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65
You can use GET /v1/groups to get node group IDs.
Response format
If the node group is successfully deleted, the sever returns a 204 No Content response.
Error responses
If there is an error, Node classifier API errors provide error
information in the kind
key.
If the endpoint can't find a node group with the specified ID, the server returns a
404 Not Found or malformed-UUID
response.
You can't delete node groups that have children. If you attempt to delete a node group with children, the server returns a 422 Unprocessable Entity children-present response. To resolve the error, you must either delete the children or reassign the children to a new parent (such as with the POST /v1/groups/<id> endpoint).
POST /v1/groups/<id>/pin
Pin specific nodes to a node group.
Request format
POST https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/pin
- Append the node names to the URI path. If you are pinning more than one node, use
encoded comma separation (
%2C
) between node names. For example, this request pins the nodes namedfoo
,bar
, andbaz
to the group:POST https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/pin?nodes=foo%2Cbar%2Cbaz
- Supply the node names in the request body. For a single node, you can supply this
in a simple JSON object. For multiple nodes, supply the node names in an array.
For example, this JSON body pins a single
node:
And this body pins three nodes:{"nodes": ["foo"]}
{"nodes": ["foo", "bar", "baz"]}
While it's easier to append the nodes to the end of the URI path, if you want to pin a lot of nodes at once, the URI path might get truncated. Strings are truncated if they exceed 8,000 characters. In this case, you have to supply the nodes in a JSON body, which can be many megabytes in size.
POST
/v1/groups/<id>/pin
endpoint. If necessary, replace
/etc/puppetlabs/puppet/ssl/certs/ca.pem
with the correct path to
your CA certificate
file:type_header='Content-Type: application/json'
auth_header="X-Authentication: $(puppet-access show)"
uri="https://$(puppet config print server):4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/pin"
data='{ "nodes": ["example-to-pin.example.vm"] }'
curl --cacert "/etc/puppetlabs/puppet/ssl/certs/ca.pem" --header "$type_header" --header "$auth_header" --request POST "$uri" --data "$data"
Response format
If pinning is successful, the service returns a 204 No Content response with an empty body.
If the request contained a node that is already pinned to the group, the node's pinned status is unchanged –- The service only pins nodes that aren't already pinned to the specified node group.
Error responses
If there is an error, Node classifier API errors provide error
information in the kind
key.
If your request doesn't specify any nodes to pin, the service returns a 400 Malformed Request response.
If the request body is invalid JSON, is missing the nodes
key, or
contains any keys other than nodes
, the service returns
a 400 Malformed Request response.
POST /v1/groups/<id>/unpin
Unpin specific nodes from a node group.
Request format
POST https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/unpin
- Append the node names to the URI path. If you are unpinning more than one node,
use encoded comma separation (
%2C
) between node names. For example, this request unpins the nodes namedfoo
,bar
, andbaz
from the group:POST https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/unpin?nodes=foo%2Cbar%2Cbaz
- Supply the node names in the request body. For a single node, you can supply this
in a simple JSON object. For multiple nodes, supply the node names in an array.
For example, this JSON body unpins a single
node:
And this body unpins three nodes:{"nodes": ["foo"]}
{"nodes": ["foo", "bar", "baz"]}
While it's easier to append the nodes to the end of the URI path, if you want to unpin a lot of nodes at once, the URI path might get truncated. Strings are truncated if they exceed 8,000 characters. In this case, you have to supply the nodes in a JSON body, which can be many megabytes in size.
POST
/v1/groups/<id>/pin
endpoint:type_header='Content-Type: application/json'
auth_header="X-Authentication: $(puppet-access show)"
uri="https://$(puppet config print server):4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/unpin"
data='{ "nodes": ["example-to-unpin"] }'
curl --header "$type_header" --header "$auth_header" --request POST "$uri" --data "$data"
Response format
If unpinning is successful, the service returns a 204 No Content response with an empty body.
If the request contained a node that is was not pinned to the group, service ignores that node.
Error responses
If there is an error, Node classifier API errors provide error
information in the kind
key.
If your request doesn't specify any nodes to unpin, the service returns a 400 Malformed Request response.
If the request body is invalid JSON, is missing the nodes
key, or contains any keys other than nodes
, the service returns a 400 Malformed Request
response.
GET /v1/groups/<id>/rules
Resolve the rules for a specific node group, and then translate those rules to work with the PuppetDB nodes and inventory endpoints.
Request format
GET https://localhost:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65/rules
Response format
Key | Definition |
---|---|
rule |
The rules for the group in classifier format. |
rule_with_inherited |
The inherited rules (including the rules for this group) in classifier format |
translated |
An object containing two children (nodes_query_format and
inventory_query_format ), which represent each of the inherited
rules translated into a different format. |
nodes_query_format |
The optimized translated inherited group in the format that works with the nodes endpoint in PuppetDB. |
inventory_query_format |
The optimized translated inherited group in the format that works with the inventory endpoint in PuppetDB. |
{
"rule": [
"=",
[
"fact",
"is_spaceship"
],
"true"
],
"rule_with_inherited": [
"and",
[
"=",
[
"fact",
"is_spaceship"
],
"true"
],
[
"~",
"name",
".*"
]
],
"translated": {
"nodes_query_format": [
"or",
[
"=",
[
"fact",
"is_spaceship"
],
"true"
],
[
"=",
[
"fact",
"is_spaceship",
true
]
]
],
"inventory_query_format": [
"or",
[
"=",
"facts.is_spaceship",
"true"
],
[
"=",
"facts.is_spaceship",
true
]
]
}
}
Error responses
If there is an error, Node classifier API errors provide error information
in the kind
key.
If the endpoint can't find a node group with the specified ID, the server returns a
404 Not Found or malformed-UUID
response.