Here are the steps required to prep a puppet-controlled computer to properly use a USB stick.

  1. For each user, make a directory in /media/, for instance, /media/xf06bm for the xf06bm user. Make sure the permissions are 755.  If needed, do chmod 755 /media/xf06bm. This is probably the only important step in this whole process.
  2. Make sure that permissions for the first several entries in /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy are completely permissive.  That is, the allow_any, allow_inactive, and allow_active parameters should all be set to yes for at least the first 4 actions listed in that file.  Note that the filename might be all lowercase, i.e. "...udisks2..".
  3. Puppet installs the usbmount package, which includes the file /lib/udev/rules.d/usbmount.rules. This is intended as a way of helping the udev system do the right thing with a stick insertion or removal.  It is unnecessary.  It will fail to do the right thing on these puppet-controlled machines. I chose to remove this functionality by commenting out each line in the /lib/udev/rules.d/usbmount.rules file. This does not remove the package, just disables its functionality.  It doesn't seem to be necessary to disable usbmount, but it seems like a good idea.
  4. If you monitor /var/log/syslog, you will see this error message:
│Dec 27 15:15:54 xf06bm-ws1 dbus-daemon[624]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service' requested by ':1.689' (uid=108 pid=4198 comm="/usr/lib/colord/colord-sane ")                       │
│Dec 27 15:15:54 xf06bm-ws1 dbus-daemon[624]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service not found.                                                                           │
│Dec 27 15:15:56 xf06bm-ws1 dbus-daemon[624]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service' requested by ':1.690' (uid=108 pid=4198 comm="/usr/lib/colord/colord-sane ")                       │
│Dec 27 15:15:56 xf06bm-ws1 dbus-daemon[624]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service not found.                                                                           │

This message can be made to go away by doing sudo systemctl start avahi-daemon.service.  This certainly makes the error message go away, but it doesn't last.  Eventually, the avahi-daemon service will stop and the message will return.

Finally, it was helpful to understand what usbmount was doing to slightly modify the /usr/share/usbmount/usbmount script by adding the line

log info "DEVNAME is $DEVNAME"

at line 90.  This allowed me to understand how this script was probing the partition table of the stick being inserted.  Of course, if you don't use usbmount, then this doesn't much help!