Thursday, February 5, 2015

Chef Server 12.0.3 Released [feedly]

Chef Server 12.0.3 Released
// Chef Blog

Today we released Chef Server 12.0.3. The biggest component of this release is an early implementation of multikey authentication and chef-server-ctl commands you can use to build your own key rotation! We will be expanding this feature to have full-fledged API support in the near future, but you can get cracking with this now if you want.

The latest packages can be downloaded from

Keys To The Kingdom

This release supports storing and managing multiple keys for users and clients. You can authenticate as a user or client with any valid key for said agent. For a given request, the server will simply check the request against all valid keys for the user or client. This allows the server to know if a request is coming from a user or client by the same name, since a key that authenticates correctly indicates the appropriate user or client, slaying the long-standing user-client ambiguity bug.

The result is that you can now set up working key rotation: add a second key for a user or clients, deploy it in place of the old one wherever the keys lives, and then delete the old key. All of your keys will have a name to help you distinguish between them.

Additionally, you can now set expiration dates for your keys. This is optional. If a key has passed its expiration date, then it will simply be excluded by the server when populating the list of valid keys for a user or client. If a key doesn't have an expiration date, then it will be valid to authenticate against until it is removed.

We are currently working on full API support for all of this, but for now, you can list, add, and delete keys for users and clients via chef-server-ctl. See the docs for additional instructions.

Cool Story, But Will This Break Me?

API Backwards Compatible

This is fully backwards compatible with the current API. If you only want to use one key, you can continue to update your user and client keys via POSTs and PUTs to the API in the same way you currently do. GETs on users and clients will still return a single key as long as you use the existing user and client API endpoints.

How this now works under the hood is the key with the key_name default will be what gets set and returned via the clients and users APIs. POSTs and PUTs to those API endpoints will simply update the default key for that user or client, so sticking to the existing users and clients API endpoints will give you the functionality you are used to.

For now, it is recommended that you do not delete the default key if you use Chef Server addons (see below).

Addon Compatibility

If you delete the default key or add additional keys, Chef Reporting and Chef Push will have issues. Chef Reporting and Chef Push do not yet have support for authenticating against the non-default key. Multikey support for Reporting and Push is in the works with the extended API.

Also In This Release


  • James FitzGibbon added support to use X-Forwarded-For header instead of remote address in nginx logs when nginx['log_x_forwarded_for'] is set to true.

  • James Le Cuirot added initial systemd support.

  • We fixed an issue with a ffi-yajl warning being constantly displayed on every chef-server-ctl command that was executed.

  • Ensure nginx restarts on frontends in HA installs after lua-related changes.

Bug Fixes

  • Log an error and exit when DRBD mount attempts are exhausted rather than entering an infinite loop.

  • Search results for arrays previously would match values from all precedence levels.

  • Nginx logs rotated as opscode user.

  • Fix installation errors caused by PERL5LIB environment variable.

  • Correctly restart nginx on lua-related configuration changes.

  • chef-server-ctl now returns non-zero exit codes for errors during user and organization-related commands.

  • Use -D for --download-only option in chef12-upgrade-download command, avoiding option name conflict.

  • User-Client request ambiguity removed.

Commitment To Getting You Value Faster

While this feature does not yet have full API support, you can manage multiple keys and get working key rotation with this release. Instead of making you wait for all the bells and whistles, we are giving you the minimum viable feature that you can use to get started with, which is something we are committed to improving on. Enjoy and happy rotating!


Shared via my feedly reader

Sent from my iPhone