Monday, February 22, 2016

Server Admins Grant More Flexible Permissions Around User Management [feedly]



----
Server Admins Grant More Flexible Permissions Around User Management
// Chef Blog

super-admin-01The new global group, server-admins, was released in Chef Server 12.4.1. This group improves your ability to customize permissions that affect user management in your Chef Server.

Previously, there were only two types of users, regular and super. The server-admins group adds another possibility. It represents a third class of users who need permissions that are useful for the day-to-day administration of a Chef Server, but who don't need to be superusers.

Members of the server-admins group have CRUD (create, read, update, delete) access on all users except the superuser. In other words, there are expanded options for managing users and the knife user command regains its usefulness. The members of the group are controlled through a new set of chef-server-ctl commands.

Let's dive in.

Return to Form for knife user

Let's say you have a Chef server with some users:

$ chef-server-ctl user-list  pivotal # superuser  user1  user2  user3  user4  user5  

(In this example, we will use knife as user1.) Before we make any changes, let's use knife to try to do some basic user management (make sure you're using a recent version of knife and your chef_server_url points at your server root and not an organization):

$ knife user list -c ~/.chef/user1.rb  ERROR: You authenticated successfully as user1 but you are not authorized for this action  Response: Missing read permission  

By default, non-superusers only have permissions that pertain to themselves because users are global to orgs. In general, this division gives a nice separation of concerns but it's not very flexible.

Right now, user1 is just a normal user without any special permissions or modifications, but we want user1 to be able to make changes to other users. This is where server-admins comes in.

Log in to the Chef Server and run:

$ chef-server-ctl grant-server-admin-permissions user1  User user1 was added to server-admins.   This user can now list, read, and create users (even for orgs they are not members of) for this Chef Server.  

Now, user1 tries the knife command again:

$ knife user list -c ~/.chef/user1.rb  pivotal  user1  user2  user3  user4  user5  

Because user1 is a member of server-admins, the knife user subcommand is now functional in Chef Server 12! Our user1 can even create, edit, and delete other users via knife. For example:

$ knife user edit user2 -c ~/.chef/user1.rb  ... (editor pops up)  Saved user[user2].  

Remember, though, server-admins don't have access to the superuser (pivotal) so they can't break the Chef Server (beyond deleting some important user)!

$ knife user delete pivotal -c ~/.chef/user1.rb  ERROR: You authenticated successfully as user1 but you are not authorized for this action  Response:  missing read permission  

As you can see, the new group is very useful in the day-to-day management of a Chef Server.

If we want to remove the user1 special privileges, we simply log on to the Chef Server and run:

$ chef-server-ctl list-server-admins  pivotal  user1  $ chef-server-ctl remove-server-admin-permissions user1  User user1 was removed from server-admins.   This user can no longer list, read, and create users for this Chef Server except for where they have default permissions (such as within an org).  $ chef-server-ctl list-server-admins  pivotal  

Now, if user1 tries to use knife user:

$ knife user list -c ~/.chef/user1.rb  ERROR: You authenticated successfully as user1 but you are not authorized for this action  Response:  missing read permission  

Bigger Plans

Long term, we're planning to expand the permissions to server-admins, so keep that in mind as you add users to that group. So far, the only plans are to add organization CRUD permissions but we'll see what the future holds. This is the first step towards more flexible, powerful permissions in the Chef server!

For a more technical overview of server-admins, see the documentation here.

Chef Server 12.4.1 can be downloaded here.


----

Shared via my feedly reader


Sent from my iPhone