----
Security Update: Hosted Chef
// Chef Blog
Later today, we will be rolling out an update to Hosted Chef that may impact your future use of data bag items in cookbooks. This change will remove the Chef Client's default permissions to 'create', 'update' and 'delete' data bags in newly-created organizations.
This means that if you create an organization today and proceed to add a recipe that modifies data bag content, any converge that includes that recipe will fail with a 403.
Why Change This?
Until now, Hosted Chef has defaulted to allowing Chef Client runs on a node to create, update and delete data bag contents. This presents a security risk, in that a bad actor with access to any managed node in your organization can potentially modify data bag contents with malicious intent.
While we understand the need for client runs to update data bags in some cases, we hope to increase awareness of the potential risk by requiring customers to explicitly enable this ability for their new organization(s).
We are not modifying existing organizations in order to prevent any impact to customers who are following this usage pattern.
What Do I Need To Do?
- If you do not use recipes that modify data bags, you do not need to take action. However, we recommend that you remove these permissions from your existing data bag default permissions and existing data bags.
- If you currently use recipes that modify data bags, you can continue to do so in your existing organization(s) without taking any action.
- If you will use recipes that modify data bags in organizations you create on or after Nov 10, 2014, you will need to modify default data bag ACLs of any new organizations you create that will use those recipes.
- In order to make any change to ACLs (as detailed below) administrative permissions are required.
Disable Chef Client C/U/D on new data bags
Using knife edit
Follow these steps to disable Create/Update/Delete of data bags from chef client in your existing organizations.
knife edit /acls/containers/data.json
Under the sections create, update, and delete, remove clients from the groups list, then save the file and close the editor.
Here is an example of an edited ACL document with only Read permissions enabled for clients, disabling Create, Update, and Delete. Note that this may differ for your organization if you have previously customized ACLs:
{ "create": { "actors": [ "pivotal" ], "groups": [ "admins", "users" ] }, "read": { "actors": [ "pivotal" ], "groups": [ "admins", "clients", "users" ] }, "update": { "actors": [ "pivotal" ], "groups": [ "admins", "users" ] }, "delete": { "actors": [ "pivotal" ], "groups": [ "admins", "users" ] }, "grant": { "actors": [ "pivotal" ], "groups": [ "admins" ] } }
Using knife-acl plugin
You can install the knife-acl plugin via gem install knife-acl, then modify ACLs as follows:
knife acl remove containers data update group clients
knife acl remove containers data delete group clients
knife acl remove containers data create group clients
Enable Chef Client C/U/D on new data bags
Follow these steps to enable Create/Update/Delete of data bags from chef client in any organizations created on or after Nov 10, 2014.
Using knife edit
knife edit /acls/containers/data.json
Under the section update, add clients to the groups list, then save the file and close the editor.
If you have cookbooks that are creating or deleting data bags or data you will also need to add clients to the groups list of both update and delete.
Here is an example of an edited ACL document with Create, Update, and Delete permissions enabled for clients. Note that this may differ for your organization if you have previously customized ACLs:
{ "create": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
}, "read": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
}, "update": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
}, "delete": {
"actors": [ "pivotal" ],
"groups": [ "admins", "clients", "users" ]
}, "grant": {
"actors": [ "pivotal" ],
"groups": [ "admins" ]
}
}
Using knife-acl plugin
knife acl add containers data update group clients
If you have cookbooks that are creating or deleting data bags or data bag items, you will also need to add 'create' and 'delete' permissions respectively:
knife acl add containers data create group clients
knife acl add containers data delete group clients
Using manage.opscode.com
At this time, manage.opscode.com only supports removing the 'create' and 'read' privileges. Because of this, the necessary controls to enable/disable update and delete are not available.
Enabling/disabling C/U/D access on existing data bags
The changes above will modify the default permissions applied to any new data bags.
If you wish to modify all existing data bags, the following bash snippet gives an example using the knife acl permission: for bag in $(knife data bag list); do echo "Updating permissons on $bag." knife acl remove data $bag update group clients knife acl remove data $bag delete group clients knife acl remove data $bag create group clients done
You can find the full gist here.
Other Options
Note that Chef Server's RBAC controls allow you more fine-grained control than globally enabling/disabling these activities. For example you could create a group privileged-clients, set that group up with necessary CRUD access to the data container, and add those clients who require this access to it.
In this way, you could support a default behavior of disallowing updates from clients, while still permitting some clients access to do so. You can further extend this to only permit updates to specific data bags.
Chef Server Impacts
- This change will be made the default behavior beginning in Chef Server 12 RC6
- This behavior is the existing default in OSC 11.
- This behavior will not be changed at this time in Enterprise Chef 11.
- This behavior will not be changed in Private Chef 1.4
----
Shared via my feedly reader
No comments:
Post a Comment