Server Admins Grant More Flexible Permissions Around User Management
// Chef Blog
Previously, there were only two types of users, regular and super. The server-admins group adds another possibility. It represents a third class of users who need permissions that are useful for the day-to-day administration of a Chef Server, but who don't need to be superusers.
Members of the server-admins group have CRUD (create, read, update, delete) access on all users except the superuser. In other words, there are expanded options for managing users and the
knife user command regains its usefulness. The members of the group are controlled through a new set of
Let's dive in.
Return to Form for
Let's say you have a Chef server with some users:
$ chef-server-ctl user-list
pivotal # superuser
user1
user2
user3
user4
user5
(In this example, we will use knife as user1.) Before we make any changes, let's use knife to try to do some basic user management (make sure you're using a recent version of knife and your chef_server_url points at your server root and not an organization):
$ knife user list -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: Missing read permission
By default, non-superusers only have permissions that pertain to themselves because users are global to orgs. In general, this division gives a nice separation of concerns, but it's not very flexible. user1 is just a normal user without any special permissions or modifications, but we want user1 to be able to make changes to other users. This is where server-admins comes in.
Log in to the Chef Server and run:
$ chef-server-ctl grant-server-admin-permissions user1
User user1 was added to server-admins. This user can now list, read, and create users (even for orgs they are not members of) for this Chef Server.
user1 tries the knife command again:
$ knife user list -c ~/.chef/user1.rb
pivotal
user1
user2
user3
user4
user5
user1 is a member of
knife user subcommand is now functional in Chef Server 12! Our
user1 can even create, edit, and delete other users via knife. For example:
$ knife user edit user2 -c ~/.chef/user1.rb
... (editor pops up)
Saved user[user2].
Members of server-admins don't have access to the superuser (pivotal), so they can't break the Chef Server (beyond deleting some important user)!
$ knife user delete pivotal -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: missing read permission
As you can see, the new group is very useful in the day-to-day management of a Chef Server.
If we want to remove user1's special privileges, we simply log on to the Chef Server and run:
$ chef-server-ctl list-server-admins
pivotal
user1
$ chef-server-ctl remove-server-admin-permissions user1
User user1 was removed from server-admins. This user can no longer list, read, and create users for this Chef Server except for where they have default permissions (such as within an org).
$ chef-server-ctl list-server-admins
pivotal
Now, if user1 tries to use
$ knife user list -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: missing read permission
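Because a server-admin can create, edit, and delete every non-superuser account, membership of the group is worth auditing on a schedule rather than only at grant and removal time. The following POSIX shell script is an added example written for this post, not code from Chef or from the original article: it compares the output of chef-server-ctl list-server-admins against an allowlist the team maintains and reports any drift. The allowlist file path and the sample outputs are constructed for illustration so the script runs offline; in production the actual list would come from the real command.

```shell
#!/bin/sh
# Added example: detect drift in the server-admins group.
# Input shape is the one shown in the post (one username per line);
# the sample values below are constructed, not captured from a real server.

# Constructed stand-in for: chef-server-ctl list-server-admins
SAMPLE_SERVER_ADMINS="pivotal
user1
user4"

# Constructed allowlist (hypothetical file: /etc/opscode/expected-server-admins)
EXPECTED_SERVER_ADMINS="pivotal
user1"

# audit_server_admins ACTUAL EXPECTED
# Prints "UNEXPECTED <name>" for members not on the allowlist and
# "MISSING <name>" for allowlisted users who are no longer members.
# Returns 0 when the two sets match exactly, 1 otherwise.
audit_server_admins() {
  actual=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  expected=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
  rc=0
  for u in $actual; do
    if ! printf '%s\n' "$expected" | grep -qx -- "$u"; then
      echo "UNEXPECTED $u"
      rc=1
    fi
  done
  for u in $expected; do
    if ! printf '%s\n' "$actual" | grep -qx -- "$u"; then
      echo "MISSING $u"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed data. On a real Chef Server you
# would instead call:
#   audit_server_admins "$(chef-server-ctl list-server-admins)" \
#                       "$(cat /etc/opscode/expected-server-admins)"
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
  audit_server_admins "$SAMPLE_SERVER_ADMINS" "$EXPECTED_SERVER_ADMINS" \
    && echo "server-admins matches allowlist" \
    || echo "server-admins drift detected (exit $?)"
fi
```

Run from cron on the Chef Server and page on a non-zero exit; an UNEXPECTED line is the signal that someone gained user-management rights outside the change process, and a MISSING line tells you a grant was silently reverted. Note that pivotal appears in the list by default, so it belongs on the allowlist rather than being treated as drift.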
Long term, we're planning to expand the permissions to server-admins, so keep that in mind as you add users to that group. So far, the only plans are to add organization CRUD permissions, but we'll see what the future holds. This is the first step towards more flexible, powerful permissions in the Chef server!
For a more technical overview of server-admins, see the documentation here.
Chef Server 12.4.1 can be downloaded here.