Chef 12 with Vault and non-admin users
Closed this issue · 2 comments
Hello,
Is there some way to give non-admin users permission to use 'knife user show'?
I tried to
$ knife acl add groups users read group vault-admins
And put my users in the 'vault-admins' group, but it does not work :(
Valid OBJECT_TYPE's are
clients
groups
containers
data
nodes
roles
cookbooks
environments
The problem is: knife-vault needs to get the public key of the users to generate the hash.
If the guy is a non-admin, he can only generate for his own, and I can't see the key:
$ knife vault show reliability portability-credentials
ERROR: ChefVault::Exceptions::SecretDecryption: reliability/portability-credentials is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
And the guy who did can't generate for me because he can't see my private key using 'knife user show tiago_cruz'
So, how can I give him access to my private_key?
Thanks a lot!
$ knife user show tiago_cruz -VV
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::JSONToModelOutput#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_request
DEBUG: Signing the request as jaum
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_request
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_request
DEBUG: Initiating GET to https://chef-host/organizations/organization/users/truta
DEBUG: ---- HTTP Request Header Data: ----
DEBUG: Accept: application/json
DEBUG: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
DEBUG: X-OPS-SIGN: algorithm=sha1;version=1.0;
DEBUG: X-OPS-USERID: jaum
DEBUG: X-OPS-TIMESTAMP: 2015-01-22T19:42:02Z
DEBUG: X-OPS-CONTENT-HASH: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
DEBUG: X-OPS-AUTHORIZATION-1: GsGVBloLX88PUr+OygGRf/JfqenGh2ZHvGS5LXEIehw/+Xu8Xgi5QYGK9lDs
DEBUG: X-OPS-AUTHORIZATION-2: lQ6NGPt4AoiglpTuQUJnyP8rhPLEeNlMmh3hxBbGMlWHzTOqWsHvPLlbAg6e
DEBUG: X-OPS-AUTHORIZATION-3: H7uWraSg882f26xXDkFJOhu/loBD3jZ51eCsyEJwJkkPhlOG8yVmNrgzn2cV
DEBUG: X-OPS-AUTHORIZATION-4: sKvwKHJwAu5UUGHrNcyKeH1SPlWYHZFhL0lEMb6lwDxZA7O5nKJu9RE/nEPc
DEBUG: X-OPS-AUTHORIZATION-5: FKYframg47s+uPYjrb9MjH5AjtAK3DBA1dZxXrTFTEeB2rtWNjrSAVNE0O5I
DEBUG: X-OPS-AUTHORIZATION-6: GlqUUlBuXa0j/Er52tIMJBl0Fav4cwGK5tNx1DniNQ==
DEBUG: HOST: chef-host:443
DEBUG: X-REMOTE-REQUEST-ID: 1fb2cc5a-25a4-483a-b4e5-adaedb01d80a
DEBUG: ---- End HTTP Request Header Data ----
DEBUG: ---- HTTP Status and Header Data: ----
DEBUG: HTTP 1.1 403 Forbidden
DEBUG: server: ngx_openresty/1.4.3.6
DEBUG: date: Thu, 22 Jan 2015 19:42:01 GMT
DEBUG: content-length: 37
DEBUG: connection: close
DEBUG: x-ops-api-info: flavor=cs;version=12.0.0;oc_erchef=0.29.4
DEBUG: ---- End HTTP Status/Header Data ----
DEBUG: Chef::HTTP calling Chef::HTTP::ValidateContentLength#handle_response
DEBUG: Content-Length validated correctly.
DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_response
DEBUG: Chef::HTTP calling Chef::HTTP::JSONToModelOutput#handle_response
DEBUG: Expected JSON response, but got content-type ''
DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_response
INFO: HTTP Request Returned 403 Forbidden: error
/opt/chefdk/embedded/lib/ruby/2.1.0/net/http/response.rb:119:in `error!': 403 "Forbidden" (Net::HTTPServerException)
from /opt/chefdk/embedded/apps/chef/lib/chef/http.rb:145:in `request'
from /opt/chefdk/embedded/apps/chef/lib/chef/rest.rb:115:in `get'
from /opt/chefdk/embedded/apps/chef/lib/chef/user.rb:164:in `load'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife/user_show.rb:43:in `run'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:493:in `run_with_pretty_exceptions'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:174:in `run'
from /opt/chefdk/embedded/apps/chef/lib/chef/application/knife.rb:139:in `run'
from /opt/chefdk/embedded/apps/chef/bin/knife:25:in `<top (required)>'
from /usr/bin/knife:33:in `load'
from /usr/bin/knife:33:in `<main>'
Thanks!!
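The mechanism behind the "is not encrypted with your public key" error, as an added example that is not part of the original post and not chef-vault's own code: a simplified model of a vault item, where one random AES key encrypts the data and that shared key is wrapped once per reader with the reader's RSA public key. Re-encrypting for an extra reader needs only that reader's public key (which is what 'knife user show' returns) plus the private key of someone already on the item. The user names, the item content and the key pairs are constructed for the example; the real chef-vault data bag layout and the `_keys` item differ in detail.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed "Chef users": each has an RSA key pair, like client.pem plus the
# public key the Chef server stores for that user.
def gen_user(name)
  key = OpenSSL::PKey::RSA.new(2048)
  { name: name, private_key: key, public_key: OpenSSL::PKey::RSA.new(key.public_key.to_pem) }
end

class SecretDecryption < StandardError; end

# Create a vault item readable by `recipients`: the item JSON is encrypted with
# a fresh 256-bit AES key, and that key is wrapped with each recipient's public key.
def vault_create(item, recipients)
  shared_secret = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = shared_secret
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(item)) + cipher.final
  keys = recipients.each_with_object({}) do |user, h|
    h[user[:name]] = Base64.strict_encode64(user[:public_key].public_encrypt(shared_secret))
  end
  { 'iv' => Base64.strict_encode64(iv), 'data' => Base64.strict_encode64(ciphertext), 'keys' => keys }
end

# Read a vault item as `user`: unwrap the shared key with the user's private key.
# A user with no wrapped copy of the key cannot decrypt, whatever ACLs say.
def vault_show(vault, user)
  wrapped = vault['keys'][user[:name]]
  raise SecretDecryption, "item is not encrypted with your public key" unless wrapped
  shared_secret = user[:private_key].private_decrypt(Base64.strict_decode64(wrapped))
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = shared_secret
  cipher.iv = Base64.strict_decode64(vault['iv'])
  JSON.parse(cipher.update(Base64.strict_decode64(vault['data'])) + cipher.final)
end

# Grant another user access: an existing reader (`admin`) unwraps the shared key
# with their own private key and re-wraps it for `new_user`. Only new_user's
# PUBLIC key is needed, never their private key.
def vault_add_reader(vault, admin, new_user)
  wrapped = vault['keys'][admin[:name]]
  raise SecretDecryption, "#{admin[:name]} is not a reader of this item" unless wrapped
  shared_secret = admin[:private_key].private_decrypt(Base64.strict_decode64(wrapped))
  vault['keys'][new_user[:name]] = Base64.strict_encode64(new_user[:public_key].public_encrypt(shared_secret))
  vault
end

# Walk through the situation in the issue: item created for one admin only,
# a second user fails, then succeeds once re-encrypted for their public key.
def demo
  admin = gen_user('jaum')
  tiago = gen_user('tiago_cruz')
  vault = vault_create({ 'password' => 'constructed-secret' }, [admin])
  failed_before = begin
    vault_show(vault, tiago)
    false
  rescue SecretDecryption
    true
  end
  vault_add_reader(vault, admin, tiago)
  { failed_before: failed_before, readable_after: vault_show(vault, tiago)['password'] }
end

puts demo.inspect if __FILE__ == $0
```

The shape of the fix is the same as in chef-vault: whoever re-encrypts the item must already hold a wrapped copy of the shared secret, and must be able to fetch the new reader's public key from the server; a non-admin who is denied 'knife user show' on other users cannot do that second step, which is the limitation the reply below describes.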
Hello @tiago-cruz-movile, sorry for the late reply.
Unfortunately giving access to non-admin users is not an easy thing to do at this time in Chef Server 12. However, we are tracking this as a feature request in the following link.
Please feel free to comment in that issue and/or subscribe to it for notification of its progress.
Solved using chef-server-core-12.2.0 👍