This is an UNOFFICIAL and EXPERIMENTAL knife plugin to support basic user/group operations for Hosted Chef. All commands assume a working knife config for an org on Hosted Chef.
You can use these commands to manage a read-only group. To do so:

1. Run `knife actor map` to create or update the local actor map file `actor-map.yaml`:

   ```
   knife actor map
   ```

2. In the web UI, create a group that will hold read-only users.

3. For each user you wish to have read-only access, as defined by the permissions given to the "read-only" group, run:

   ```
   knife group add actor read-only USER
   knife group remove actor users USER
   ```

   This adds the user to the 'read-only' group and removes them from the 'users' group, which has more permissions by default (users are added to 'users' when they are added to an org).
This knife plugin is packaged as a gem. To install it, enter the following:

```
gem install knife-acl
# or, if the gem has yet to be published to Rubygems
gem install knife-acl-x.y.z.gem
```
Show a list of users associated with your org.
## knife actor map

Create a local map file `actor-map.yaml` that maps users to their User Specific Association Group (USAG) and stores a list of clients. USAGs are an implementation detail that will likely be hidden or otherwise changed in the future; they are currently the correct way to add users to, or remove them from, groups in an org.

This command creates a local cache of the user-to-USAG mapping as well as a local cache of clients, and it is used by the following commands: `knife group show`, `knife group add actor`, and `knife group remove actor`.
List groups in the org.
## knife group show GROUP

Show the membership details for GROUP. If you have run `knife actor map`, the user map file will be used to annotate USAGs so you can see which user each one represents.
## knife group add actor GROUP ACTOR

Add ACTOR to GROUP. ACTOR can be a user name or a client name. Requires an up-to-date actor map as created by `knife actor map`. If ACTOR is a user, the user's USAG will be added as a subgroup of GROUP.
## knife group remove actor GROUP ACTOR

Remove ACTOR from GROUP. Requires an up-to-date actor map as created by `knife actor map`. If ACTOR is a user, the user's USAG will be removed from the subgroups of GROUP.
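The group commands above all hinge on one indirection: a user is never placed in a group directly, the user's USAG is added as a subgroup, while a client is added as an actor. The following Ruby example is added here to illustrate that resolution and the read-only workflow from the top of this README; it is not code from the knife-acl plugin. It assumes a constructed `actor-map.yaml` layout (a `users` hash of user name to USAG name and a `clients` list), constructed USAG names, and a simplified group shape with `actors` and `groups` lists; the real file and the server's group document may differ.

```ruby
require 'yaml'

# Constructed sample of an actor map in the layout this example assumes.
# USAG names here are placeholders, not values the server would produce.
ACTOR_MAP_YAML = <<~YAML
  users:
    alice: usag-alice-0001
    bob: usag-bob-0002
  clients:
    - web.example.com
    - api.example.com
YAML

def load_actor_map(yaml_text)
  map = YAML.safe_load(yaml_text)
  { users: map.fetch('users', {}), clients: map.fetch('clients', []) }
end

# Resolve an ACTOR the way the group commands need it: a user becomes its
# USAG (added as a subgroup), a client is added directly as an actor.
# An unknown name most likely means the local map is stale, so say so.
def resolve_actor(map, actor)
  if map[:users].key?(actor)
    [:usag, map[:users][actor]]
  elsif map[:clients].include?(actor)
    [:client, actor]
  else
    raise ArgumentError, "#{actor} is not in the actor map; rerun `knife actor map`"
  end
end

# Simplified group document (assumed shape): 'actors' holds client names,
# 'groups' holds subgroup names. Copies are returned so the caller can
# compare before and after and skip a no-op save.
def copy_group(group)
  { 'actors' => group['actors'].dup, 'groups' => group['groups'].dup }
end

def add_actor(group, map, actor)
  kind, value = resolve_actor(map, actor)
  list = kind == :usag ? 'groups' : 'actors'
  updated = copy_group(group)
  updated[list] << value unless updated[list].include?(value)
  updated
end

def remove_actor(group, map, actor)
  kind, value = resolve_actor(map, actor)
  list = kind == :usag ? 'groups' : 'actors'
  updated = copy_group(group)
  updated[list].delete(value)
  updated
end

# The read-only workflow from this README: move a user out of the default
# 'users' group and into 'read-only'. `groups` maps group name -> group doc.
def make_read_only(groups, map, user)
  groups.merge(
    'read-only' => add_actor(groups['read-only'], map, user),
    'users'     => remove_actor(groups['users'], map, user)
  )
end

if __FILE__ == $PROGRAM_NAME
  map = load_actor_map(ACTOR_MAP_YAML)
  groups = {
    'users'     => { 'actors' => [], 'groups' => ['usag-alice-0001', 'usag-bob-0002'] },
    'read-only' => { 'actors' => [], 'groups' => [] }
  }
  puts make_read_only(groups, map, 'alice').inspect
end
```

Because `resolve_actor` refuses names it cannot find, a stale map fails loudly instead of silently adding nothing, which is the behaviour a practitioner wants before relying on group membership for access control.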
## knife acl show

Shows the ACL for the specified object. Objects are identified by the combination of their type and name. Valid OBJECT_TYPEs are:

- clients
- groups
- containers
- data
- nodes
- roles
- cookbooks
- environments

For example, use the following command to obtain the ACL for a node named "web.example.com":

```
knife acl show nodes web.example.com
```
## knife acl add

Add the group or client with NAME to the PERM access control entry of the object. Objects are specified by the combination of their type and name. See the `knife acl show` documentation above for the permitted types. Valid PERMs are:

- create
- read
- update
- delete
- grant

For example, use the following command to give the superusers group the ability to delete the node called "api.example.com":

```
knife acl add nodes api.example.com delete group superusers
```
## knife acl remove

Remove the group or client with NAME from the PERM access control entry of the specified object. Objects are specified by the combination of their type and name. See the `knife acl show` documentation above for the permitted types, and the `knife acl add` documentation above for the permitted PERMs.

For example, use the following command to remove the superusers group's ability to delete the node called "api.example.com":

```
knife acl remove nodes api.example.com delete group superusers
```
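To make the `knife acl add` and `knife acl remove` semantics concrete, here is an added Ruby example that models one object's ACL as a hash with one entry per PERM, validates OBJECT_TYPE, PERM and the group/client selector against the lists given above, and computes the updated entry together with a flag saying whether anything actually changed (so a no-op need not be written back). It is not the plugin's own code: the ACL document shape (`actors` and `groups` lists per PERM), the `_acl/PERM` path built for the update, and the sample members `pivotal` and `admins` are assumptions made for this example.

```ruby
# Lists taken from the README above.
OBJECT_TYPES = %w[clients groups containers data nodes roles cookbooks environments].freeze
PERMS        = %w[create read update delete grant].freeze
# Which list inside an access control entry a 'group' or 'client' lands in (assumed).
MEMBER_LISTS = { 'group' => 'groups', 'client' => 'actors' }.freeze

# Constructed sample ACL for a single object: one entry per PERM, each with
# an 'actors' list (clients) and a 'groups' list. Assumed shape.
def sample_acl
  PERMS.each_with_object({}) do |perm, acl|
    acl[perm] = { 'actors' => ['pivotal'], 'groups' => ['admins'] }
  end
end

# Reject bad arguments before touching the ACL, mirroring the lists the
# README documents for OBJECT_TYPE and PERM.
def validate_args!(object_type, perm, kind)
  raise ArgumentError, "invalid OBJECT_TYPE '#{object_type}'" unless OBJECT_TYPES.include?(object_type)
  raise ArgumentError, "invalid PERM '#{perm}'" unless PERMS.include?(perm)
  raise ArgumentError, "expected 'group' or 'client', got '#{kind}'" unless MEMBER_LISTS.key?(kind)
end

# Compute the new entry for PERM and report whether it differs from the
# current one; the original ACL is left untouched.
def update_ace(acl, perm, kind, name, add:)
  list = MEMBER_LISTS[kind]
  ace = acl.fetch(perm)
  new_ace = { 'actors' => ace['actors'].dup, 'groups' => ace['groups'].dup }
  if add
    new_ace[list] << name unless new_ace[list].include?(name)
  else
    new_ace[list].delete(name)
  end
  [new_ace, new_ace != ace]
end

# Both commands return the update that would be sent: the assumed
# per-PERM path, the body, and whether a write is needed at all.
def acl_add(acl, object_type, object_name, perm, kind, name)
  validate_args!(object_type, perm, kind)
  ace, changed = update_ace(acl, perm, kind, name, add: true)
  { path: "#{object_type}/#{object_name}/_acl/#{perm}", body: { perm => ace }, changed: changed }
end

def acl_remove(acl, object_type, object_name, perm, kind, name)
  validate_args!(object_type, perm, kind)
  ace, changed = update_ace(acl, perm, kind, name, add: false)
  { path: "#{object_type}/#{object_name}/_acl/#{perm}", body: { perm => ace }, changed: changed }
end

if __FILE__ == $PROGRAM_NAME
  # The README's example: give the superusers group delete on api.example.com.
  puts acl_add(sample_acl, 'nodes', 'api.example.com', 'delete', 'group', 'superusers').inspect
end
```

The `changed` flag is what lets a caller skip the server round trip when the member is already present or already absent; the validation step is why a singular type such as `node` is rejected rather than sent on to the server.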
- Feature: create/delete groups
- Feature: build group membership graph
- Remove duplication in commands
- Staleness detector for actor map
- Improve error messages when actor map is missing
- Don't save group if it will be a no-op