Admin client creation issue


#1

Hi all,

I am trying to create an admin client in a Hosted Chef environment, but it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example in the
wiki, tried also with knife, and tried to create a regular client and updating
it afterwards (using knife or the Server API), but the admin flag is never set.

I am trying with the following Server API request body, but it creates a
regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains the same,
and the same result if I use knife.

Is there any way I could create an administrator client using the Server API?

Thanks in advance,

Ignasi


#2

Ignasi,
Authorization in Hosted Chef is quite different from the open source
version. In Hosted Chef, there are no “admin” clients, but there is a
finer grained permissions system and a difference between the default
rights of a “user” and a “client”. What exactly do you want to
accomplish? Perhaps it’s just as easily done with your user identity.
If you want to give a particular client broader permissions, take a
look at its settings in http://manage.opscode.com. Let me know if you
need more info, and come find us on IRC.

Cheers,
Chris

On Fri, Sep 9, 2011 at 7:13 AM, Ignasi Barrera ignasi.barrera@gmail.com wrote:

Hi all,

I am trying to create an admin client in a Hosted Chef environment, but it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example in the
wiki, tried also with knife, and tried to create a regular client and updating
it afterwards (using knife or the Server API), but the admin flag is never set.

I am trying with the following Server API request body, but it creates a
regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains the same,
and the same result if I use knife.

Is there any way I could create an administrator client using the Server API?

Thanks in advance,

Ignasi


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


#3

Hi,

The only thing I need is to create a client capable of updating the run list
of the different nodes using the API.

I started developing with a Hosted Chef environment (which is the main
target), and I don’t know if there is any way to set that permission
automatically (I’ve not found any documentation about the Opscode Platform
API, btw).

On the other hand, from what you say, I understand that the code I have
right now (create a client with the admin flag) should work with the open
source chef server, shouldn’t it?

Thank you,

Ignasi

On 9 September 2011 16:28, Christopher Brown cb@opscode.com wrote:

Ignasi,
Authorization in Hosted Chef is quite different from the open source
version. In Hosted Chef, there are no “admin” clients, but there is a
finer grained permissions system and a difference between the default
rights of a “user” and a “client”. What exactly do you want to
accomplish? Perhaps it’s just as easily done with your user identity.
If you want to give a particular client broader permissions, take a
look at its settings in http://manage.opscode.com. Let me know if you
need more info, and come find us on IRC.

Cheers,
Chris

On Fri, Sep 9, 2011 at 7:13 AM, Ignasi Barrera ignasi.barrera@gmail.com
wrote:

Hi all,

I am trying to create an admin client in a Hosted Chef environment, but
it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example in
the
wiki, tried also with knife, and tried to create a regular client and
updating
it afterwards (using knife or the Server API), but the admin flag is
never set.

I am trying with the following Server API request body, but it creates a
regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains the
same,
and the same result if I use knife.

Is there any way I could create an administrator client using the Server
API?

Thanks in advance,

Ignasi


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


#4

Ah, gotcha.
The default client permissions on Hosted Chef only allow that client
to update the node it’s associated with. That’s part of the security
design. You can alter a client to have broader permissions, but
that’s usually not a good idea. Users, however, have that permission
(update on all nodes) by default. And what you have should work on
the open source server as you said.

Take a look at these links:
http://wiki.opscode.com/display/chef/API+Clients
http://help.opscode.com/kb/knife/manage-api-clients-with-knife
http://help.opscode.com/kb/manage/managing-permissions

and let me know if that helps.

Cheers,
-Chris

On Fri, Sep 9, 2011 at 7:37 AM, Ignasi ignasi.barrera@gmail.com wrote:

Hi,
The only thing I need is to create a client capable of updating the run list
of the different nodes using the API.
I started developing with a Hosted Chef environment (which is the main
target), and I don’t know if there is any way to set that permission
automatically (I’ve not found any documentation about the Opscode Platform
API, btw).
On the other hand, from what you say, I understand that the code I have
right now (create a client with the admin flag) should work with the open
source chef server, shouldn’t it?

Thank you,
Ignasi

On 9 September 2011 16:28, Christopher Brown cb@opscode.com wrote:

Ignasi,
Authorization in Hosted Chef is quite different from the open source
version. In Hosted Chef, there are no “admin” clients, but there is a
finer grained permissions system and a difference between the default
rights of a “user” and a “client”. What exactly do you want to
accomplish? Perhaps it’s just as easily done with your user identity.
If you want to give a particular client broader permissions, take a
look at its settings in http://manage.opscode.com. Let me know if you
need more info, and come find us on IRC.

Cheers,
Chris

On Fri, Sep 9, 2011 at 7:13 AM, Ignasi Barrera ignasi.barrera@gmail.com
wrote:

Hi all,

I am trying to create an admin client in a Hosted Chef environment, but
it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example in
the
wiki, tried also with knife, and tried to create a regular client and
updating
it afterwards (using knife or the Server API), but the admin flag is
never set.

I am trying with the following Server API request body, but it creates a
regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains the
same,
and the same result if I use knife.

Is there any way I could create an administrator client using the Server
API?

Thanks in advance,

Ignasi


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


#5

That was really helpful, now I understand.

Alghough it is not the recommended solution, is there any way, using the
API, to give a client in the Hosted Chef the rights to manage the run lists?
That client will be only a client, not associated to a node.

Which should be the best approach to that? Maybe I must add a restriction to
manually add the client to the “admin” group after creating it?

Thanks,

Ignasi

On 9 September 2011 16:55, Christopher Brown cb@opscode.com wrote:

Ah, gotcha.
The default client permissions on Hosted Chef only allow that client
to update the node it’s associated with. That’s part of the security
design. You can alter a client to have broader permissions, but
that’s usually not a good idea. Users, however, have that permission
(update on all nodes) by default. And what you have should work on
the open source server as you said.

Take a look at these links:
http://wiki.opscode.com/display/chef/API+Clients
http://help.opscode.com/kb/knife/manage-api-clients-with-knife
http://help.opscode.com/kb/manage/managing-permissions

and let me know if that helps.

Cheers,
-Chris

On Fri, Sep 9, 2011 at 7:37 AM, Ignasi ignasi.barrera@gmail.com wrote:

Hi,
The only thing I need is to create a client capable of updating the run
list
of the different nodes using the API.
I started developing with a Hosted Chef environment (which is the main
target), and I don’t know if there is any way to set that permission
automatically (I’ve not found any documentation about the Opscode
Platform
API, btw).
On the other hand, from what you say, I understand that the code I have
right now (create a client with the admin flag) should work with the open
source chef server, shouldn’t it?

Thank you,
Ignasi

On 9 September 2011 16:28, Christopher Brown cb@opscode.com wrote:

Ignasi,
Authorization in Hosted Chef is quite different from the open source
version. In Hosted Chef, there are no “admin” clients, but there is a
finer grained permissions system and a difference between the default
rights of a “user” and a “client”. What exactly do you want to
accomplish? Perhaps it’s just as easily done with your user identity.
If you want to give a particular client broader permissions, take a
look at its settings in http://manage.opscode.com. Let me know if you
need more info, and come find us on IRC.

Cheers,
Chris

On Fri, Sep 9, 2011 at 7:13 AM, Ignasi Barrera <
ignasi.barrera@gmail.com>

wrote:

Hi all,

I am trying to create an admin client in a Hosted Chef environment,
but

it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example in
the
wiki, tried also with knife, and tried to create a regular client and
updating
it afterwards (using knife or the Server API), but the admin flag is
never set.

I am trying with the following Server API request body, but it creates
a

regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains
the

same,
and the same result if I use knife.

Is there any way I could create an administrator client using the
Server

API?

Thanks in advance,

Ignasi


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


#6

Manually adding the client to the admin group would definitely do the
trick. For most of the permissions operations, it’s easier to get in
done in the webui at manage.opscode.com than by the API at this point.
That will get better in the future.
Glad to hear this has been helpful.

Cheers,
-Chris

On Fri, Sep 9, 2011 at 8:34 AM, Ignasi ignasi.barrera@gmail.com wrote:

That was really helpful, now I understand.

Alghough it is not the recommended solution, is there any way, using the
API, to give a client in the Hosted Chef the rights to manage the run lists?
That client will be only a client, not associated to a node.
Which should be the best approach to that? Maybe I must add a restriction to
manually add the client to the “admin” group after creating it?

Thanks,
Ignasi

On 9 September 2011 16:55, Christopher Brown cb@opscode.com wrote:

Ah, gotcha.
The default client permissions on Hosted Chef only allow that client
to update the node it’s associated with. That’s part of the security
design. You can alter a client to have broader permissions, but
that’s usually not a good idea. Users, however, have that permission
(update on all nodes) by default. And what you have should work on
the open source server as you said.

Take a look at these links:
http://wiki.opscode.com/display/chef/API+Clients
http://help.opscode.com/kb/knife/manage-api-clients-with-knife
http://help.opscode.com/kb/manage/managing-permissions

and let me know if that helps.

Cheers,
-Chris

On Fri, Sep 9, 2011 at 7:37 AM, Ignasi ignasi.barrera@gmail.com wrote:

Hi,
The only thing I need is to create a client capable of updating the run
list
of the different nodes using the API.
I started developing with a Hosted Chef environment (which is the main
target), and I don’t know if there is any way to set that permission
automatically (I’ve not found any documentation about the Opscode
Platform
API, btw).
On the other hand, from what you say, I understand that the code I have
right now (create a client with the admin flag) should work with the
open
source chef server, shouldn’t it?

Thank you,
Ignasi

On 9 September 2011 16:28, Christopher Brown cb@opscode.com wrote:

Ignasi,
Authorization in Hosted Chef is quite different from the open source
version. In Hosted Chef, there are no “admin” clients, but there is a
finer grained permissions system and a difference between the default
rights of a “user” and a “client”. What exactly do you want to
accomplish? Perhaps it’s just as easily done with your user identity.
If you want to give a particular client broader permissions, take a
look at its settings in http://manage.opscode.com. Let me know if you
need more info, and come find us on IRC.

Cheers,
Chris

On Fri, Sep 9, 2011 at 7:13 AM, Ignasi Barrera
ignasi.barrera@gmail.com
wrote:

Hi all,

I am trying to create an admin client in a Hosted Chef environment,
but
it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example
in
the
wiki, tried also with knife, and tried to create a regular client and
updating
it afterwards (using knife or the Server API), but the admin flag is
never set.

I am trying with the following Server API request body, but it
creates a
regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains
the
same,
and the same result if I use knife.

Is there any way I could create an administrator client using the
Server
API?

Thanks in advance,

Ignasi


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


#7

Got it.

Thanks for your help!

Ignasi

On 9 September 2011 23:20, Christopher Brown cb@opscode.com wrote:

Manually adding the client to the admin group would definitely do the
trick. For most of the permissions operations, it’s easier to get in
done in the webui at manage.opscode.com than by the API at this point.
That will get better in the future.
Glad to hear this has been helpful.

Cheers,
-Chris

On Fri, Sep 9, 2011 at 8:34 AM, Ignasi ignasi.barrera@gmail.com wrote:

That was really helpful, now I understand.

Alghough it is not the recommended solution, is there any way, using the
API, to give a client in the Hosted Chef the rights to manage the run
lists?
That client will be only a client, not associated to a node.
Which should be the best approach to that? Maybe I must add a restriction
to
manually add the client to the “admin” group after creating it?

Thanks,
Ignasi

On 9 September 2011 16:55, Christopher Brown cb@opscode.com wrote:

Ah, gotcha.
The default client permissions on Hosted Chef only allow that client
to update the node it’s associated with. That’s part of the security
design. You can alter a client to have broader permissions, but
that’s usually not a good idea. Users, however, have that permission
(update on all nodes) by default. And what you have should work on
the open source server as you said.

Take a look at these links:
http://wiki.opscode.com/display/chef/API+Clients
http://help.opscode.com/kb/knife/manage-api-clients-with-knife
http://help.opscode.com/kb/manage/managing-permissions

and let me know if that helps.

Cheers,
-Chris

On Fri, Sep 9, 2011 at 7:37 AM, Ignasi ignasi.barrera@gmail.com
wrote:

Hi,
The only thing I need is to create a client capable of updating the
run

list
of the different nodes using the API.
I started developing with a Hosted Chef environment (which is the main
target), and I don’t know if there is any way to set that permission
automatically (I’ve not found any documentation about the Opscode
Platform
API, btw).
On the other hand, from what you say, I understand that the code I
have

right now (create a client with the admin flag) should work with the
open
source chef server, shouldn’t it?

Thank you,
Ignasi

On 9 September 2011 16:28, Christopher Brown cb@opscode.com wrote:

Ignasi,
Authorization in Hosted Chef is quite different from the open source
version. In Hosted Chef, there are no “admin” clients, but there is
a

finer grained permissions system and a difference between the default
rights of a “user” and a “client”. What exactly do you want to
accomplish? Perhaps it’s just as easily done with your user
identity.

If you want to give a particular client broader permissions, take a
look at its settings in http://manage.opscode.com. Let me know if
you

need more info, and come find us on IRC.

Cheers,
Chris

On Fri, Sep 9, 2011 at 7:13 AM, Ignasi Barrera
ignasi.barrera@gmail.com
wrote:

Hi all,

I am trying to create an admin client in a Hosted Chef environment,
but
it is
always created as a regular client.

I’ve been trying with the Server API, just copying the JSON example
in
the
wiki, tried also with knife, and tried to create a regular client
and

updating
it afterwards (using knife or the Server API), but the admin flag
is

never set.

I am trying with the following Server API request body, but it
creates a
regular client: {“name”: “myclient”, “admin”: true}
Also tried a PUT once the client is created, but the client remains
the
same,
and the same result if I use knife.

Is there any way I could create an administrator client using the
Server
API?

Thanks in advance,

Ignasi


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai


Christopher Brown, Chief Technical Officer, Opscode, Inc.
T: (425) 502-5522, E: cb@opscode.com
IRC, Github: skeptomai
Twitter: @skeptomai