Admin permissions on chef-server:4000


#1

Hi,

we have a successfully experimenting with chef-server + clients setup,
but still cannot figure out the permission settings.

The problem is that when you go to you http://chef-server.example.com:4000
within the browser and log in using OpenID (using any external
identity provider), you always get admin permissions.

We are running chef on a EC2 + external chef-server (+ monitoring etc)
hybrid network, without any VPN, and wanted to run chef-server on a
public interface.

From what I can see we could restrict access to the chef-server,
either by setting up a VPN network, or by limiting access in any other
way. But perhaps there is a better way? Is it documented?

Thanks,
Michal


Michal Frackowiak
http://michalfrackowiak.com


#2

Hiya!

You could for a start reverse proxy into the chef-server and restrict
particular URL’s with HTTP basic or otherwise authentication.

opscode/master currently has the functionality to restrict permissions
to specific openID’s and specific openID relaying parties @ http://github.com/opscode/chef/blob/34bc1e8280c63931b50dbb42ebb27fdbfe1f97c1/chef-server-slice/app/controllers/openid_consumer.rb#L115

You may wish to build 0.6.0 gems and roll that out.

Regards,

AJ

On 16/03/2009, at 9:27 PM, Michal Frackowiak wrote:

Hi,

we have a successfully experimenting with chef-server + clients
setup, but still cannot figure out the permission settings.

The problem is that when you go to you http://chef-server.example.com:4000
within the browser and log in using OpenID (using any external
identity provider), you always get admin permissions.

We are running chef on a EC2 + external chef-server (+ monitoring
etc) hybrid network, without any VPN, and wanted to run chef-server
on a public interface.

From what I can see we could restrict access to the chef-server,
either by setting up a VPN network, or by limiting access in any
other way. But perhaps there is a better way? Is it documented?

Thanks,
Michal


Michal Frackowiak
http://michalfrackowiak.com


#3

I meant to put up instructions for using apache’s htaccess and proxypass on
the opscode wiki.
As thats what I did.

Perhaps I’ll do that today, I have my notes and such.

first enable mod proxy with a2enmod proxy
then edit proxy.conf as follows

#turning ProxyRequests on and allowing proxying from all may allow #spammers to use your proxy to send email.
    ProxyRequests Off
    ProxyVia Full

    <Proxy 127.0.0.1:80>
          #  AddDefaultCharset off
            Order deny,allow
            Deny from all
            Allow from localhost

    </Proxy>

and then in your sites enabled.

AuthName "Chef-Server access"
AuthType Basic
AuthName "Password Required"
AuthUserFile /root/password.file
Require valid-user

ProxyPass http://localhost:4000/
ProxyPassReverse http://localhost:4000/
ProxyPass http://localhost:4001/
ProxyPassReverse http://localhost:4001/

-Aric

On Mon, 16 Mar 2009 21:34:58 +1300, AJ Christensen aj@junglist.gen.nz
wrote:

Hiya!

You could for a start reverse proxy into the chef-server and restrict
particular URL’s with HTTP basic or otherwise authentication.

opscode/master currently has the functionality to restrict permissions
to specific openID’s and specific openID relaying parties @

You may wish to build 0.6.0 gems and roll that out.

Regards,

AJ

On 16/03/2009, at 9:27 PM, Michal Frackowiak wrote:

Hi,

we have a successfully experimenting with chef-server + clients
setup, but still cannot figure out the permission settings.

The problem is that when you go to you
http://chef-server.example.com:4000
within the browser and log in using OpenID (using any external
identity provider), you always get admin permissions.

We are running chef on a EC2 + external chef-server (+ monitoring
etc) hybrid network, without any VPN, and wanted to run chef-server
on a public interface.

From what I can see we could restrict access to the chef-server,
either by setting up a VPN network, or by limiting access in any
other way. But perhaps there is a better way? Is it documented?

Thanks,
Michal


Michal Frackowiak
http://michalfrackowiak.com


#4

OK, so do you think this would work as a general-purpose security
measure, for both chef-clients and admin access?

  1. Set up a proxy server with basic auth + ssl (nginx or apache),
    passing to chef-server:4000 and 4001
  2. Set up clients with
    registration_url "https://user:password@proxied-chef-server:2000"
    openid_url “https://user:password@proxied-chef-server:2001
  3. use https://proxied-chef-server:2000 for web ui access too

This way you could have secure access without setting up VPN
configuration. And, you could safely run chef between networks. Would
this work with the OpenID authentication? (Would be nice to know
before this is not going to work before we actually start
experimenting).
Are there any reasons NOT to do this?

Thanks,
Michal

On Mar 16, 2009, at 3:16 PM, Aric Gardner wrote:

I meant to put up instructions for using apache’s htaccess and
proxypass on
the opscode wiki.
As thats what I did.

Perhaps I’ll do that today, I have my notes and such.

first enable mod proxy with a2enmod proxy
then edit proxy.conf as follows

#turning ProxyRequests on and allowing proxying from all may allow #spammers to use your proxy to send email.
   ProxyRequests Off
   ProxyVia Full

   <Proxy 127.0.0.1:80>
         #  AddDefaultCharset off
           Order deny,allow
           Deny from all
           Allow from localhost

   </Proxy>

and then in your sites enabled.

AuthName "Chef-Server access"
AuthType Basic
AuthName "Password Required"
AuthUserFile /root/password.file
Require valid-user

ProxyPass http://localhost:4000/
ProxyPassReverse http://localhost:4000/
ProxyPass http://localhost:4001/
ProxyPassReverse http://localhost:4001/

-Aric

On Mon, 16 Mar 2009 21:34:58 +1300, AJ Christensen
aj@junglist.gen.nz
wrote:

Hiya!

You could for a start reverse proxy into the chef-server and restrict
particular URL’s with HTTP basic or otherwise authentication.

opscode/master currently has the functionality to restrict
permissions
to specific openID’s and specific openID relaying parties @

http://github.com/opscode/chef/blob/34bc1e8280c63931b50dbb42ebb27fdbfe1f97c1/chef-server-slice/app/controllers/openid_consumer.rb#L115

You may wish to build 0.6.0 gems and roll that out.

Regards,

AJ

On 16/03/2009, at 9:27 PM, Michal Frackowiak wrote:

Hi,

we have a successfully experimenting with chef-server + clients
setup, but still cannot figure out the permission settings.

The problem is that when you go to you
http://chef-server.example.com:4000
within the browser and log in using OpenID (using any external
identity provider), you always get admin permissions.

We are running chef on a EC2 + external chef-server (+ monitoring
etc) hybrid network, without any VPN, and wanted to run chef-server
on a public interface.

From what I can see we could restrict access to the chef-server,
either by setting up a VPN network, or by limiting access in any
other way. But perhaps there is a better way? Is it documented?

Thanks,
Michal


Michal Frackowiak
http://michalfrackowiak.com


Michal Frackowiak
http://michalfrackowiak.com


#5

On Tue, Mar 17, 2009 at 3:11 AM, Michal Frackowiak michalf@wikidot.com wrote:

OK, so do you think this would work as a general-purpose security measure,
for both chef-clients and admin access?

  1. Set up a proxy server with basic auth + ssl (nginx or apache), passing to
    chef-server:4000 and 4001
  2. Set up clients with
    registration_url "https://user:password@proxied-chef-server:2000"
    openid_url “https://user:password@proxied-chef-server:2001
  3. use https://proxied-chef-server:2000 for web ui access too

Currently, the REST client in Chef does not support HTTP Basic auth.
I’m in the middle of refactoring Chef to use a rest-client, which will
enable this behavior. It’ll be in the next Chef release.

Adam


Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com


#6

On Tue, Mar 17, 2009 at 3:11 AM, Michal Frackowiak michalf@wikidot.com wrote:

  1. Set up a proxy server with basic auth + ssl (nginx or apache), passing to
    chef-server:4000 and 4001
  2. Set up clients with
    registration_url "https://user:password@proxied-chef-server:2000"
    openid_url “https://user:password@proxied-chef-server:2001
  3. use https://proxied-chef-server:2000 for web ui access too

The current HEAD does support SSL client certificates, though - so you
should be able to set that up as an alternative mechanism.

Adam


Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com