Admin permissions on chef-server:4000

Hi,

we have been successfully experimenting with a chef-server + clients setup,
but still cannot figure out the permission settings.

The problem is that when you go to http://chef-server.example.com:4000
within the browser and log in using OpenID (using any external
identity provider), you always get admin permissions.

We are running chef on an EC2 + external chef-server (+ monitoring etc)
hybrid network, without any VPN, and wanted to run chef-server on a
public interface.

From what I can see we could restrict access to the chef-server,
either by setting up a VPN network, or by limiting access in any other
way. But perhaps there is a better way? Is it documented?

Thanks,
Michal


Michal Frackowiak
http://michalfrackowiak.com

Hiya!

You could for a start reverse proxy into the chef-server and restrict
particular URLs with HTTP basic or other authentication.

opscode/master currently has the functionality to restrict permissions
to specific OpenIDs and specific OpenID relying parties, see
chef-server-slice/app/controllers/openid_consumer.rb at commit
34bc1e8280c63931b50dbb42ebb27fdbfe1f97c1 in chef/chef on GitHub.

You may wish to build 0.6.0 gems and roll that out.

Regards,

AJ

I meant to put up instructions for using apache's htaccess and proxypass on
the opscode wiki, as that's what I did.

Perhaps I'll do that today, I have my notes and such.

First enable mod_proxy with a2enmod proxy,
then edit proxy.conf as follows:

# Turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send email.
ProxyRequests Off
ProxyVia Full

<Proxy 127.0.0.1:80>
    # AddDefaultCharset off
    Order deny,allow
    Deny from all
    Allow from localhost
</Proxy>

And then in your sites-enabled vhost:

<Location />
    AuthType Basic
    AuthName "Chef-Server access"
    # the password file must be readable by the Apache user, not only by root
    AuthUserFile /root/password.file
    Require valid-user

    # ProxyPass needs an explicit path unless it sits inside a <Location>
    ProxyPass http://localhost:4000/
    ProxyPassReverse http://localhost:4000/
</Location>

# One path can only be proxied to one backend, so the API listener on
# 4001 needs its own VirtualHost (or a separate <Location>):
#     ProxyPass / http://localhost:4001/
#     ProxyPassReverse / http://localhost:4001/

-Aric

OK, so do you think this would work as a general-purpose security
measure, for both chef-clients and admin access?

  1. Set up a proxy server with basic auth + SSL (nginx or apache),
     passing to chef-server:4000 and 4001
  2. Set up clients with
     registration_url "https://user:password@proxied-chef-server:2000"
     openid_url "https://user:password@proxied-chef-server:2001"
     ...
  3. Use https://proxied-chef-server:2000 for web UI access too

This way you could have secure access without setting up a VPN
configuration. And you could safely run chef between networks. Would
this work with the OpenID authentication? (It would be nice to know
whether this is not going to work before we actually start
experimenting.)
Are there any reasons NOT to do this?

Thanks,
Michal


Michal Frackowiak
http://michalfrackowiak.com

On Tue, Mar 17, 2009 at 3:11 AM, Michal Frackowiak michalf@wikidot.com wrote:

OK, so do you think this would work as a general-purpose security measure,
for both chef-clients and admin access?

  1. Set up a proxy server with basic auth + ssl (nginx or apache), passing to
    chef-server:4000 and 4001
  2. Set up clients with
    registration_url "https://user:password@proxied-chef-server:2000"
    openid_url "https://user:password@proxied-chef-server:2001"
    ...
  3. use https://proxied-chef-server:2000 for web ui access too

Currently, the REST client in Chef does not support HTTP Basic auth.
I'm in the middle of refactoring Chef to use a rest-client, which will
enable this behavior. It'll be in the next Chef release.

Adam

--
Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com

The current HEAD does support SSL client certificates, though - so you
should be able to set that up as an alternative mechanism.

Adam

--
Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com
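Putting Michal's three-step plan together with Aric's Apache fragment and Adam's two replies, here is an added example that is not from any poster in the thread and not part of Chef. It is a shell script that renders two TLS-terminating Apache VirtualHosts on the public ports Michal proposed (2000 for the web UI, 2001 for the API), each reverse-proxying to the matching chef-server listener on 127.0.0.1. The web UI vhost uses HTTP basic auth as Aric does; because Adam says the Chef REST client cannot send basic auth but HEAD supports SSL client certificates, the API vhost requires a client certificate instead. It also includes a check that the backend ports 4000/4001 are not themselves bound on a public address, since the proxy gains nothing otherwise. Assumptions: a Debian-style Apache 2.2 layout (a2enmod/a2ensite, sites-available, the Order/Allow syntax used in the thread; on 2.4 the `<Proxy *>` block becomes `Require all granted`), and the hostname, certificate, CA and password-file paths are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread or from Chef): front chef-server
# (web UI on 4000, API on 4001) with Apache on public ports 2000/2001.
# Assumes Debian-style Apache 2.2; all paths and the hostname are placeholders.
set -eu

CHEF_HOST=chef-server.example.com
CERT_FILE=/etc/ssl/certs/${CHEF_HOST}.pem
KEY_FILE=/etc/ssl/private/${CHEF_HOST}.key
CLIENT_CA_FILE=/etc/ssl/certs/chef-client-ca.pem  # CA that issues chef-client certs
HTPASSWD_FILE=/etc/apache2/chef.htpasswd          # readable by www-data, unlike /root

# render_vhost PUBLIC_PORT BACKEND_PORT basic|cert
# Prints a VirtualHost that terminates TLS on PUBLIC_PORT, authenticates
# browser users (basic) or chef-clients (cert), and reverse-proxies
# everything to chef-server on 127.0.0.1:BACKEND_PORT.
render_vhost() {
    public_port=$1; backend_port=$2; mode=$3
    case "$mode" in
        basic|cert) ;;
        *) echo "render_vhost: mode must be basic or cert" >&2; return 1 ;;
    esac
    cat <<EOF
Listen ${public_port}
<VirtualHost *:${public_port}>
    ServerName ${CHEF_HOST}
    SSLEngine on
    SSLCertificateFile    ${CERT_FILE}
    SSLCertificateKeyFile ${KEY_FILE}
EOF
    if [ "$mode" = cert ]; then
        cat <<EOF
    # chef-client cannot send basic auth, so the TLS handshake is the
    # authentication: only certificates issued by our CA get through.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile ${CLIENT_CA_FILE}
EOF
    fi
    cat <<EOF
    # Reverse proxy only, never a forward (open) proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # On 2.2 <Proxy *> also gates reverse-proxied requests, and Debian's
    # proxy.conf denies all there, so re-allow them for this vhost.
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
EOF
    if [ "$mode" = basic ]; then
        cat <<EOF
    <Location />
        AuthType Basic
        AuthName "Chef-Server access"
        AuthUserFile ${HTPASSWD_FILE}
        Require valid-user
    </Location>
EOF
    fi
    cat <<EOF
    ProxyPass        / http://127.0.0.1:${backend_port}/
    ProxyPassReverse / http://127.0.0.1:${backend_port}/
</VirtualHost>
EOF
}

# Reads `ss -ltn` or `netstat -ltn` output on stdin. Prints every
# chef-server listener (4000/4001) bound to a non-loopback address and
# returns 1 if there were any: such a port bypasses the proxy entirely.
find_exposed_chef_ports() {
    awk '
        $1 == "LISTEN" || $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == "4000" || port == "4001") &&
                addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") {
                print $4; exposed = 1
            }
        }
        END { exit exposed ? 1 : 0 }'
}

# Only touch the system when asked; otherwise just define the functions.
if [ "${1:-}" = install ]; then
    a2enmod ssl proxy proxy_http
    [ -f "$HTPASSWD_FILE" ] || htpasswd -c "$HTPASSWD_FILE" chefadmin  # prompts for a password
    render_vhost 2000 4000 basic > /etc/apache2/sites-available/chef-webui
    render_vhost 2001 4001 cert  > /etc/apache2/sites-available/chef-api
    a2ensite chef-webui chef-api
    apache2ctl configtest && apache2ctl graceful
    ss -ltn | find_exposed_chef_ports ||
        echo "WARNING: chef-server listens off-box; bind 4000/4001 to 127.0.0.1 or firewall them" >&2
fi
```

Run it as `sh chef-proxy.sh install` on the proxy host; without the argument it only defines `render_vhost` and `find_exposed_chef_ports`, so it can be sourced and inspected first. Whether Chef's OpenID flow builds correct return URLs when it sits behind a TLS-terminating proxy on a different port (Michal's open question) is not answered anywhere in the thread and has to be tested against the deployed web UI.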