Authorization Management w/out Chef Manage


#1

I heard through the grapevine that Chef Manage will be going away in the future. There are some obvious reasons why some of the functionality in Chef Manage should go away. However, my question pertains specifically to the authorization management activities that are exposed in the GUI there.

In other words if I wanted to leverage another utility to manage authorization management functions exposed via Chef Manage, such as ‘Groups’ and ‘Global Permissions’, how would I go about doing this today without Chef Manage? I’ve looked at several knife commands and cannot find any equivalent functionality. I see basic user and organization commands, but nothing that goes into this level of depth.


#2

You can use the knife-acl commands to manipulate ACLs, though be careful since it does contain more footguns (I intentionally hid a bunch of options in Manage to try and prevent bricking your server).


#3

Thanks. So is this knife-acl plugin a strategic replacement for the equivalent functionality in Chef Manage or is there going to be something introduced that is more natively integrated into the product once Chef Manage is deprecated?


#4

The functionality itself is part of chef-server; Manage just acts like any old client, but it’s limited in what it can do very purposefully. There is work to align some of these things, but manipulating the RBAC is in the “advanced” user territory, hence why we provide knife-acl but also have warnings around its use, as you can easily brick a chef-server.

Nothing else will replace it as such so for now, knife-acl is the answer.


#5

Thanks for this.

I understand that the underlying functionality we are discussing is controlled by Chef Server ultimately; I was referring to the client access points for managing this data. It seems today that Chef Manage is the only tool available to do this that ships as part of the Chef toolset (licensing required, notwithstanding). Thus, I was looking more for what tools can/will replace this functionality once Chef Manage ultimately does go away. Based on your reply, it seems that knife-acl is that strategic replacement, for the RBAC management component at least - this is good to know.

As for the ‘bricking the server’ issue: are there controls that can be baked into the tool to prevent someone from doing this? Perhaps controls that require someone to type ‘yes’ at a minimum, or a ‘whatif’ scenario that will report the end results but without actually making the changes. Also, are these ‘bricking’ concerns also valid with Chef Manage today, or are they specific to knife-acl?


#6

The bricking concerns are mostly related to knife-acl; at least I’ve never seen Manage brick a server, since, as discussed above, we tried to take away fatal footguns in that use case. With knife-acl it’s “what you see is what you get” in both good and bad ways - you ultimately have the power to craft complex RBAC controls at very granular levels, but by the same token can easily do something unintended. knife-acl is freely available; however, we have not (yet) put it in the ChefDK because it’s not going to be needed in general use by the bulk of users, and so we’ve felt it safest to be something users install manually.

As with many power tools, there isn’t a great way for the tool to determine intent - it rather critically relies on the user understanding what they are doing. The readme includes several resources to better understand the permissions: https://github.com/chef/knife-acl#description

There is other work happening/planned across products with regard to AuthN and AuthZ but I am not sure how/where this intersects with the chef-server permissions just yet.
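The "what-if" control asked about above can be built outside the tool: preview an ACL edit against a copy of the object's ACL and refuse it when it would lock everyone out of the `grant` permission. The example below is added here and is not knife-acl's or Chef's own code; it assumes the ACL shape the Chef Server API returns (one ACE per permission, each with `actors` and `groups` lists) and uses a constructed sample ACL.

```python
import copy

PERMISSIONS = ("create", "read", "update", "delete", "grant")

# Constructed sample ACL for one object, in the shape the Chef Server API returns.
SAMPLE_ACL = {
    "create": {"actors": ["pivotal"], "groups": ["admins", "users"]},
    "read":   {"actors": ["pivotal"], "groups": ["admins", "users", "clients"]},
    "update": {"actors": ["pivotal"], "groups": ["admins", "users"]},
    "delete": {"actors": ["pivotal"], "groups": ["admins", "users"]},
    "grant":  {"actors": ["pivotal"], "groups": ["admins"]},
}


def apply_change(acl, perm, member_type, name, remove=False):
    """Return a new ACL with `name` added to (or removed from) acl[perm][member_type].
    The input ACL is never mutated, so the caller can diff old against new."""
    if perm not in PERMISSIONS or member_type not in ("actors", "groups"):
        raise ValueError("bad permission or member type")
    new = copy.deepcopy(acl)
    members = new[perm][member_type]
    if remove:
        if name in members:
            members.remove(name)
    elif name not in members:
        members.append(name)
    return new


def lockout_risk(acl):
    """List the reasons an ACL could no longer be repaired after it is applied:
    the `grant` ACE controls who may edit the ACL itself, so emptying it, or
    dropping the admins group from it, is the lock-out the thread calls bricking."""
    grant = acl["grant"]
    reasons = []
    if not grant["actors"] and not grant["groups"]:
        reasons.append("grant ACE is empty: nobody can modify this ACL again")
    if "admins" not in grant["groups"]:
        reasons.append("admins group lost grant: admins cannot repair this ACL")
    return reasons


def what_if(acl, perm, member_type, name, remove=False):
    """Dry run: compute the proposed ACL, its risks and the per-permission diff
    without applying anything. Callers only proceed when `risks` is empty."""
    proposed = apply_change(acl, perm, member_type, name, remove)
    diff = {p: (acl[p], proposed[p]) for p in PERMISSIONS if acl[p] != proposed[p]}
    return proposed, lockout_risk(proposed), diff
```

A wrapper script would fetch the real ACL first, run `what_if`, print the diff for confirmation, and only then issue the actual change.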


#7

Thanks.

…we have not (yet) put it in the ChefDK because it’s not going to be needed in general use by the bulk of users and so we’ve felt it safest to be something users installed manually.

I assume that this statement will change once Chef Manage is closer to deprecation, unless another means to manage these authorization settings is provided at that time.

Obviously the ability to sufficiently manage who has access to our Chef Server infrastructure is going to be very important to our organization and I imagine everyone else who deploys Chef, so I for one will certainly continue to keep an eye on this space.

Thanks again for this information.