Chef 12 user and org creation automation


#1

I have the need to automate the user and organization creation on Chef 12
because of the way we isolate products during development. Each developer
gets their own org for the stack they are working on in a CD style
pipeline. I switched to Chef 12 so I did not have to create a new Chef 11
server for each stack.

I want the build server to connect to the Chef API and create the orgs and
users, but I found out that only the pivotal user has access to do this.
Is there a command or way to add my automation user to the Chef server so
it has access to create users and organizations? I know I can just use the
pivotal key to sign the requests, but I was not sure if that is the best way to
accomplish what I want. Ideally, I would like a role or set of permissions
that only allows user and organization creation, and user association to
organizations.

Anyone like to share how hosted Chef does this when a new user signs up?

Greg Willis


#2

Hi Greg.

I think your best bet for now is to use the pivotal user. That’s what the
manage interface does under the covers.

Creating a user can be done by any authenticated user with CREATE on the
users container, but in practice it’s probably easiest to just POST to
/users as pivotal.

Orgs pretty much need pivotal; pivotal is the only thing given permissions
by default when an org is created, and so there’s not a simple workaround
to extend that. Specifically you will need pivotal user’s privilege level
to add the user to the org, and then again to add the user as an admin to
their newly created org.

The basic workflow to create an org would look like:

1. POST to /organizations to create org.
   You will need to capture the validator key returned here, or regenerate
   the validator later.
2. POST to /organizations/:orgname/users/:username to associate user (repeat
   if necessary for multiple users).
3. PUT to /organizations/:orgname/groups/admins to set users in admins group
   if desired.

Mark Anderson - Community Engineering

mark@chef.io brian@opscode.com
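
Since the server offers no narrower role than pivotal for this workflow, the restriction Greg asks for can be enforced in front of the key instead. The following is an added example, not part of the thread and not a Chef feature: a gate for a hypothetical signing broker that lets through only the calls named in the workflow above. `authorize`, `org_workflow`, the name pattern and the protected-org list are assumptions made for the illustration.

```ruby
# Added example: allowlist gate for a hypothetical broker that holds the pivotal key.
# Only the calls from the workflow in this thread are let through.

# Conservative name pattern (an assumption, possibly tighter than the server's own rules).
NAME = /[a-z0-9][a-z0-9_-]{0,62}/

# Method + path shapes taken from the thread.
ALLOWED = [
  ["POST", %r{\A/users\z},                                   :create_user],
  ["POST", %r{\A/organizations\z},                           :create_org],
  ["POST", %r{\A/organizations/(#{NAME})/users/(#{NAME})\z}, :associate_user],
  ["PUT",  %r{\A/organizations/(#{NAME})/groups/admins\z},   :set_admins],
].freeze

# Orgs the pipeline must never touch (constructed sample values).
PROTECTED_ORGS = %w[production shared].freeze

Decision = Struct.new(:allowed, :action, :reason)

# Decide whether the broker may sign this request with the pivotal key.
def authorize(method, path)
  # Reject anything that could be re-interpreted after normalisation.
  if path.include?("..") || path.include?("//") || path.match?(/[%?#\s]/)
    return Decision.new(false, nil, "non-canonical path")
  end
  ALLOWED.each do |verb, pattern, action|
    next unless verb == method.to_s.upcase
    m = pattern.match(path) or next
    org = m[1] # nil for the two patterns without an org segment
    if org && PROTECTED_ORGS.include?(org)
      return Decision.new(false, action, "protected org #{org}")
    end
    return Decision.new(true, action, "ok")
  end
  Decision.new(false, nil, "not in allowlist")
end

# The org-creation workflow from the thread as the ordered calls the broker will see.
def org_workflow(org, users)
  [["POST", "/organizations"]] +
    users.map { |u| ["POST", "/organizations/#{org}/users/#{u}"] } +
    [["PUT", "/organizations/#{org}/groups/admins"]]
end

if __FILE__ == $PROGRAM_NAME
  org_workflow("dev-alice", ["alice"]).each do |verb, path|
    d = authorize(verb, path)
    puts format("%-4s %-45s %s", verb, path, d.allowed ? d.action : "DENY: #{d.reason}")
  end
end
```

With a gate like this, the build server holds only its own credential for the broker, and the pivotal key stays on one host where every signed call can be logged.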


#3

Hi,

As a quick follow up to Mark’s reply, if you’d like some example code
for creating users with the pivotal key, you can take a look at:

https://github.com/chef/knife-opc

It uses an older method of associating users, but the basic flow is the same.

Cheers,

Steven
