Chef push jobs user is not authorized

What permissions are required for a client to run a command through chef push jobs?

Using hosted chef enterprise 12.

knife job start 'chef-client' node01
ERROR: You authenticated successfully to https://chef.example.com/organizations/dev as rundeck-push-jobs but you are not authorized for this action
Response:  User or client 'rundeck-push-jobs' does not have access to that action on this server.

I’ve tried using knife-acl to create a group and grant the nodes ACL:

knife client create rundeck-push-jobs
knife group create push-job-clients
knife group add client rundeck-push-jobs push-job-clients

knife acl add group push-job-clients containers nodes read,update
knife acl bulk add group push-job-clients nodes '.*' create,read,update --yes

I am able to run push jobs from my workstation, which makes sense because I’m an admin. I want to have a CI user (jenkins/gitlab-ci/rundeck) that can also trigger jobs, without giving full administrative rights.

What ACLs would push jobs require?

Looks like the documentation for chef push jobs server hasn’t been completed yet.

Some special services (reporting and pushy) use other special groups as a form of access control. (TODO document more)

On a hosted enterprise server there are the following groups:

  • admins
  • billing-admins
  • clients
  • users

Some of these groups are restricted to “users”, and don’t allow “clients” to be members.

Anyone know what these “special groups” are?

Additionally, the tests for the push api have a header "org_member" => true that leads me to believe that push jobs doesn’t work with clients, only users.

Looking into this more.

It seems that there is some other undocumented permission that is needed to let a “user” run push jobs.

Creating a new user and adding them to the admin group is surprisingly not sufficient.

chef-server-ctl user-create rundeck rundeck rundeck rundeck@example.com 'correct-horse-battery-staple'
chef-server-ctl org-user-add dev rundeck --admin

The ‘rundeck’ user is able to query nodes and run other knife commands, including push jobs commands:

knife node list -k /tmp/rundeck.pem --user rundeck --server-url https://chef.example.com/organizations/dev
node01
node02

knife job list
command:     chef-client
created_at:  Thu, 05 May 2016 20:58:21 GMT
id:          2bbe1054fd6ba1f4108ca06983d0e2bf
run_timeout: 3600
status:      complete
updated_at:  Thu, 05 May 2016 20:59:23 GMT

Yet that user can’t start a push job:

knife job start 'chef-client' -s "role:web-default" -k /tmp/rundeck.pem --user rundeck --server-url https://chef.example.com/organizations/dev -V
WARNING: No knife configuration file found
WARN: Chef::REST is deprecated. Please use Chef::ServerAPI, or investigate Ridley or ChefAPI. at /var/lib/gems/2.2.0/gems/knife-push-0.5.2/lib/chef/knife/job_start.rb:84:in `new'
INFO: HTTP Request Returned 401 Unauthorized: error
ERROR: Failed to authenticate to https://chef-example.com/organizations/dev as rundeck with key /tmp/rundeck.pem
Response:  Invalid signature for user or client 'rundeck'

What is missing? What magic ACL is needed to run push jobs?

Found the answer. According to the documentation: https://docs.chef.io/install_push_jobs.html

It is possible to initiate jobs from the chef-client, such as from within a recipe based on an action to be determined as the recipe runs. For a chef-client to be able to create, initiate, or read jobs, the chef-client on which Chef push jobs is configured must belong to one (or both) of the following groups:

Group              Description
pushy_job_readers  Use to view the status of jobs.
pushy_job_writers  Use to create and initiate jobs.

These groups do not exist by default, even after Chef push jobs has been installed to the Chef server. If these groups are not created, only members of the admin security group will be able to create, initiate, and view jobs.

I had to create a new client and group and add the client to the group using knife-acl:

knife client create rundeck-push-jobs
knife group create pushy_job_readers
knife group create pushy_job_writers
knife group add client rundeck-push-jobs pushy_job_readers
knife group add client rundeck-push-jobs pushy_job_writers

Note: As soon as I created the groups, my user that was working was no longer able to query the jobs. I had to add my user to the same groups.

# spuder is a user, not a client, so the member type for knife-acl is 'user'
knife group add user spuder pushy_job_readers
knife group add user spuder pushy_job_writers
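Because anyone in pushy_job_writers can run a command on every node a job targets, it is worth auditing who ends up in these two groups, including members inherited through nested groups such as admins. The following script is an added example, not code from the thread or from Chef; it works on constructed sample membership data in the shape that `knife group show GROUP -F json` is assumed to return (users, clients and groups keys), expands nested groups, and flags principals that can start jobs but cannot list them, the "one (or both)" case the documentation quoted above describes.

```python
# Constructed sample data (not from the page): membership of each group as
# `knife group show GROUP -F json` is assumed to report it. The Chef server
# groups API returns "users", "clients" and "groups" keys; the nested
# "groups" entries are what a naive audit misses.
SAMPLE_GROUPS = {
    "admins":            {"users": ["spuder"], "clients": [], "groups": []},
    "push-job-clients":  {"users": [], "clients": ["rundeck-push-jobs", "gitlab-ci"], "groups": []},
    "monitoring":        {"users": [], "clients": ["nagios"], "groups": []},
    "pushy_job_readers": {"users": ["spuder"], "clients": ["rundeck-push-jobs"], "groups": ["monitoring"]},
    "pushy_job_writers": {"users": [], "clients": [], "groups": ["push-job-clients", "admins"]},
}

# The two groups push jobs consults, and the right each one grants.
PUSH_GROUPS = {"pushy_job_readers": "read", "pushy_job_writers": "write"}


def expand_group(groups, name, _seen=None):
    """Return the effective members of group `name` as 'user:NAME' / 'client:NAME'
    strings, following nested groups and tolerating cycles or unknown groups."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in groups:
        return set()
    _seen.add(name)
    g = groups[name]
    members = {f"user:{u}" for u in g.get("users", [])}
    members |= {f"client:{c}" for c in g.get("clients", [])}
    for sub in g.get("groups", []):
        members |= expand_group(groups, sub, _seen)
    return members


def push_job_rights(groups):
    """Map every principal to the set of push-jobs rights it holds via group membership."""
    rights = {}
    for group, right in PUSH_GROUPS.items():
        for principal in expand_group(groups, group):
            rights.setdefault(principal, set()).add(right)
    return rights


def write_only(rights):
    """Principals that can start jobs but not view them: members of
    pushy_job_writers that are not (directly or indirectly) in pushy_job_readers."""
    return {p for p, r in rights.items() if "write" in r and "read" not in r}


def report(groups):
    """Human-readable audit listing, one principal per line, warnings last."""
    rights = push_job_rights(groups)
    lines = [f"{p:<30} {','.join(sorted(rights[p]))}" for p in sorted(rights)]
    for p in sorted(write_only(rights)):
        lines.append(f"WARNING: {p} is in pushy_job_writers but not pushy_job_readers")
    return "\n".join(lines)


if __name__ == "__main__":
    # To audit a real org, replace SAMPLE_GROUPS with the parsed JSON of
    # `knife group show GROUP -F json` for each group (assumed command form).
    print(report(SAMPLE_GROUPS))
```

Run against a real organization, the interesting output is usually the principals that appear only through a nested group; a client that reaches pushy_job_writers via a catch-all group was never deliberately granted job execution.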