What permissions are required for a client to run a command through chef push jobs?
Using hosted chef enterprise 12.
knife job start 'chef-client' node01
ERROR: You authenticated successfully to https://chef.example.com/organizations/dev as rundeck-push-jobs but you are not authorized for this action
Response: User or client 'rundeck-push-jobs' does not have access to that action on this server.
I’ve tried using knife-acl to create a group and grant it the nodes ACL:
knife client create rundeck-push-jobs
knife group create push-job-clients
knife group add client rundeck-push-jobs push-job-clients
knife acl add group push-job-clients containers nodes read,update
knife acl bulk add group push-job-clients nodes '.*' create,read,update --yes
I am able to run push jobs from my workstation, which makes sense because I’m an admin. I want to have a CI user (jenkins/gitlab-ci/rundeck) that can also trigger jobs, without giving it full administrative rights.
Looks like the documentation for chef push jobs server hasn't been completed yet.
Some special services (reporting and pushy) use other special groups as a form of access control. (TODO document more)
On a hosted enterprise server there are the following groups:
admins
billing-admins
clients
users
Some of these groups are restricted to "users", and don't allow "clients" to be members.
Anyone know what these "special groups" are?
Additionally, the tests for the push api have a header "org_member" => true that leads me to believe that push jobs doesn't work with clients, only users.
The ‘rundeck’ user is able to query nodes and run other knife commands, including push jobs commands:
knife node list -k /tmp/rundeck.pem --user rundeck --server-url https://chef.example.com/organizations/dev
node01
node02
knife job list
command: chef-client
created_at: Thu, 05 May 2016 20:58:21 GMT
id: 2bbe1054fd6ba1f4108ca06983d0e2bf
run_timeout: 3600
status: complete
updated_at: Thu, 05 May 2016 20:59:23 GMT
Yet that user can’t start a push job:
knife job start 'chef-client' -s "role:web-default" -k /tmp/rundeck.pem --user rundeck --server-url https://chef.example.com/organizations/dev -V
WARNING: No knife configuration file found
WARN: Chef::REST is deprecated. Please use Chef::ServerAPI, or investigate Ridley or ChefAPI. at /var/lib/gems/2.2.0/gems/knife-push-0.5.2/lib/chef/knife/job_start.rb:84:in `new'
INFO: HTTP Request Returned 401 Unauthorized: error
ERROR: Failed to authenticate to https://chef-example.com/organizations/dev as rundeck with key /tmp/rundeck.pem
Response: Invalid signature for user or client 'rundeck'
What is missing? What magic ACL is needed to run push jobs?
It is possible to initiate jobs from the chef-client, such as from within a recipe based on an action to be determined as the recipe runs. For a chef-client to be able to create, initiate, or read jobs, the chef-client on which Chef push jobs is configured must belong to one (or both) of the following groups:
Group             | Description
pushy_job_readers | Use to view the status of jobs.
pushy_job_writers | Use to create and initiate jobs.
These groups do not exist by default, even after Chef push jobs has been installed to the Chef server. If these groups are not created, only members of the admin security group will be able to create, initiate, and view jobs.
I had to create a new client and group and add the client to the group using knife-acl:
knife client create rundeck-push-jobs
knife group create pushy_job_readers
knife group create pushy_job_writers
knife group add client rundeck-push-jobs pushy_job_readers
knife group add client rundeck-push-jobs pushy_job_writers
Note: As soon as I created the groups, my user, which had been working, was no longer able to query the jobs. I had to add my user to the same groups:
knife group add client spuder pushy_job_readers
knife group add client spuder pushy_job_writers
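The answer above shows the group setup as a one-off sequence of knife commands. The script below is an added example (not from the original question or answer, and not part of knife-acl or Chef push jobs) that wraps the same steps into an idempotent POSIX shell setup: it creates `pushy_job_readers` and `pushy_job_writers` only if they do not already exist, adds the CI client to both, and, to avoid the lock-out described in the note, adds the named admin user to both groups at the same time. It assumes knife with the knife-acl plugin is configured for an org admin; the `KNIFE` variable, the function names and the client/user names are assumptions chosen for illustration, and the `knife group show` probe is used only as an existence check.

```shell
#!/bin/sh
# Added example: idempotent setup of the Chef push jobs access groups.
# Assumes knife + knife-acl configured for an org admin (hypothetical setup).
# KNIFE can be overridden (e.g. to point at a wrapper) for testing.
KNIFE="${KNIFE:-knife}"

# Create a group only if "knife group show" cannot find it (idempotent).
ensure_group() {
  group="$1"
  if "$KNIFE" group show "$group" >/dev/null 2>&1; then
    echo "group $group already exists"
  else
    "$KNIFE" group create "$group"
  fi
}

# Add one actor to a group. member_type is "client" or "user": a CI principal
# created with "knife client create" is a client, an operator is a user.
add_member() {
  member_type="$1"; member="$2"; group="$3"
  "$KNIFE" group add "$member_type" "$member" "$group"
}

# Grant push jobs access to a CI client while keeping an admin user in the
# same groups, since once the groups exist only their members see/start jobs.
setup_push_jobs_access() {
  ci_client="$1"; admin_user="$2"
  for g in pushy_job_readers pushy_job_writers; do
    ensure_group "$g"
    add_member client "$ci_client" "$g"
    add_member user "$admin_user" "$g"
  done
}

# Usage: sh setup-push-jobs.sh <ci-client-name> <admin-user-name>
if [ $# -ge 2 ]; then
  setup_push_jobs_access "$1" "$2"
fi
```

Run it as `sh setup-push-jobs.sh rundeck-push-jobs spuder` (names from the answer; substitute your own). The client only needs readers membership if it should merely poll job status; writers membership is what lets it run `knife job start`.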