Today we released Chef Server 12.0.3. The biggest component of this release
is an early implementation of multikey authentication and chef-server-ctl
commands you can use to build your own key rotation! We will be expanding
this feature to have full-fledged API support in the near future, but you
can get cracking with this now if you want.
The latest packages can be downloaded from
https://downloads.chef.io/chef-server.
Keys To The Kingdom
This release supports storing and managing multiple keys for users and
clients. You can authenticate as a user or client with any valid key for
said agent. For a given request, the server will simply check the request
against all valid keys for the user or client. This allows the server to
know if a request is coming from a user or client by the same name, since a
key that authenticates correctly indicates the appropriate user or client,
slaying the long-standing user-client ambiguity bug.
The result is that you can now set up working key rotation: add a second
key for a user or clients, deploy it in place of the old one wherever the
keys lives, and then delete the old key. All of your keys will have a name
to help you distinguish between them.
Additionally, you can now set expiration dates for your keys. This is
optional. If a key has passed its expiration date, then it will simply be
excluded by the server when populating the list of valid keys for a user or
client. If a key doesn’t have an expiration date, then it will be valid to
authenticate against until it is removed.
We are currently working on full API support for all of this, but for now,
you can list, add, and delete keys for users and clients via
chef-server-ctl
. See the docs here for additional instructions:
http://docs.chef.io/server/release_notes.html#key-rotation.
Cool Story, But Will This Break Me?
API Backwards Compatible
This is fully backwards compatible with the current API. If you only want
to use one key, you can continue to update your user and client keys via
POSTs and PUTs to the API in the same way you currently do. GETs on users
and clients will still return a single key as long as you use the existing
user and client API endpoints.
How this now works under the hood is the key with the key_name default will
be what gets set and returned via the clients and users APIs. POSTs and
PUTs to those API endpoints will simply update the default key for that
user or client, so sticking to the existing users and clients API endpoints
will give you the functionality you are used to.
For now, it is recommended that you do not delete the default key if you
use Chef Server addons (see below).
Addon Compatibility
If you delete the default key or add additional keys, Chef Reporting and
Chef Push will have issues. Chef Reporting and Chef Push do not yet have
support for authenticating against the non-default key. Multikey support
for Reporting and Push is in the works with the extended API.
Also In This Release
Improvements
-
James FitzGibbon (https://github.com/jf647) added support to use
X-Forwarded-For
header instead of remote address in nginx logs when
nginx['log_x_forwarded_for']
is set to true. -
James Le Cuirot (https://github.com/chewi) added initial systemd support.
-
We fixed an issue with a ffi-yajl warning being constantly displayed on
everychef-server-ctl
command that was executed. -
Ensure nginx restarts on frontends in HA installs after lua-related
changes.
Bug Fixes
-
Log an error and exit when DRBD mount attempts are exhausted rather than
entering an infinite loop. -
Search results for arrays previously would match values from all
precedence levels. -
Nginx logs rotated as opscode user.
-
Fix installation errors caused by PERL5LIB environment variable.
-
Correctly restart nginx on lua-related configuration changes.
-
chef-server-ctl
now returns non-zero exit codes for errors during user
and organization-related commands. -
Use
-D
for--download-only
option inchef12-upgrade-download
command, avoiding option name conflict. -
User-Client request ambiguity removed.
Commitment To Getting You Value Faster
While this feature does not yet have full API support, you can manage
multiple keys and get working key rotation with this release. Instead of
making you wait for all the bells and whistles, we are giving you the
minimum viable feature that you can use to get started with, which is
something we are committed to improving on. Enjoy and happy rotating!