Controlling the Chef 12 Pivotal user

Taking this off twitter (
https://twitter.com/luckymike/status/572856407692746754) and to the list.

It’s unclear to me how one can manage the pivotal admin user. There’s no
user editing via chef-server-ctl or knife, and the user creation seems to
occur deep within the chef-server-core installer. What is the approach for
controlling that user creation and/or updating the user?

My goal is to be able to handle all this by wrapping the
chef-server-ingredient cookbook.

Thanks in advance!


Michael F. Weinberg | Director of Operations
http://heavywaterops.com | @heavywaterops

Hi Michael,

The pivotal user can be updated using:

EDITOR=favorite_editor chef-server-ctl user-edit pivotal

For instance, I used this command to change pioval's email address to
use an example.com domain. I can see my change took effect by viewing
the user:

sudo chef-server-ctl user-show pivotal
display_name: Clark Kent
email: kryptonite@example.com
first_name: Clark
[...SNIP...]

To re-iterate some points that were made in the twitter thread:

For user creation, deletion, and editing, chef-server-ctl is
currently the go-to tool. It should work from your chef-server
directly and the documentation can be found here:

It supports basic CRUD operations for both organizations and users.
The knife-opc and knife-acl plugins can be used for in-organization
operations such as inviting existing users to an org, manipulating
groups, or manipulating ACLs. However, since users are global objects,
creating them requires permissions that only the pivotal has in most
installation.

Cheers,

Steven

On Tue, Mar 3, 2015 at 11:35 PM, Michael Weinberg michael@hw-ops.com wrote:

Taking this off twitter
(https://twitter.com/luckymike/status/572856407692746754) and to the list.

It's unclear to me how one can manage the pivotal admin user. There's no
user editing via chef-server-ctl or knife, and the user creation seems to
occur deep within the chef-server-core installer. What is the approach for
controlling that user creation and/or updating the user?

My goal is to be able to handle all this by wrapping the
chef-server-ingredient cookbook.

Thanks in advance!

--
Michael F. Weinberg | Director of Operations
http://heavywaterops.com | @heavywaterops

On Mar 3, 2015, at 3:35 PM, Michael Weinberg michael@hw-ops.com wrote:

Taking this off twitter (https://twitter.com/luckymike/status/572856407692746754) and to the list.

It's unclear to me how one can manage the pivotal admin user. There's no user editing via chef-server-ctl or knife, and the user creation seems to occur deep within the chef-server-core installer. What is the approach for controlling that user creation and/or updating the user?

So the problem is that this user is kind of magic. It is used in a lot of places as a non-member superuser for internal administration tasks like adding new users or creating new orgs. You can edit some of the data, like give it a new display name (though nothing uses that so not terribly interesting) but changing its permissions would likely brick your Chef Server. You should never need to actually touch the pivotal user, and it should be as invisible as possible (the Web UI automatically hides) because it is effectively an implementation detail of Chef Server.

--Noah

You should go to great lengths to protect your pivotal.pem so that only administrators of chef-servers know about it. One approach would be to pre-create the pivotal.pem in advance and setup chef-server to use your specified pivotal.pem. This is assuming only administrators users can access your chef server vms. When you have multiple production chef servers it makes life easier for administrator if they all use the same pivotal.pem.

The problem of user management becomes very complicated when you're dealing with multiple chef servers in your infrastructure. Initially I was hoping chef replication would be able to sync RBAC information (users/groups/orgs) across servers but unfortunately it only focusses on policy information (cookbooks, roles, data bags, environments). Leaning towards having custom automation around dynamically figuring out originations/users that need to be created, which users should be members of an org, and what group within org should they be part of (group permissions). Although I guess LDAP integration might already solve this problem. Has anyone played around with LDAP yet? Do orgs/users get created automatically when you integrate with an LDAP server?

  • Phil

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: Thursday, March 05, 2015 1:31 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Controlling the Chef 12 Pivotal user

On Mar 3, 2015, at 3:35 PM, Michael Weinberg michael@hw-ops.com wrote:

Taking this off twitter (https://twitter.com/luckymike/status/572856407692746754) and to the list.

It's unclear to me how one can manage the pivotal admin user. There's no user editing via chef-server-ctl or knife, and the user creation seems to occur deep within the chef-server-core installer. What is the approach for controlling that user creation and/or updating the user?

So the problem is that this user is kind of magic. It is used in a lot of places as a non-member superuser for internal administration tasks like adding new users or creating new orgs. You can edit some of the data, like give it a new display name (though nothing uses that so not terribly interesting) but changing its permissions would likely brick your Chef Server. You should never need to actually touch the pivotal user, and it should be as invisible as possible (the Web UI automatically hides) because it is effectively an implementation detail of Chef Server.

--Noah

To Noah's points: I (now) understand and appreciate all that. My main
concerns are:

  1. A system user should not look like a regular user, either from the
    web-ui or the CLI. As an admin, seeing an automatically created user with a
    chef.io address feels dicey, and is sure to spook some security teams
    (right or wrong).

  2. As a chef-server administrator, I think I should have access to manage
    my entire chef-server programmatically and from my workstation. The current
    user management, even from the chef-server-ctl command, leaves much to be
    desired.

Phil, you may be interested in the chef-server-populator cookbook, which
I'm in the process of revamping for Chef 12. It will provide full access to
create orgs and adjust clients to use provided keys, and allows you to make
the Chef Server its own client for user/client/org management via data
bags. Anticipating a new Chef 12 release within the week.

I don't have an LDAP server to test against, but would greatly welcome PRs
to cover LDAP integration.

Thanks!

--
Michael F. Weinberg | Director of Operations
http://heavywaterops.com | @heavywaterops

On Thu, Mar 5, 2015 at 11:11 AM, Phil Oliva poliva@blackberry.com wrote:

You should go to great lengths to protect your pivotal.pem so that only
administrators of chef-servers know about it. One approach would be to
pre-create the pivotal.pem in advance and setup chef-server to use your
specified pivotal.pem. This is assuming only administrators users can
access your chef server vms. When you have multiple production chef servers
it makes life easier for administrator if they all use the same pivotal.pem.

The problem of user management becomes very complicated when you're
dealing with multiple chef servers in your infrastructure. Initially I was
hoping chef replication would be able to sync RBAC information
(users/groups/orgs) across servers but unfortunately it only focusses on
policy information (cookbooks, roles, data bags, environments). Leaning
towards having custom automation around dynamically figuring out
originations/users that need to be created, which users should be members
of an org, and what group within org should they be part of (group
permissions). Although I guess LDAP integration might already solve this
problem. Has anyone played around with LDAP yet? Do orgs/users get created
automatically when you integrate with an LDAP server?

  • Phil

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: Thursday, March 05, 2015 1:31 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Controlling the Chef 12 Pivotal user

On Mar 3, 2015, at 3:35 PM, Michael Weinberg michael@hw-ops.com wrote:

Taking this off twitter (
https://twitter.com/luckymike/status/572856407692746754) and to the list.

It's unclear to me how one can manage the pivotal admin user. There's no
user editing via chef-server-ctl or knife, and the user creation seems to
occur deep within the chef-server-core installer. What is the approach for
controlling that user creation and/or updating the user?

So the problem is that this user is kind of magic. It is used in a lot of
places as a non-member superuser for internal administration tasks like
adding new users or creating new orgs. You can edit some of the data, like
give it a new display name (though nothing uses that so not terribly
interesting) but changing its permissions would likely brick your Chef
Server. You should never need to actually touch the pivotal user, and it
should be as invisible as possible (the Web UI automatically hides) because
it is effectively an implementation detail of Chef Server.

--Noah