Create "admin" user in chef12

Hi! I am trying to create an “admin” user (like in chef11) with the following policies:

knife group create admin-clients

knife group add client cookbook-uploader admin-clients

knife acl add group admin-clients containers environments create,read,update
knife acl bulk add group admin-clients environments '.' create,read,update --yes
knife acl add group admin-clients containers roles create,read,update
knife acl bulk add group admin-clients roles '.' create,read,update --yes
knife acl add group admin-clients containers cookbooks create,read,update
knife acl add group admin-clients containers sandboxes create,update,delete
knife acl bulk add group admin-clients cookbooks '.' create,read,update --yes
knife acl add group admin-clients containers nodes create,read,update,delete
knife acl bulk add group admin-clients nodes '.' create,read,update

Although it works as expected (clients in the group admin-clients are able to manage cookbooks, environments, nodes and roles), this schema has a major shortcoming: every time a new cookbook, role or node is created on the Chef server I need to re-run all these knife acl bulk commands, which is tedious.

Any input will be helpful. Thanks

Hi,

every time a new cookbook, role or node is created on the Chef server I need to re-run all these knife acl bulk commands, which is tedious

That shouldn't be necessary given your setup. The container ACLs you set for roles, nodes, and cookbooks should be the default ACL for any newly created role, nodes, and cookbooks.

However, what advantage are you looking for with this schema rather than, say, adding the client to the existing admins group?

Cheers,

Steven

Hi Steven! Thanks, this helped. My other thoughts:

  • Quite dumb, though; I had never read that chef12 has a predefined admin group
  • Spent days on this pretty trivial solution
  • What if I do not want to add a client to the admin group for security reasons? (Do I need to go back to the knife acl way, which is not very easy? …)
  • BTW I could not add a client to a group via the Opscode console (web UI) and did it via knife group add client ...
  • An initial setup does not allow clients in the admin-clients group to read freshly created nodes, though

Hi,

An initial setup does not allow clients in the admin-clients group to read freshly created nodes, though

This is surprising to me given your setup. A freshly created node in your setup should have an ACL that allows READ by the admin-client group. Mind doing a knife acl show on the nodes container and a newly created node with this problem and posting the results here?

Cheers,

Steven
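The check Steven asks for above (compare the nodes container ACL with the ACL of a newly created node and see whether the group really holds the permissions set in the first post) can be done offline on the JSON the Chef server returns for an object's `_acl` endpoint (for example fetched with `knife raw /containers/nodes/_acl` and `knife raw /nodes/NODE/_acl`). The script below is an added example, not code from this thread or from Chef; the two ACL documents in it are constructed samples (the group lists, the `pivotal` actor and the `web01` client name are illustrative), and the node sample is deliberately missing `read` for `admin-clients` to reproduce the symptom described in the thread.

```python
import json

# The five permission types a Chef server ACL carries.
PERMISSIONS = ("create", "read", "update", "delete", "grant")

# Constructed sample: the "nodes" container ACL after
#   knife acl add group admin-clients containers nodes create,read,update,delete
# The shape follows the server's _acl JSON (each permission lists "actors" and
# "groups"); the group and actor names are illustrative, not captured data.
CONTAINER_ACL_JSON = """
{
  "create": {"actors": ["pivotal"], "groups": ["admins", "clients", "admin-clients"]},
  "read":   {"actors": ["pivotal"], "groups": ["admins", "clients", "users", "admin-clients"]},
  "update": {"actors": ["pivotal"], "groups": ["admins", "clients", "users", "admin-clients"]},
  "delete": {"actors": ["pivotal"], "groups": ["admins", "users", "admin-clients"]},
  "grant":  {"actors": ["pivotal"], "groups": ["admins"]}
}
"""

# Constructed sample: a node ACL that does NOT match the container default,
# e.g. a node registered before the container ACL was changed. admin-clients
# is missing from "read", which is exactly the symptom reported in the thread.
NODE_ACL_JSON = """
{
  "create": {"actors": ["pivotal", "web01"], "groups": ["admins", "clients", "admin-clients"]},
  "read":   {"actors": ["pivotal", "web01"], "groups": ["admins", "clients", "users"]},
  "update": {"actors": ["pivotal", "web01"], "groups": ["admins", "clients", "users", "admin-clients"]},
  "delete": {"actors": ["pivotal", "web01"], "groups": ["admins", "users", "admin-clients"]},
  "grant":  {"actors": ["pivotal", "web01"], "groups": ["admins"]}
}
"""


def load_acl(text):
    """Parse ACL JSON and guarantee every permission block has actors/groups lists."""
    acl = json.loads(text)
    for perm in PERMISSIONS:
        block = acl.setdefault(perm, {})
        block.setdefault("actors", [])
        block.setdefault("groups", [])
    return acl


def group_permissions(acl, group):
    """Set of permissions the given group holds on this ACL."""
    return {perm for perm in PERMISSIONS if group in acl[perm]["groups"]}


def missing_permissions(acl, group, expected):
    """Permissions in `expected` that the group does not hold, sorted for stable output."""
    return sorted(set(expected) - group_permissions(acl, group))


def inherited_gaps(container_acl, object_acl):
    """
    Per permission, the groups and actors present on the container ACL but
    absent from the object's ACL. A freshly created object starts with the
    container ACL, so a non-empty result means the object's ACL predates the
    container change or has been edited since; those are the objects that
    still need a one-off 'knife acl bulk add' (or 'knife acl add').
    """
    gaps = {}
    for perm in PERMISSIONS:
        groups = sorted(set(container_acl[perm]["groups"]) - set(object_acl[perm]["groups"]))
        actors = sorted(set(container_acl[perm]["actors"]) - set(object_acl[perm]["actors"]))
        if groups or actors:
            gaps[perm] = {"groups": groups, "actors": actors}
    return gaps


if __name__ == "__main__":
    container = load_acl(CONTAINER_ACL_JSON)
    node = load_acl(NODE_ACL_JSON)
    wanted = ("create", "read", "update", "delete")  # from the first post's nodes ACL
    print("admin-clients missing on container:", missing_permissions(container, "admin-clients", wanted))
    print("admin-clients missing on node:     ", missing_permissions(node, "admin-clients", wanted))
    print("node vs container:", json.dumps(inherited_gaps(container, node), indent=2))
```

Run against real output, an empty `inherited_gaps` result for a node created after the container change is the evidence that the container ACL is being applied as the default; a non-empty one on such a node is what would be worth posting back in the thread.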

Ahh, I already destroyed the group, thanks anyway. You really helped me (((

Ahh, I already destroyed the group, thanks anyway. You really helped me

No worries, happy to help!

Cheers,

Steven