Hi! I am trying to create an "admin" user (like in Chef 11) with the following policies:
knife group create admin-clients
knife group add client cookbook-uploader admin-clients
knife acl add group admin-clients containers environments create,read,update
knife acl bulk add group admin-clients environments '.' create,read,update --yes
knife acl add group admin-clients containers roles create,read,update
knife acl bulk add group admin-clients roles '.' create,read,update --yes
knife acl add group admin-clients containers cookbooks create,read,update
knife acl add group admin-clients containers sandboxes create,update,delete
knife acl bulk add group admin-clients cookbooks '.' create,read,update --yes
knife acl add group admin-clients containers nodes create,read,update,delete
knife acl bulk add group admin-clients nodes '.' create,read,update
Although it works as expected (clients in the admin-clients group are able to manage cookbooks, environments, nodes and roles), this schema has a major shortcoming: every time a new cookbook, role or node is created on the Chef server I need to re-run all these knife acl bulk commands, which is tedious.
Every time a new cookbook, role or node is created on the Chef server I need to re-run all these knife acl bulk commands, which is tedious.
That shouldn't be necessary given your setup. The container ACLs you set for roles, nodes, and cookbooks should be the default ACL for any newly created role, nodes, and cookbooks.
However, what advantage are you looking for with this schema rather than, say, adding the client to the existing admins group?
The initial setup does not allow clients in the admin-clients group to read freshly created nodes, though.
This is surprising to me given your setup. A freshly created node in your setup should have an ACL that allows READ by the admin-clients group. Mind doing a knife acl show on the nodes container and on a newly created node with this problem and posting the results here?
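The comparison asked for above (container ACL versus the ACL of a freshly created node) can be done mechanically. The following is an added example written for this thread, not code from Chef or the knife-acl plugin. It assumes that the output of `knife acl show` has been parsed into a dict keyed by permission (create, read, update, delete, grant), each holding `actors` and `groups` lists; the two ACLs below are constructed sample data in that shape, with the node `web01` and the group names taken from the thread.

```python
"""Flag group grants present on a Chef container ACL but missing on a new object.

Added example, not from the thread. Assumes `knife acl show` output parsed into
{"read": {"actors": [...], "groups": [...]}, ...} (constructed samples below).
"""
import json

PERMISSIONS = ("create", "read", "update", "delete", "grant")

# Constructed sample: the nodes container ACL after the `knife acl add` commands
# from the thread have been applied.
CONTAINER_NODES_ACL = json.loads("""
{
  "create": {"actors": ["pivotal"], "groups": ["admins", "admin-clients"]},
  "read":   {"actors": ["pivotal"], "groups": ["admins", "users", "admin-clients"]},
  "update": {"actors": ["pivotal"], "groups": ["admins", "admin-clients"]},
  "delete": {"actors": ["pivotal"], "groups": ["admins", "admin-clients"]},
  "grant":  {"actors": ["pivotal"], "groups": ["admins"]}
}
""")

# Constructed sample: a freshly created node whose ACL did not pick up the
# admin-clients grants (the symptom reported in the thread).
NEW_NODE_ACL = json.loads("""
{
  "create": {"actors": ["pivotal", "web01"], "groups": ["admins"]},
  "read":   {"actors": ["pivotal", "web01"], "groups": ["admins", "users"]},
  "update": {"actors": ["pivotal", "web01"], "groups": ["admins"]},
  "delete": {"actors": ["pivotal", "web01"], "groups": ["admins"]},
  "grant":  {"actors": ["pivotal", "web01"], "groups": ["admins"]}
}
""")


def missing_group_grants(container_acl, object_acl, group):
    """Return the permissions `group` holds on the container but not on the object.

    A freshly created object is expected to inherit the container ACL, so a
    non-empty result is the inconsistency the thread is asking to diagnose.
    """
    missing = []
    for perm in PERMISSIONS:
        in_container = group in container_acl.get(perm, {}).get("groups", [])
        in_object = group in object_acl.get(perm, {}).get("groups", [])
        if in_container and not in_object:
            missing.append(perm)
    return missing


def repair_command(object_type, object_name, group, missing):
    """Build the single `knife acl add group` command that restores the gaps.

    Returns None when nothing is missing, so callers can skip the object.
    """
    if not missing:
        return None
    return f"knife acl add group {group} {object_type} {object_name} {','.join(missing)}"


if __name__ == "__main__":
    gaps = missing_group_grants(CONTAINER_NODES_ACL, NEW_NODE_ACL, "admin-clients")
    print("missing grants for admin-clients on web01:", gaps)
    print(repair_command("nodes", "web01", "admin-clients", gaps))
```

Run against real output, this turns the bulk re-run from the first post into a targeted fix for only the objects that actually diverge from their container, and an empty result for every new node confirms that container inheritance is working as described in the reply.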