How to create a group with read-only ACLs?

I learned here: https://docs.chef.io/server_orgs.html that in Chef there are groups inside an organization and that groups have ACLs. I created an additional group, let's call it "read-only". I assigned user "X" to that group and changed this group's ACLs by doing this:

knife group create read-only

knife acl add group read-only containers clients read
knife acl bulk add group read-only clients '.*' read

knife acl add group read-only containers sandboxes read
knife acl add group read-only containers cookbooks read
knife acl bulk add group read-only cookbooks '.*' read

knife acl add group read-only containers data read
knife acl bulk add group read-only data '.*' read

knife acl add group read-only containers environments read
knife acl bulk add group read-only environments '.*' read

knife acl add group read-only containers nodes read
knife acl bulk add group read-only nodes '.*' read

knife acl add group read-only containers policies read
knife acl bulk add group read-only policies '.*' read

knife acl add group read-only containers policy_groups read
knife acl bulk add group read-only policy_groups '.*' read

knife acl add group read-only containers roles read
knife acl bulk add group read-only roles '.*' read

because this is what I learned from the knife-acl plugin GitHub site: https://github.com/chef/knife-acl

but despite doing this, the user "X" can still edit and upload cookbooks. How do I properly restrict some users from editing stuff so that they have read-only permissions? Is there some good documentation on Chef ACLs, how they work and how to edit a group's ACLs?

And another question: when I create a user, they seem to be inside a group called something like this:

groups/000000000000455e875641bc6744f4s.json

So they are not in "users", not in "admins", but every user has its own group with a weird name like "000000000000455e875641bc6744f4s", containing only this user. Then these groups are included in the group "users", I believe:

{
  "name": "users",
  "users": [
    "pivotal"
  ],
  "groups": [
    "000000000000455e875641bc6484fc39",
    "000000000000455e875641bc6744f4s"
  ]
}

So if I assign user "X" to the group read-only, he is still also in the group 000000000000455e875641bc6744f4s and, in effect, in the group users too, am I right? This is probably why he can still not only read but also upload cookbooks. How do I show the groups that a particular user is in? How do I remove a user from the group "users"? I feel like ACLs are lacking good documentation.

In case anyone is wondering: the problem was with the groups that Chef creates per user, with long names like "000000000000455e875641bc6744f4s". You need to not only remove the user "X" from the group "users", but also remove from the group "users" the group that Chef created for him, with the long name.
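
The nested membership described above can be resolved offline from the group JSON, which answers "which groups is this user effectively in, and through which path". This is an added example, not code from the original post or from Chef; it assumes group objects with the "name", "users" and "groups" keys quoted above, and `usag-x` / `usag-y` are constructed placeholder names standing in for the long per-user group ids.

```ruby
require 'json'

# Constructed sample data in the shape of the groups/*.json snippet quoted above.
# "usag-x" and "usag-y" are placeholders for the long per-user group names.
SAMPLE_GROUPS = JSON.parse(<<~JSON)
  [
    {"name": "users",     "users": ["pivotal"], "groups": ["usag-x", "usag-y"]},
    {"name": "usag-x",    "users": ["X"],       "groups": []},
    {"name": "usag-y",    "users": ["Y"],       "groups": []},
    {"name": "read-only", "users": ["X"],       "groups": []},
    {"name": "admins",    "users": ["pivotal"], "groups": []}
  ]
JSON

# Returns { group_name => path } for every group the user belongs to, directly
# or through nested groups. The path starts at the group that lists the user
# and ends at group_name, so it shows where an inherited grant comes from.
def effective_groups(groups, user)
  # Map each nested group to the groups that include it.
  parents = Hash.new { |h, k| h[k] = [] }
  groups.each do |g|
    (g['groups'] || []).each { |child| parents[child] << g['name'] }
  end

  found = {}
  queue = groups.select { |g| (g['users'] || []).include?(user) }
                .map { |g| [g['name']] }
  until queue.empty?
    path = queue.shift
    name = path.last
    next if found.key?(name) # already reached; also stops membership cycles
    found[name] = path
    parents[name].each { |parent| queue << path + [parent] }
  end
  found
end

# Copy of the group list with one nested group removed from a parent group,
# modelling the fix from the follow-up (per-user group taken out of "users").
def without_nested(groups, parent, child)
  groups.map do |g|
    g['name'] == parent ? g.merge('groups' => g['groups'] - [child]) : g
  end
end

if __FILE__ == $PROGRAM_NAME
  effective_groups(SAMPLE_GROUPS, 'X').each do |name, path|
    puts "#{name}: #{path.join(' -> ')}"
  end
end
```

To run it against a real organization, load the downloaded groups/*.json files into the array instead of the sample data.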