Knife-acl: how to change global permissions?


#1

Ohai again!

I’m testing Chef 12 and ACLs, but I can’t find a way to change my “Global
Permissions: cookbooks”.

Today, to “cookbook show” my cookbooks, the user MUST be in at least one of
the “admin, clients or users” groups.

But I would like to create a new group with minimum privilege, such as
permission on only one cookbook. To do so, I must remove the user from the
"users" group, but it sounds like I’m stuck on Global Permission:

knife group add actor read-only teste
knife group remove actor users teste

$ knife cookbook show support -c knife-teste.rb
ERROR: You authenticated successfully to https://10.112.81.166 as teste but
you are not authorized for this action
Response: missing read permission

knife acl add cookbooks support read group read-only
knife acl add cookbooks support update group read-only

$ knife cookbook upload support -V -c knife-teste.rb
INFO: HTTP Request Returned 403 Forbidden: error
ERROR: You authenticated successfully to https://10.112.81.166 as teste but
you are not authorized for this action
Response: missing read permission

Any ideas? Thanks a lot!


– Tiago Cruz


#2

Hi,

Your instincts about what to do were correct; unfortunately this
seems like a bit of an edge case. It appears that listing the versions
of a named cookbook requires READ permission on the cookbooks
container and not just the named cookbook itself.

The container (called “Global Permissions” in parts of the UI)
typically controls what you can do across sets of objects (e.g. READ
on the nodes container allows you to list all nodes) and the
permissions that new objects have by default (e.g. if you have READ on
the clients container, you get READ on any newly created clients).

My guess is that this knife command will work for you:

knife cookbook show support CURRENT_VERSION -c knife-teste.rb

where CURRENT_VERSION is a version of support that is already
uploaded. That gets around the API call ("/cookbooks/support") that
requires READ on the container. Unfortunately, I don’t know of a way
to upload cookbooks that avoids a call to an endpoint requiring
container permission.

You can give your group READ permission on the cookbook container:

knife acl add containers cookbooks read group read-only

but this will have the unfortunate side effect of also giving them
READ permission on any cookbook created after you make this change
(existing cookbooks and new versions of existing cookbooks won’t be
affected).

Cheers,

Steven

On Mon, Dec 8, 2014 at 4:28 PM, Tiago Cruz tiago.tuxkiller@gmail.com wrote:
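To make the behaviour Steven describes concrete, here is a small model of it that replays the steps from this thread. This is an added example, not Chef Server, knife or knife-acl code, and it deliberately simplifies: every object and container carries an ACL mapping a permission to a set of groups, a newly created object copies its container's ACL at creation time, and the endpoints check exactly the permissions the thread reports (listing a cookbook's versions and uploading need READ on the "cookbooks" container; reading a specific version needs READ on the cookbook itself). The starting state, the cookbook names "other" and "later", the version strings and the class and function names are all constructed for the example.

```python
"""Simplified model of Chef Server container/object ACLs (added example)."""
from copy import deepcopy

PERMS = ("create", "read", "update", "delete", "grant")


class Forbidden(Exception):
    """Stands in for the 403 'missing <perm> permission' response."""


class Acl:
    def __init__(self):
        self.grants = {p: set() for p in PERMS}

    def add(self, perm, group):
        self.grants[perm].add(group)

    def check(self, perm, groups):
        # A request is allowed if any of the actor's groups holds the permission.
        if not self.grants[perm] & groups:
            raise Forbidden(f"missing {perm} permission")


class ChefServerModel:
    def __init__(self):
        self.containers = {"cookbooks": Acl()}   # "Global Permissions"
        self.cookbooks = {}                      # cookbook name -> Acl
        self.groups = {}                         # group name -> set of users

    # --- what `knife group` / `knife acl` manipulate ---
    def group_add_actor(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def group_remove_actor(self, group, user):
        self.groups.get(group, set()).discard(user)

    def acl_add(self, object_type, name, perm, group):
        acl = self.containers[name] if object_type == "containers" else self.cookbooks[name]
        acl.add(perm, group)

    def create_cookbook(self, name):
        # Assumed behaviour from the reply: a new object inherits the
        # container ACL as it stands at creation time; existing ones are untouched.
        self.cookbooks[name] = deepcopy(self.containers["cookbooks"])

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}

    # --- simplified API endpoints ---
    def list_versions(self, user, cookbook):
        # GET /cookbooks/NAME: needs READ on the container
        self.containers["cookbooks"].check("read", self.groups_of(user))
        return cookbook

    def show_version(self, user, cookbook, version):
        # GET /cookbooks/NAME/VERSION: needs READ on the cookbook itself
        self.cookbooks[cookbook].check("read", self.groups_of(user))
        return (cookbook, version)

    def upload(self, user, cookbook):
        # Assumption: upload lists versions first (container READ), then
        # writes the object (UPDATE on the cookbook).
        self.list_versions(user, cookbook)
        self.cookbooks[cookbook].check("update", self.groups_of(user))
        return True


def attempt(fn, *args):
    """Return 'ok' or the Forbidden message so outcomes can be compared."""
    try:
        fn(*args)
        return "ok"
    except Forbidden as e:
        return str(e)


def replay_thread():
    """Replay Tiago's steps, then Steven's suggestion; record each outcome."""
    srv = ChefServerModel()
    # Constructed starting state: 'users' has READ on the container, and the
    # existing cookbooks 'support' and 'other' inherited that grant.
    srv.acl_add("containers", "cookbooks", "read", "users")
    srv.create_cookbook("support")
    srv.create_cookbook("other")
    srv.group_add_actor("users", "teste")

    out = {}
    srv.group_add_actor("read-only", "teste")
    srv.group_remove_actor("users", "teste")
    srv.acl_add("cookbooks", "support", "read", "read-only")
    srv.acl_add("cookbooks", "support", "update", "read-only")
    out["show"] = attempt(srv.list_versions, "teste", "support")
    out["show_version"] = attempt(srv.show_version, "teste", "support", "1.0.0")
    out["upload"] = attempt(srv.upload, "teste", "support")

    # Steven's fix: READ on the container. Upload now works, but cookbooks
    # created afterwards inherit the grant while the existing 'other' does not.
    srv.acl_add("containers", "cookbooks", "read", "read-only")
    out["upload_after"] = attempt(srv.upload, "teste", "support")
    srv.create_cookbook("later")
    out["read_later"] = attempt(srv.show_version, "teste", "later", "0.1.0")
    out["read_other"] = attempt(srv.show_version, "teste", "other", "0.1.0")
    return out


if __name__ == "__main__":
    for step, result in replay_thread().items():
        print(f"{step:14} {result}")
```

Running it reproduces the thread: the plain `cookbook show` and the upload fail with "missing read permission" while `show` of a named version succeeds, and after granting READ on the container the upload succeeds but the group also gains READ on every cookbook created from then on, which is the side effect to weigh before using that grant.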