Knife cookbook upload - 403 forbidden against opscode platform


#1

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

Many thanks for an help.

Luke


#2

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


#3

Couldn’t find the ticket, can you post me the link?

Thanks

Luke

On 3 December 2010 15:43, Ringo De Smet ringo.desmet@gmail.com wrote:

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


#4

Hi Luke,

We found a small bug in the Management Console such that even when you added
anyone or group to have “Create” rights on cookbooks, it doesn’t completely
work.

I will fix and deploy the fix by EOD today. For a workaround, you can either
use a “user”, instead of a “client” to upload cookbooks before I deploy the
fix, or send me an email directly to let me know your organization account
name, and I can fix it for you.

Sorry for the inconvenience.

Thanks,
Nuo

On Fri, Dec 3, 2010 at 9:26 AM, Luke Biddell luke.biddell@gmail.com wrote:

Couldn’t find the ticket, can you post me the link?

Thanks

Luke

On 3 December 2010 15:43, Ringo De Smet ringo.desmet@gmail.com wrote:

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


#5

No problem Nuo, thanks for the help. I can wait until the end of the
day, that’s just fine.

On 3 December 2010 20:21, Nuo Yan nuo@opscode.com wrote:

Hi Luke,
We found a small bug in the Management Console such that even when you added
anyone or group to have “Create” rights on cookbooks, it doesn’t completely
work.

I will fix and deploy the fix by EOD today. For a workaround, you can either
use a “user”, instead of a “client” to upload cookbooks before I deploy the
fix, or send me an email directly to let me know your organization account
name, and I can fix it for you.
Sorry for the inconvenience.
Thanks,
Nuo

On Fri, Dec 3, 2010 at 9:26 AM, Luke Biddell luke.biddell@gmail.com wrote:

Couldn’t find the ticket, can you post me the link?

Thanks

Luke

On 3 December 2010 15:43, Ringo De Smet ringo.desmet@gmail.com wrote:

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


#6

I’ve tried it this morning and it’s still giving me 403? Is this fix deployed?

On 3 December 2010 22:19, Luke Biddell luke.biddell@gmail.com wrote:

No problem Nuo, thanks for the help. I can wait until the end of the
day, that’s just fine.

On 3 December 2010 20:21, Nuo Yan nuo@opscode.com wrote:

Hi Luke,
We found a small bug in the Management Console such that even when you added
anyone or group to have “Create” rights on cookbooks, it doesn’t completely
work.

I will fix and deploy the fix by EOD today. For a workaround, you can either
use a “user”, instead of a “client” to upload cookbooks before I deploy the
fix, or send me an email directly to let me know your organization account
name, and I can fix it for you.
Sorry for the inconvenience.
Thanks,
Nuo

On Fri, Dec 3, 2010 at 9:26 AM, Luke Biddell luke.biddell@gmail.com wrote:

Couldn’t find the ticket, can you post me the link?

Thanks

Luke

On 3 December 2010 15:43, Ringo De Smet ringo.desmet@gmail.com wrote:

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


#7

On Sat, Dec 4, 2010 at 3:03 AM, Luke Biddell luke.biddell@gmail.com wrote:

I’ve tried it this morning and it’s still giving me 403? Is this fix deployed?

It is my understanding that they were going to try to patch a couple
organizations as well as push a fix to prevent other organizations
from getting in this state, but there were logistical issues with
getting them in the right order. The larger fix is probably going out
on Monday to be sure it doesn’t cause any regressions while we’re all
out of the office. I don’t know if Nuo tried to patch the existing
organizations or not yesterday.

If you can’t work around the issue until then by using a 'user’
instead of a ‘client’ please let us know.

Bryan


#8

Yes as Bryan said, the root cause fix is deployed, and there is a script to
be run to correct a UI setting for every org affected, on Monday. I think I
specifically fixed your organization after deploying the root cause fix.

And I just looked into your organization account for cookbooks permissions
and it looked fine, I refreshed the permission settings, try again and if
you are still seeing 403s, send me an email or open a help ticket at
help.opscode.com about your organization name (to make sure I looked at the
right one) and the specific client you are using to sign requests.

By the way, (I will make sure this gets fixed for you, However, ) in general
on the platform we encourage using users, instead of clients to perform
"knife" tasks. Just for your information, but there won’t be problems using
clients to do that if you have a specific use case. :slight_smile:

Thanks and sorry for the inconvenience.
Nuo

On Sat, Dec 4, 2010 at 3:03 AM, Luke Biddell luke.biddell@gmail.com wrote:

I’ve tried it this morning and it’s still giving me 403? Is this fix
deployed?

On 3 December 2010 22:19, Luke Biddell luke.biddell@gmail.com wrote:

No problem Nuo, thanks for the help. I can wait until the end of the
day, that’s just fine.

On 3 December 2010 20:21, Nuo Yan nuo@opscode.com wrote:

Hi Luke,
We found a small bug in the Management Console such that even when you
added

anyone or group to have “Create” rights on cookbooks, it doesn’t
completely

work.

I will fix and deploy the fix by EOD today. For a workaround, you can
either

use a “user”, instead of a “client” to upload cookbooks before I deploy
the

fix, or send me an email directly to let me know your organization
account

name, and I can fix it for you.
Sorry for the inconvenience.
Thanks,
Nuo

On Fri, Dec 3, 2010 at 9:26 AM, Luke Biddell luke.biddell@gmail.com
wrote:

Couldn’t find the ticket, can you post me the link?

Thanks

Luke

On 3 December 2010 15:43, Ringo De Smet ringo.desmet@gmail.com
wrote:

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com
wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden
as

I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


#9

Many many thanks for all the help, it’s working fine now. And sorry if
I appeared impatient, I misunderstood the nature of the fix.

This is my first time with the platform, I’ve used an internal chef
server exclusively until now. As far as I can see, when running your
own chef server, there’s no way to generate a pem for users and
connect that way. We just use clients?

I can easily switch over to users when using the platform, just me
getting used to the differences.

2010/12/5 Nuo Yan nuo@opscode.com:

Yes as Bryan said, the root cause fix is deployed, and there is a script to
be run to correct a UI setting for every org affected, on Monday. I think I
specifically fixed your organization after deploying the root cause fix.
And I just looked into your organization account for cookbooks permissions
and it looked fine, I refreshed the permission settings, try again and if
you are still seeing 403s, send me an email or open a help ticket at
help.opscode.com about your organization name (to make sure I looked at the
right one) and the specific client you are using to sign requests.
By the way, (I will make sure this gets fixed for you, However, ) in general
on the platform we encourage using users, instead of clients to perform
"knife" tasks. Just for your information, but there won’t be problems using
clients to do that if you have a specific use case. :slight_smile:
Thanks and sorry for the inconvenience.
Nuo
On Sat, Dec 4, 2010 at 3:03 AM, Luke Biddell luke.biddell@gmail.com wrote:

I’ve tried it this morning and it’s still giving me 403? Is this fix
deployed?

On 3 December 2010 22:19, Luke Biddell luke.biddell@gmail.com wrote:

No problem Nuo, thanks for the help. I can wait until the end of the
day, that’s just fine.

On 3 December 2010 20:21, Nuo Yan nuo@opscode.com wrote:

Hi Luke,
We found a small bug in the Management Console such that even when you
added
anyone or group to have “Create” rights on cookbooks, it doesn’t
completely
work.

I will fix and deploy the fix by EOD today. For a workaround, you can
either
use a “user”, instead of a “client” to upload cookbooks before I deploy
the
fix, or send me an email directly to let me know your organization
account
name, and I can fix it for you.
Sorry for the inconvenience.
Thanks,
Nuo

On Fri, Dec 3, 2010 at 9:26 AM, Luke Biddell luke.biddell@gmail.com
wrote:

Couldn’t find the ticket, can you post me the link?

Thanks

Luke

On 3 December 2010 15:43, Ringo De Smet ringo.desmet@gmail.com
wrote:

On 2 December 2010 23:22, Luke Biddell luke.biddell@gmail.com
wrote:

I’m using the opscode platform and am having trouble uploading
cookbooks from my client.

I’ve used the web console and gone to cookbooks -> permissions and
enabled create/list for my client.

I can then successfully knife cookbook list. However knife cookbook
upload mycookbook returns 403 forbidden.

The permissions appear to be kinda working as if I remove the list
permission for my client, knife cookbook list returns 403 forbidden
as
I’d expect.

Have I missed a permission somewhere?

My client seems fine as I can knife node list, knife role list etc
without issue.

I have the same problem, and opened a ticket on
http://help.opscode.com for this. Glad to see I’m not the only one
having this problem.

R.


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


Opscode, Inc.
Nuo Yan (闫诺), Software Development Engineer
T: (425) 679-9362, E: nuo@opscode.com
Twitter, IRC, Github: nuoyan


#10

On Mon, Dec 6, 2010 at 1:41 AM, Luke Biddell luke.biddell@gmail.com wrote:

This is my first time with the platform, I’ve used an internal chef
server exclusively until now. As far as I can see, when running your
own chef server, there’s no way to generate a pem for users and
connect that way. We just use clients?

I believe that is true. The difference is that the platform is a bit
more complex than the the stock chef server. We bolt on other pieces
to the open source code, like multi-tenant support, and support for
Access Control Lists (ACL). Consequently, the list of things we expect
a user to be able to do against the platform is different than the
things another client, typically a server, would do. This was an
unexpected use case, so there was some discussion about how to re-work
everything the Right Way.

I’m glad you are all worked out.

Bryan