"knife user" vs "knife client"

Chef Infra (archive)
1

Hi,

I’m bootstrapping a Chef server 11 for the first time, and I’m a bit
confused by the distinction of “knife user” vs “knife client”.

I don’t want to use Chef server’s web UI (at least for now), and I don’t
want the users to have any passwords at all (API is authenticated by keys;
all web panels are protected by SSO). All the setup instructions use Web
UI, and knife client create requires me to provide a password.

As far as I understand, for API access knife client create --admin is
sufficient. Am I right, or is there something I’m missing?

Are users created with knife user create relevant anywhere else than web
UI and chef-vault?

Is it possible to create a user without a valid password, so that it’s not
possible to authenticate using password?

The existing documentation doesn’t really specify what a ‘user’ actually
is, it seems to be just a dump of knife user --help.

Thanks,
– Maciej

2

On Friday, June 21, 2013 at 4:15 AM, Maciej Pasternacki wrote:

Hi,

I'm bootstrapping a Chef server 11 for the first time, and I'm a bit confused by the distinction of "knife user" vs "knife client".

I don't want to use Chef server's web UI (at least for now), and I don't want the users to have any passwords at all (API is authenticated by keys; all web panels are protected by SSO). All the setup instructions use Web UI, and knife client create requires me to provide a password.
Is that a mistype? I don't see how knife client create would require a password...

As far as I understand, for API access knife client create --admin is sufficient. Am I right, or is there something I'm missing?
For now, users and clients are equivalent, except that users have passwords and clients don't. In the far future (e.g., Chef 12) that could change, if there's reason to do so.

Are users created with knife user create relevant anywhere else than web UI and chef-vault?

Is it possible to create a user without a valid password, so that it's not possible to authenticate using password?

The existing documentation doesn't really specify what a 'user' actually is, it seems to be just a dump of knife user --help.
Users and clients are both "identities" that have a key pair. Users also have a password. In the commercial versions of Chef where you have multi-tennancy, users are global, while clients are scoped to organizations. In the OSS server, there is no multi-tennancy so that distinction doesn't matter.

Thanks,
-- Maciej

Anyway, you can totally use Chef just fine for now without setting up any users, as long as you're fine with the fact that you're doing things in a non-standard way, so documented procedures might not work correctly. Also, if some API operations are restricted to users (hypothetical example: uploading cookbooks or deleting things) in a future update, you'll have a bit of extra work to do when upgrading.

--
Daniel DeLeo