[RESOLVED] Client Unauthorized to access its cookbooks - 403 Forbidden

Chef Infra (archive)
1

Hi,
I'm facing a problem with a node which is not allowed to access its cookbook. The message I see in the log is:

================================================================================
Error Resolving Cookbooks for Run List:

Authorization Error

This client is not authorized to read some of the information required to
access its cookbooks (HTTP 403).

To access its cookbooks, a client needs to be able to read its environment and
all of the cookbooks in its expanded run list.

Expanded Run List:

  • chef-client::config
  • chef-client
  • spacewalk-client::rhel

Server Response:

missing read permission

Platform:

x86_64-linux

Running handlers:
[2017-02-17T11:29:02+01:00] ERROR: Running exception handlers
Running handlers complete
[2017-02-17T11:29:02+01:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 02 seconds
[2017-02-17T11:29:02+01:00] FATAL: Stacktrace dumped to /home/security/.chef/cache/chef-stacktrace.out
[2017-02-17T11:29:02+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-02-17T11:29:02+01:00] ERROR: 403 "Forbidden"
[2017-02-17T11:29:02+01:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Any suggestion?

2

Change the permission of the cookbook https://docs.chef.io/server_manage_cookbooks.html

To set permissions list for a cookbook object:

Open the Chef management console.
Click Policy.
Click Cookbooks.
Select a cookbook.
Click the Permissions tab.
For each group listed under Name, select or de-select the Read, Update, Delete, and Grant permissions.

3

It clearly says that "client needs to be able to read its environment and all of the cookbooks in its expanded run list."

Go to policy, click on cookbook and on permissions tab, change the permission of desired cookbooks.

Regards,
Waseem

4

Thank you for your responses but I've already checked the permissions and it looks like all is good, because read permission is checked on Read action. Here below a screenshot of the chef-client cookbook. Am I wrong? Any other suggestions?

5

I’ve also tried to reset the key of the client, installing it on the node but without improvements. Could it be that the log is misleading?

6

Change the permission under the Clients tab not the Cookbooks,: under Policy => Clients => click on the node and change the permission there.

7

It's quite the same: the permissions here are the same as all the other clients registered on the server. See screenshot below. I've also tried to bootstrap again the node but the message is exactly the same. How can I proceed?

8

you user ant4r3s is missing, you need to add it on the list.

9

I don’t think so because all other hosts don’t have that permission and they work. In fact, I’ve added the ant4r3s user to the node3 but the result is the same : (
Other idea?

10

i ran out of ideas :-/ restart the chef server…

11

The restart of the server doesn’t work unfortunately.

Anyway I’ve found a solution deleting the node from the server as well as the client key on the node. As last operation I’ve bootstraped the node from the workstation :frowning: