Retrieving public keys of knife users

In a cookbook I’d like to retrieve the public keys of each knife user.
I assume a “knife user” to be a chef API client with the admin
privilege.

But when I run this in shef (with -z) on a non-admin node:

Chef::ApiClient.load('knife-user')['public_key']

or Chef::ApiClient.list

I get a 403 response. In both open source and private chef.

Why would access to this information be forbidden? Anyone know of a
slick workaround?

Thanks

Louis

On 15 August 2012 10:40, Louis Garman louisgarman@gmail.com wrote:

In a cookbook I'd like to retrieve the public keys of each knife user.
I assume a "knife user" to be a chef API client with the admin
privilege.

But when I run this in shef (with -z) on a non-admin node:

Chef::ApiClient.load('knife-user')['public_key']

or Chef::ApiClient.list

I get a 403 response. In both open source and private chef.

Why would access to this information be forbidden? Anyone know of a
slick workaround?

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/foo")
=> client[foo]
chef > x.public_key
=> "-----BEGIN RSA PUBLIC
KEY-----\nMIIBCgKCAQEArWFbpLaXlcTRwaNIwG71Y8XEMKAkE0Aq4BeHQCK5CNnS7mhrFgPM\nKbLA4M27Z7Zph9nrFW5Kka3uRKDO7lhmvMrZjJZjl9Hq1kiy1DL7YY7HujW1RVwM\nvRv0NTAevM4A+yFIeq/QsI6kzIKIVIBNdG6KtPf5gmqfHrSJJbKrPmwXOC6dMy1q\n/0ptd+79u2crkCSb9ItlW3gs7FjReBxKQ8IAU3ZiBveKCk6JFdqoiw9DG59oeBDB\nJcT5NzE8lInn8prxkHl5uENu5MUB3Fp0iDk2PuxQA1Po1egxUsEKThj1ZYxY2fbk\nbDEvVfeOXZSCXI+SZQmgMWcHXX5Z4hB/IwIDAQAB\n-----END
RSA PUBLIC KEY-----\n"

On 15 August 2012 15:12, Alex Howells lists@howells.me wrote:

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/foo")
=> client[foo]
chef > x.public_key
=> "-----BEGIN RSA PUBLIC
KEY-----\nMIIBCgKCAQEArWFbpLaXlcTRwaNIwG71Y8XEMKAkE0Aq4BeHQCK5CNnS7mhrFgPM\nKbLA4M27Z7Zph9nrFW5Kka3uRKDO7lhmvMrZjJZjl9Hq1kiy1DL7YY7HujW1RVwM\nvRv0NTAevM4A+yFIeq/QsI6kzIKIVIBNdG6KtPf5gmqfHrSJJbKrPmwXOC6dMy1q\n/0ptd+79u2crkCSb9ItlW3gs7FjReBxKQ8IAU3ZiBveKCk6JFdqoiw9DG59oeBDB\nJcT5NzE8lInn8prxkHl5uENu5MUB3Fp0iDk2PuxQA1Po1egxUsEKThj1ZYxY2fbk\nbDEvVfeOXZSCXI+SZQmgMWcHXX5Z4hB/IwIDAQAB\n-----END
RSA PUBLIC KEY-----\n"

But the plot thickens --

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
[Wed, 15 Aug 2012 10:13:11 -0400] INFO: HTTP Request Returned 403
Forbidden: You are not the correct node (auth_user name: foo,
params[:id]: baa), or are not an API administrator (admin: false).

On 15 August 2012 15:15, Alex Howells lists@howells.me wrote:

But the plot thickens --

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
[Wed, 15 Aug 2012 10:13:11 -0400] INFO: HTTP Request Returned 403
Forbidden: You are not the correct node (auth_user name: foo,
params[:id]: baa), or are not an API administrator (admin: false).

It doesn't appear that certain attributes of a client are public vs.
private - the situation is more "Are you the client concerned, if so,
you can load your data!" vs. "DENIED!" (with admin being the only way
around it).

https://github.com/opscode/chef/blob/master/chef-server-api/config/router.rb#L51
https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/application.rb#L80
https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/clients.rb#L28

Things might be different with OPC or OHC, not sure, I have been
testing things against OSCS.

With a client that is an admin -

Ohai2u agh@mojo.local!
chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
 => client[baa]

But that's no surprise really :)

On 15 August 2012 15:37, Alex Howells lists@howells.me wrote:

On 15 August 2012 15:15, Alex Howells lists@howells.me wrote:

But the plot thickens --

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
[Wed, 15 Aug 2012 10:13:11 -0400] INFO: HTTP Request Returned 403
Forbidden: You are not the correct node (auth_user name: foo,
params[:id]: baa), or are not an API administrator (admin: false).

It doesn't appear that certain attributes of a client are public vs.
private - the situation is more "Are you the client concerned, if so,
you can load your data!" vs. "DENIED!" (with admin being the only way
around it).

https://github.com/opscode/chef/blob/master/chef-server-api/config/router.rb#L51
https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/application.rb#L80
https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/clients.rb#L28

Things might be different with OPC or OHC, not sure, I have been
testing things against OSCS.

With a client that is an admin -

Ohai2u agh@mojo.local!
chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
 => client[baa]

But that's no surprise really :)

If you particularly want this fixed, the patch is fairly trivial:

https://gist.github.com/3360740

Then you can:

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa/key")
=> {"name"=>"baa", "public_key"=>"-----BEGIN RSA PUBLIC
KEY-----\nMIIBCgKCAQEAx4Hzbue5tTQIGRgFNsi0elgbD0UBjo0j279WL0f5pt5rlbHOqs71\nySjAyX42cM7o1ltw6/BiTAPv3iIAY08UuiubqUNx1x32m7Y7gFa5B8BVJZCqlPEd\njeqpE4JaSBbFEhvy14FnLsf+mwRxdQtIqes+6NpL2vU0WDFvwRTOdKW1GSGY41SD\nuxFMitphJ380SEUYfriZbTk3qQQwgNBpJ/PVeSzJVz8sgB1XSfG4MQEbf/LeeyvY\njTYhe1sq1nH8qcqec3Byfoo+YkZiU3pPvRMTvbq89s2o/XQPCdaYlFvxbsmyn/yK\nrPzTBLd1NuIkkItNMhU2VmYodAUB/+DLsQIDAQAB\n-----END
RSA PUBLIC KEY-----\n"}

I can't see how exposing the public key of a client poses any
significant danger :)

Hope this helps,
-Alex
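As an added illustration, not code from this thread, from Alex's gist or from chef-server-api itself, here is a small Ruby model of the two behaviours discussed above: the self-or-admin rule behind the 403 in the earlier message, and a key-only route like the `clients/:id/key` one the patch adds, together with a check that what such a route returns is a public key with no private component. The client names, the in-memory store and the key material are all constructed here.

```ruby
require 'openssl'

# Constructed in-memory stand-in for the server's client objects; keys are
# generated on the spot, none of this comes from a real Chef server.
def make_client(name, admin)
  { 'name' => name, 'admin' => admin, 'key' => OpenSSL::PKey::RSA.new(2048) }
end

CLIENTS = {
  'foo'        => make_client('foo', false),
  'baa'        => make_client('baa', false),
  'knife-user' => make_client('knife-user', true),
}

# The rule the thread observes: read yourself, or be an API administrator.
def authorized_to_read_client?(auth_user, requested_id)
  auth_user['name'] == requested_id || auth_user['admin']
end

# GET /clients/:id as the server behaves today: the full object, or a 403
# worded like the one quoted in the thread.
def get_client(auth_user_name, requested_id)
  auth_user = CLIENTS.fetch(auth_user_name)
  unless authorized_to_read_client?(auth_user, requested_id)
    msg = "You are not the correct node (auth_user name: #{auth_user['name']}, " \
          "params[:id]: #{requested_id}), or are not an API administrator " \
          "(admin: #{auth_user['admin']})."
    return [403, msg]
  end
  client = CLIENTS[requested_id]
  client ? [200, client] : [404, 'not found']
end

# GET /clients/:id/key, the hypothetical key-only route: any authenticated
# client may read it, and only the name and the PEM public key leave the server.
def get_client_key(auth_user_name, requested_id)
  CLIENTS.fetch(auth_user_name)           # caller must still be a known client
  client = CLIENTS[requested_id]
  return [404, 'not found'] unless client
  [200, { 'name' => client['name'], 'public_key' => client['key'].public_key.to_pem }]
end

# Defender's check on the new route: the PEM must parse as an RSA key that
# carries no private component. (Ruby's OpenSSL may write the "BEGIN PUBLIC KEY"
# SubjectPublicKeyInfo form rather than the server's "BEGIN RSA PUBLIC KEY"
# PKCS#1 form; both parse here.)
def public_only?(pem)
  key = OpenSSL::PKey::RSA.new(pem)
  key.public? && !key.private?
end
```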

On 15 August 2012 15:48, Alex Howells lists@howells.me wrote:

If you particularly want this fixed, the patch is fairly trivial:

https://gist.github.com/3360740

But that doesn't solve your "How do I get a list of clients?" (from
somewhere which doesn't have 'admin') particularly.

It also causes -

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients")
=> {"baa"=>"https://chef.anima.ls/clients/key/baa", ....

Anyway you get the general idea. I can actually see a utility for this
but I'm out of time to finish polishing it today.

Much appreciated Alex. Feel free to attach that patch to an opscode ticket...

On Wed, Aug 15, 2012 at 3:59 PM, Alex Howells lists@howells.me wrote:

On 15 August 2012 15:48, Alex Howells lists@howells.me wrote:

If you particularly want this fixed, the patch is fairly trivial:

https://gist.github.com/3360740

But that doesn't solve your "How do I get a list of clients?" (from
somewhere which doesn't have 'admin') particularly.

It also causes -

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients")
=> {"baa"=>"https://chef.anima.ls/clients/key/baa", ....

Anyway you get the general idea. I can actually see a utility for this
but I'm out of time to finish polishing it today.