Retrieving public keys of knife users


#1

In a cookbook I’d like to retrieve the public keys of each knife user.
I assume a “knife user” to be a chef API client with the admin
privilege.

But when I run this in shef (with -z) on a non-admin node:

Chef::ApiClient.load('knife-user')['public_key']

or Chef::ApiClient.list

I get a 403 response. In both open source and private chef.

Why would access to this information be forbidden? Anyone know of a
slick workaround?

Thanks

Louis


#2

On 15 August 2012 10:40, Louis Garman louisgarman@gmail.com wrote:

> In a cookbook I’d like to retrieve the public keys of each knife user.
> I assume a “knife user” to be a chef API client with the admin
> privilege.
>
> But when I run this in shef (with -z) on a non-admin node:
>
> Chef::ApiClient.load('knife-user')['public_key']
>
> or Chef::ApiClient.list
>
> I get a 403 response. In both open source and private chef.
>
> Why would access to this information be forbidden? Anyone know of a
> slick workaround?

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/foo")
=> client[foo]
chef > x.public_key
=> "-----BEGIN RSA PUBLIC
KEY-----\nMIIBCgKCAQEArWFbpLaXlcTRwaNIwG71Y8XEMKAkE0Aq4BeHQCK5CNnS7mhrFgPM\nKbLA4M27Z7Zph9nrFW5Kka3uRKDO7lhmvMrZjJZjl9Hq1kiy1DL7YY7HujW1RVwM\nvRv0NTAevM4A+yFIeq/QsI6kzIKIVIBNdG6KtPf5gmqfHrSJJbKrPmwXOC6dMy1q\n/0ptd+79u2crkCSb9ItlW3gs7FjReBxKQ8IAU3ZiBveKCk6JFdqoiw9DG59oeBDB\nJcT5NzE8lInn8prxkHl5uENu5MUB3Fp0iDk2PuxQA1Po1egxUsEKThj1ZYxY2fbk\nbDEvVfeOXZSCXI+SZQmgMWcHXX5Z4hB/IwIDAQAB\n-----END
RSA PUBLIC KEY-----\n"


#3

On 15 August 2012 15:12, Alex Howells lists@howells.me wrote:

> chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/foo")
> => client[foo]
> chef > x.public_key
> => "-----BEGIN RSA PUBLIC
> KEY-----\nMIIBCgKCAQEArWFbpLaXlcTRwaNIwG71Y8XEMKAkE0Aq4BeHQCK5CNnS7mhrFgPM\nKbLA4M27Z7Zph9nrFW5Kka3uRKDO7lhmvMrZjJZjl9Hq1kiy1DL7YY7HujW1RVwM\nvRv0NTAevM4A+yFIeq/QsI6kzIKIVIBNdG6KtPf5gmqfHrSJJbKrPmwXOC6dMy1q\n/0ptd+79u2crkCSb9ItlW3gs7FjReBxKQ8IAU3ZiBveKCk6JFdqoiw9DG59oeBDB\nJcT5NzE8lInn8prxkHl5uENu5MUB3Fp0iDk2PuxQA1Po1egxUsEKThj1ZYxY2fbk\nbDEvVfeOXZSCXI+SZQmgMWcHXX5Z4hB/IwIDAQAB\n-----END
> RSA PUBLIC KEY-----\n"

But the plot thickens –

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
[Wed, 15 Aug 2012 10:13:11 -0400] INFO: HTTP Request Returned 403
Forbidden: You are not the correct node (auth_user name: foo,
params[:id]: baa), or are not an API administrator (admin: false).


#4

On 15 August 2012 15:15, Alex Howells lists@howells.me wrote:

> But the plot thickens –
>
> chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
> [Wed, 15 Aug 2012 10:13:11 -0400] INFO: HTTP Request Returned 403
> Forbidden: You are not the correct node (auth_user name: foo,
> params[:id]: baa), or are not an API administrator (admin: false).

It doesn’t appear that certain attributes of a client are public vs.
private - the situation is more “Are you the client concerned, if so,
you can load your data!” vs. “DENIED!” (with admin being the only way
around it).

https://github.com/opscode/chef/blob/master/chef-server-api/config/router.rb#L51
https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/application.rb#L80
https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/clients.rb#L28

Things might be different with OPC or OHC, not sure, I have been
testing things against OSCS.

With a client that is an admin -

Ohai2u agh@mojo.local!
chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
 => client[baa]

But that’s no surprise really :)


#5

On 15 August 2012 15:37, Alex Howells lists@howells.me wrote:

> On 15 August 2012 15:15, Alex Howells lists@howells.me wrote:
>
>> But the plot thickens –
>>
>> chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
>> [Wed, 15 Aug 2012 10:13:11 -0400] INFO: HTTP Request Returned 403
>> Forbidden: You are not the correct node (auth_user name: foo,
>> params[:id]: baa), or are not an API administrator (admin: false).
>
> It doesn’t appear that certain attributes of a client are public vs.
> private - the situation is more “Are you the client concerned, if so,
> you can load your data!” vs. “DENIED!” (with admin being the only way
> around it).
>
> https://github.com/opscode/chef/blob/master/chef-server-api/config/router.rb#L51
> https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/application.rb#L80
> https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/clients.rb#L28
>
> Things might be different with OPC or OHC, not sure, I have been
> testing things against OSCS.
>
> With a client that is an admin -
>
> Ohai2u agh@mojo.local!
> chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa")
>  => client[baa]
>
> But that’s no surprise really :)

If you particularly want this fixed, the patch is fairly trivial:

https://gist.github.com/3360740

Then you can:

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients/baa/key")
=> {"name"=>"baa", "public_key"=>"-----BEGIN RSA PUBLIC
KEY-----\nMIIBCgKCAQEAx4Hzbue5tTQIGRgFNsi0elgbD0UBjo0j279WL0f5pt5rlbHOqs71\nySjAyX42cM7o1ltw6/BiTAPv3iIAY08UuiubqUNx1x32m7Y7gFa5B8BVJZCqlPEd\njeqpE4JaSBbFEhvy14FnLsf+mwRxdQtIqes+6NpL2vU0WDFvwRTOdKW1GSGY41SD\nuxFMitphJ380SEUYfriZbTk3qQQwgNBpJ/PVeSzJVz8sgB1XSfG4MQEbf/LeeyvY\njTYhe1sq1nH8qcqec3Byfoo+YkZiU3pPvRMTvbq89s2o/XQPCdaYlFvxbsmyn/yK\nrPzTBLd1NuIkkItNMhU2VmYodAUB/+DLsQIDAQAB\n-----END
RSA PUBLIC KEY-----\n"}

I can’t see how exposing the public key of a client poses any
significant danger :)

Hope this helps,
-Alex

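The rule Alex traces through router.rb, application.rb and clients.rb (whole client record readable only by that client itself or by an admin) and the narrower "key only" read his gist adds can be modelled without a Chef server. The Ruby below is an added example, not Chef's code and not the contents of the gist: the client names foo, baa and chef-webui, their admin flags and their keys are constructed sample data generated when the file loads, and the 403 message is reproduced from the shef session above.

```ruby
# Added example, not Chef's own code: a model of the client-read rule this
# thread traces through router.rb / application.rb / clients.rb, beside a
# narrower "key only" read in the spirit of the /clients/:id/key endpoint
# described above. Client names, admin flags and keys are constructed.
require 'openssl'

class Forbidden < StandardError; end

# Build a constructed client record. Only the public half of the key is
# stored, as on a real server; the private key stays with the client.
def build_client(name, admin)
  pub_pem = OpenSSL::PKey::RSA.new(2048).public_key.to_pem
  { 'name' => name, 'admin' => admin, 'public_key' => pub_pem }
end

CLIENTS = {
  'foo'        => build_client('foo', false),
  'baa'        => build_client('baa', false),
  'chef-webui' => build_client('chef-webui', true),
}.freeze

# Current rule as the thread reads it: GET /clients/:id returns the whole
# record, so it is limited to the client itself or to an admin client.
def show_client(auth_user, id)
  caller_rec = CLIENTS.fetch(auth_user) { raise Forbidden, 'unknown client' }
  record = CLIENTS.fetch(id) { raise KeyError, "no client named #{id}" }
  unless auth_user == id || caller_rec['admin']
    raise Forbidden,
          "You are not the correct node (auth_user name: #{auth_user}, " \
          "params[:id]: #{id}), or are not an API administrator " \
          "(admin: #{caller_rec['admin']})."
  end
  record
end

# Narrower read: any authenticated client may fetch another client's public
# key and nothing else. The public key is what the server already uses to
# verify that client's request signatures, so handing it out does not widen
# what the requester can do; the admin flag and the rest of the record stay
# behind show_client.
def show_client_key(auth_user, id)
  CLIENTS.fetch(auth_user) { raise Forbidden, 'unknown client' }
  record = CLIENTS.fetch(id) { raise KeyError, "no client named #{id}" }
  { 'name' => record['name'], 'public_key' => record['public_key'] }
end

# Sanity check for cookbook code consuming a returned key: it must parse as
# RSA and must not carry a private component.
def public_only_rsa?(pem)
  key = OpenSSL::PKey::RSA.new(pem)
  !key.private?
rescue OpenSSL::PKey::RSAError
  false
end

if $PROGRAM_NAME == __FILE__
  puts show_client('foo', 'foo')['name']          # a client reads itself
  puts show_client('chef-webui', 'baa')['name']   # an admin reads anyone
  begin
    show_client('foo', 'baa')                     # non-admin, other client
  rescue Forbidden => e
    puts "403 #{e.message}"
  end
  puts show_client_key('foo', 'baa').keys.inspect # only name and public_key
end
```

Keeping the key-only response to exactly two fields is the point of the design: a caller that is denied the full record still cannot learn the target's admin flag or anything else through the narrower endpoint, and the listing problem Alex raises next is a separate authorization decision.
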

#6

On 15 August 2012 15:48, Alex Howells lists@howells.me wrote:

> If you particularly want this fixed, the patch is fairly trivial:
>
> https://gist.github.com/3360740

But that doesn’t solve your “How do I get a list of clients?” (from
somewhere which doesn’t have ‘admin’) particularly.

It also causes -

chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients")
=> {"baa"=>"https://chef.anima.ls/clients/key/baa", …

Anyway you get the general idea. I can actually see a utility for this
but I’m out of time to finish polishing it today.


#7

Much appreciated Alex. Feel free to attach that patch to an opscode ticket…

On Wed, Aug 15, 2012 at 3:59 PM, Alex Howells lists@howells.me wrote:

> On 15 August 2012 15:48, Alex Howells lists@howells.me wrote:
>
>> If you particularly want this fixed, the patch is fairly trivial:
>>
>> https://gist.github.com/3360740
>
> But that doesn’t solve your “How do I get a list of clients?” (from
> somewhere which doesn’t have ‘admin’) particularly.
>
> It also causes -
>
> chef > x = Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("clients")
> => {"baa"=>"https://chef.anima.ls/clients/key/baa", …
>
> Anyway you get the general idea. I can actually see a utility for this
> but I’m out of time to finish polishing it today.