What to do if object (cookbook here) has empty list of permissions


#1

Hello everyone.

I have a cookbook with which I can’t do any operation. Nor delete nor
update or anything else. Even though I’m using client from admins group in
my knife.rb. I don’t have any problem with any other object.

After some research it looks like this particular cookbook has empty list
of permissions. So I have no rights for it even as admin.

$ knife cookbook show testa 0.1.0
ERROR: You authenticated successfully to https://chef/organizations/ola as
admin but you are not authorized for this action
Response: missing read permission

$ knife show /acls/cookbooks/testa.json
ERROR: Chef::ChefFS::FileSystem::OperationFailedError: HTTP error reading:
403 “Forbidden”

I tried to use user pivotal as client (from advice on irc channel) from the
server itself but got the same result.

Should I directly edit something in postgresql db to avoid this misbehavior
?


#2

Hi there. Are you running Chef Server 12? If so, I have just open sourced a
tool ‘fixie’ (https://github.com/chef/fixie) to help with this sort of
thing. I expect we will be shipping this with a future version of CS 12.

This is very preliminary, and the tool has many, many sharp edges, but it
is hopefully less painful than raw sql editing. The usual disclaimer of use
at your own risk, etc applies.

Also, for ACL editing, I’d use the knife acl plugin (
https://github.com/chef/knife-acl) first, and fixie only if that tool can’t
help you; the knife ACL tool uses the API which is safer and fully
supported.

But in your case, I think this tool will be your best option. There are
getting started instructions in the repo on setting things up; you need to
install fixie on your chef server, and on the backend/primary in a
tiered/ha configuration.

In your case, I’d copy any permissions from the cookbooks container to the
apache cookbook; the permissions on the cookbook should be a superset of
the container permissions.
For example if I wanted to fix or look at the permissions for the apache2
cookbook

fixie:0 > ORGS[“acme”].cookbooks[‘apache2’].acl
{“create”=>{“actors”=>[[:global, “pivotal”], [:global, “coyote”]],
“groups”=>[[“acme”, “admins”], [“acme”, “users”]]},
“read”=>{“actors”=>[[:global, “pivotal”], [:global, “coyote”]],
“groups”=>[[“acme”, “admins”], [“acme”, “clients”], [“acme”, “users”]]},
“update”=>{“actors”=>[[:global, “pivotal”], [:global, “coyote”]],
“groups”=>[[“acme”, “admins”], [“acme”, “users”]]},
“delete”=>{“actors”=>[[:global, “pivotal”], [:global, “coyote”]],
“groups”=>[[“acme”, “admins”], [“acme”, “users”]]},
“grant”=>{“actors”=>[[:global, “pivotal”], [:global, “coyote”]],
“groups”=>[[“acme”, “admins”]]}}

Compare it to the container:

fixie:0 >ORGS[‘acme’].containers[‘cookbooks’].acl
{“create”=>{“actors”=>[[:global, “pivotal”]], “groups”=>[[“acme”,
“admins”], [“acme”, “users”]]}, “read”=>{“actors”=>[[:global, “pivotal”]],
“groups”=>[[“acme”, “admins”], [“acme”, “clients”], [“acme”, “users”]]},
“update”=>{“actors”=>[[:global, “pivotal”]], “groups”=>[[“acme”, “admins”],
[“acme”, “users”]]}, “delete”=>{“actors”=>[[:global, “pivotal”]],
“groups”=>[[“acme”, “admins”], [“acme”, “users”]]},
“grant”=>{“actors”=>[[:global, “pivotal”]], “groups”=>[[“acme”, “admins”]]}}

You most likely want to make sure that the cookbook permissions are a
superset of the container permissions; the creating user should be listed
as well (e.g. here the creating user is ‘coyote’, and pivotal is the
’superuser’)

Adding a missing user to the read ace

fixie:0 > ORGS[“acme”].cookbooks[‘apache2’].ace_add(:read, USERS[‘pivotal’])

Adding a missing group to the read ace

fixie:0 > ORGS[“acme”].cookbooks[‘apache2’].ace_add(:read, GROUPS[‘admins’])

Hopefully this helps you out. And of course pull requests and feedback is
always welcome.

On Wed, Feb 11, 2015 at 1:28 AM, Александр Никифоров burlunder@gmail.com
wrote:

Hello everyone.

I have a cookbook with which I can’t do any operation. Nor delete nor
update or anything else. Even though I’m using client from admins group in
my knife.rb. I don’t have any problem with any other object.

After some research it looks like this particular cookbook has empty list
of permissions. So I have no rights for it even as admin.

$ knife cookbook show testa 0.1.0
ERROR: You authenticated successfully to https://chef/organizations/ola
as admin but you are not authorized for this action
Response: missing read permission

$ knife show /acls/cookbooks/testa.json
ERROR: Chef::ChefFS::FileSystem::OperationFailedError: HTTP error reading:
403 “Forbidden”

I tried to use user pivotal as client (from advice on irc channel) from
the server itself but got the same result.

Should I directly edit something in postgresql db to avoid this
misbehavior ?

Mark Anderson - Community Engineering

mark@chef.io brian@opscode.com