You authenticated successfully to https://api.opscode.com/organizations/mycomapy as mynode but you are not authorized for this action


#1

Hi.

I am getting this error.

ERROR: You authenticated successfully to
https://api.opscode.com/organizations/mycomapy as mynode but you are
not authorized for this action

SO…how do I auth? I am trying to delete nodes using knife. This
is a script on a monitoring that is run once a minute.

knife node delete thatnopde --yes


#2

By default the API Clients for nodes do not have permission in the ACL to modify/delete other node objects. You can update the ACLs, or create a specific API client to use for that purpose.


Joshua Timberman
Sent from a mobile device



#3

Thanks,

In hosted chef, I went to clients and edited permissions for the
node. I gave all clients in groups to CRUD. I tried the individual
node but that did not help as well. I still get the error.
So…from hosted chef UI, for my monitoring server, what is the
proper way?



#4

On Wed, Jul 18, 2012 at 10:01 AM, David Montgomery
davidmontgomery@gmail.com wrote:

In hosted chef, I went to clients and edited permissions for the
node. I gave all clients in groups to CRUD. I tried the individual
node but that did not help as well. I still get the error.
So…from hosted chef UI, for my monitoring server, what is the
proper way?

You can get support from Opscode for Hosted Chef at
http://www.opscode.com/support/.

What credentials are you using with knife? Are you using the node’s
client key, or your own?

It’d help if you provided steps to reproduce that showed what commands
you were running as well.

Bryan


#5

Here is the knife file I use. I am using the node's key and I have a
template for the below.

# current_dir is not defined in the posted excerpt; the stock knife.rb sets it like this
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "<%= node.name %>"
client_key "/etc/chef/client.pem"
validation_client_name "mycomany-validator"
validation_key "#{current_dir}/mycomanyi-validator.pem"

chef_server_url "https://api.opscode.com/organizations/adhui"
cache_type 'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )

I can list nodes e.g… That works.
knife node list
Yay! it works

I can't list clients.
knife client list
ERROR: You authenticated successfully to
https://api.opscode.com/organizations/adhui as dev_tokyo_monitor but
you are not authorized for this action
Response: Merb::ControllerExceptions::Forbidden



#6

I’m guessing you’re using the wrong client key. /etc/chef/client.pem is
usually the client for the node rather than for your administrative user.
If you don’t already have the key for your user, you can log into the
webui and get one here https://www.opscode.com/account/password then put
that pem file in the knife.rb file as client_key.

Thanks,

Paul Mooring


Paul Mooring
Systems Engineer - Customer Advocate
Opscode, Inc.

c: 480.332.0589
e: paul@opscode.com


#7

I think I misunderstood your problem. Just adding list permissions to the
clients container and nodes container on the client you’re using should
allow you to list the clients. That won’t let you delete nodes or clients,
though. For what you’re trying to accomplish (deleting any client and
node), you can create a group for this and give that group the proper
permissions on the clients and nodes container, which will be inherited by
new nodes/clients, but you would need to use this
https://github.com/seth/knife-acl to set delete permissions on the
containers. The last option is to just make that client part of the users
group.

Paul Mooring
Systems Engineer - Customer Advocate
Opscode, Inc.

c: 480.332.0589
e: paul@opscode.com
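
A model of the authorization check behind the error in this thread, as an added example that is not part of any post and is not Chef's own code: it compares what the monitoring client can do to another node's object by default, through a dedicated group that holds only delete, and through membership in the users group. The ACL contents, the group memberships and the `node-reapers` group name are constructed for illustration; only the five permission names and the actors/groups layout follow the Chef server's ACL documents.

```ruby
# Constructed sample data: ACL documents in the shape the Chef server returns
# from an object's _acl endpoint (one actors/groups entry per permission).
PERMS = %w[create read update delete grant].freeze

def ace(actors: [], groups: [])
  { "actors" => actors, "groups" => groups }
end

# ACL of another node's object (constructed): its own client has full rights,
# the "clients" group can only read it, "users" can also update and delete.
NODE_ACL = {
  "create" => ace(actors: %w[thatnode], groups: %w[admins]),
  "read"   => ace(actors: %w[thatnode], groups: %w[admins clients users]),
  "update" => ace(actors: %w[thatnode], groups: %w[admins users]),
  "delete" => ace(actors: %w[thatnode], groups: %w[admins users]),
  "grant"  => ace(actors: %w[thatnode], groups: %w[admins]),
}.freeze

# Group membership (constructed): group name => member clients/users.
GROUPS = { "clients" => %w[thatnode dev_tokyo_monitor], "admins" => %w[alice], "users" => %w[alice] }

# Permissions an authenticated actor holds on an object: granted either
# directly (actors) or through any group the actor belongs to.
def effective_perms(acl, actor, groups)
  mine = groups.select { |_, members| members.include?(actor) }.keys
  PERMS.select do |perm|
    entry = acl.fetch(perm)
    entry["actors"].include?(actor) || (entry["groups"] & mine).any?
  end
end

# Returns a copy of the ACL with `group` added to the listed permissions only.
def grant_group(acl, group, perms)
  acl.to_h do |perm, entry|
    extra = perms.include?(perm) ? [group] : []
    [perm, entry.merge("groups" => (entry["groups"] + extra).uniq)]
  end
end

before = effective_perms(NODE_ACL, "dev_tokyo_monitor", GROUPS)
# Option from post #7: a dedicated group that holds delete and nothing else.
reaper_groups = GROUPS.merge("node-reapers" => %w[dev_tokyo_monitor])
scoped = effective_perms(grant_group(NODE_ACL, "node-reapers", %w[delete]), "dev_tokyo_monitor", reaper_groups)
# "Last option" from post #7: put the client in the users group.
broad_groups = GROUPS.merge("users" => GROUPS["users"] + %w[dev_tokyo_monitor])
broad = effective_perms(NODE_ACL, "dev_tokyo_monitor", broad_groups)
puts "default: #{before}, dedicated group: #{scoped}, users group: #{broad}"
```

With this sample data the dedicated group adds only delete to the client's default read, while users-group membership also adds update.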