Allowing a Chef node to upload cookbooks

8
votes

I'm trying to get our CI machine (running Teamcity) to upload and promote Chef cookbooks once it's finished all of the tests, to make it a proper part of our deployment pipeline.

However, the client is not authorized to upload cookbooks, but I can't figure out how to tweak the ACL settings to make it work.

$ sudo bundle exec knife spork upload teamcity --environment production
ERROR: You authenticated successfully to https://api.opscode.com/organizations/<my-org> as ci but you are not authorized for this action 
Response:  missing create permission

I've tried (but failed with the same error):

  1. Giving the ci client read permissions in the Opscode admin.
  2. Using the validator user to upload the cookbooks.
  3. Doing a non-Spork upload (sudo bundle exec knife upload cookbooks/teamcity), but failing with a 403

I've also tried just listing the clients (sudo bundle exec knife client list), but that fails with Response: missing create permission.

The client and validator keys are located in /etc/chef, but I have a Knife config in <repo-path>/.chef/knife.rb (I'm trying to upload from <repo-path>).

I'm guessing there's some kind of permission that I need to set, but after having poked around in both the old and new Opscode Management interface, I'm out of clues.

What gives?

NOTE: We're using the hosted-by-Opscode Enterprise Chef version.

2
chef-infraknife

2 Answers

6
votes

According to the Chef support, the preferred way of doing this is to create a new User and use it to interact with the Chef Server from the CI node:

A User is more properly termed "Any user of the Chef Server API that is not a node running the chef-client program"

If you would like to avoid the above problem of having to assign Admin rights to a client, you can create a new User that will be used for doing uploads from the build server. All Users are allowed to upload cookbooks without needing to be members of the Admins group.

So, to sum things up:

  1. Create a new User in the Opscode Admin
  2. Make the user's key (.pem) available on the CI node.
  3. Ensure that the user from (1) is used in all knife commands (see --user and --key Knife options), e.g. knife upload cookbook <name> --user ci_user --key .chef/ci_user.pem
2
votes

You cannot use the validator client to upload cookbooks. This is a special client that is only able to register new (non-admin) clients.

In order to upload cookbooks, the client used by your CI has to have admin privileges (or need cookbook upload privileges, if there is such in Enterprise Chef).

You can either make the client used by the node an admin, or just create another client and configure this for use with knife (don't point it to /etc/chef/client.pem, but to somewhere else).

Disclaimer: I have only little knowledge about Enterprise Chef, but I guess it doesn't differ in this way.