can't bootstrap node when user is in admin group

1
votes

I am a server admin on a chef-server, added to an organization, and my user is added to the admins group - I used to be able to run a bootstrap command on machine towards a windows machine ala - 

knife bootstrap windows winrm <ip> -x <user> -P <pass> -r <run_list> -N <node_name>

Whatever I do now - I met with "authenticated successfully to as but you are not authorized. missing create permission"

Before anyone says you need to manually edit and submit the acl files for containers etc, I have been doing that for the past 4 hours.

I have verified my knife.rb and that no other config exists, as well as explicitly specifying it as part of the command. I have verified my user on the server as admin and as part of the organization. I have verified membership of the admins group, as well as admin group belonging to all the containers, and objects in the chef repo.

I have also created a new group called "everything" to which I granted all access to every object, and added myself alone to that group. I've also tried adding a client the permitted clients to edit these containers.

Usually when I would see this message it was because my node-name was not correct, or that the path to my pem file was incorrect. Not the case here, I have also tried to create a new pem and point my knife.rb to that -- as well as create a brand new user, assign admin, assign organization, and add to admins group. But to no luck.

I noticed on the bootstrap command that the client was created (via knife client list), but the node was not (also via knife node list). This made me think that the permissions missing were on the node object. Sadly, everything checks out there -- as the groups are added, and the users are added to these groups. I have also downloaded the current state of the chef-server to ensure I didn't have stale data confusing me.

I've also run chef-server-ctl test on the server (just in case) and that did not report anything abnormal.

I've also traced through a chef-client -l debug, but I didn't see any issues or errors there.

Seemingly nothing has changed with any permissions, acls, or groups. Why is it that I am not able to bootstrap anymore? Why is it that chef reports I am missing the create permission even though I'm admin on every object that exists?

For completeness: here's the log https://gist.github.com/marseille/9811672b10bb613aa75e54f9f5e9aa44

2
chef-infra

2 Answers

0
votes

The admins group should default to having the correct perms, but you can check manually with knife-acl (warning: this plugin allows you to break your Chef Server if you do the wrong thing). Check specifically on the clients container object, you're looking for both read and create perms.

0
votes

The short answer

The Clients group must have read+create permission on the nodes container

the explanation

Bootstrapping with a validator functioned correctly, yet bootstrapping with user credentials did not.

I knew there was an issue with creating nodes, since knife node list did not list the created node (after a bootstrap attempt). After hitting my head on the keyboard, I found there was a verbose logging option hidden away. chef-server-ctl tail --

Inspecting this, I was able to find that the API requests for the client create were signed as my user. The node API request however, was signed by the newly created node. Which, doesn't have any permissions. Even if you added a client+node combo and assigned proper permissions, it would be blown away when using user credentials on bootstrap.

I thought specifying my own user as the node name , or specifying the API user (--user) might rectify this. It did not. Inspecting the acls before and after a bootstrap revealed that the clients were stripped from all groups and actors as a result of being deleted.

Therefore -- a method for associating a brand new client with permissions to create nodes was required. Enter the clients group. Chef automatically places any newly created client in the clients group -- after the clients group was added to READ+CREATE ACL of the nodes container, all permissions issues went away.

In summary, bootstrapping with a validator worked as it did not overwrite a client or a node, preserving permissions. bootstrapping with user credentials did not work as it replaced both the client and the node.

The message

"ERROR: You authenticated successfully to https://'chef-server-url' as 'user' but you are not authorized for this action. Response: missing create permission"

Is wildly inaccurate as it never was a problem with my user. Actually a problem with the client. As can be observed from the "missing create permission". This message is extremely misleading.