The new global group, server-admins, was released in Chef Server 12.4.1. This group improves your ability to customize permissions that affect user management in your Chef Server.
Previously, there were only two types of users, regular and super. The server-admins group adds another possibility. It represents a third class of users who need permissions that are useful for the day-to-day administration of a Chef Server, but who don’t need to be superusers.
Members of the server-admins group have CRUD (create, read, update, delete) access on all users except the superuser. In other words, there are expanded options for managing users and the knife user command regains its usefulness. The members of the group are controlled through a new set of chef-server-ctl commands.
Let’s dive in.
Return to Form for knife user
Let’s say you have a Chef server with some users:
$ chef-server-ctl user-list
pivotal # superuser
user1
user2
user3
user4
user5
(In this example, we will use knife as user1.) Before we make any changes, let’s use knife to try to do some basic user management (make sure you’re using a recent version of knife and your chef_server_url points at your server root and not an organization):
$ knife user list -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: Missing read permission
By default, non-superusers only have permissions that pertain to themselves, because users are global rather than scoped to a single org. In general, this division gives a nice separation of concerns, but it’s not very flexible.
Right now, user1 is just a normal user without any special permissions or modifications, but we want user1 to be able to make changes to other users. This is where server-admins comes in.
Log in to the Chef Server and run:
$ chef-server-ctl grant-server-admin-permissions user1
User user1 was added to server-admins.
This user can now list, read, and create users (even for orgs they are not members of) for this Chef Server.
Now, user1 tries the knife command again:
$ knife user list -c ~/.chef/user1.rb
pivotal
user1
user2
user3
user4
user5
Because user1 is a member of server-admins, the knife user subcommand is now functional in Chef Server 12! Our user1 can even create, edit, and delete other users via knife. For example:
$ knife user edit user2 -c ~/.chef/user1.rb
... (editor pops up)
Saved user[user2].
Remember, though, server-admins don’t have access to the superuser (pivotal), so they can’t break the Chef Server (beyond deleting some important user)!
$ knife user delete pivotal -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: missing read permission
As you can see, the new group is very useful in the day-to-day management of a Chef Server.
If we want to remove user1’s special privileges, we simply log on to the Chef Server and run:
$ chef-server-ctl list-server-admins
pivotal
user1
$ chef-server-ctl remove-server-admin-permissions user1
User user1 was removed from server-admins.
This user can no longer list, read, and create users for this Chef Server except for where they have default permissions (such as within an org).
$ chef-server-ctl list-server-admins
pivotal
Now, if user1 tries to use knife user:
$ knife user list -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: missing read permission
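Since membership in server-admins grants CRUD on every non-superuser account, it is worth checking that group against an approved list on a schedule. The script below is an added example, not code from the post or from Chef; it assumes that chef-server-ctl list-server-admins prints one username per line, as shown above, and the sample list it works on is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit server-admins membership
# against an approved list so that unexpected members of the group are noticed.
# Assumption: `chef-server-ctl list-server-admins` prints one username per line.

# Approved members, one per line (constructed; pivotal is always a member).
APPROVED_ADMINS="pivotal
user1"

# Constructed stand-in for the output of `chef-server-ctl list-server-admins`,
# with one member (user4) that is not on the approved list.
SAMPLE_LIST="pivotal
user1
user4"

# audit_server_admins LIST APPROVED
# Prints each member of LIST that does not appear in APPROVED, one per line.
# Returns 0 when every member is approved, 1 when at least one is not.
audit_server_admins() {
  list="$1"
  approved="$2"
  status=0
  for member in $list; do
    # -x: whole-line match, -F: literal string, -- : member is not an option
    if ! printf '%s\n' "$approved" | grep -qxF -- "$member"; then
      printf 'unexpected server-admin: %s\n' "$member"
      status=1
    fi
  done
  return $status
}

# On the Chef Server host the live check would be:
#   audit_server_admins "$(chef-server-ctl list-server-admins)" "$APPROVED_ADMINS"
```

Run against the constructed sample, the function reports user4 and exits non-zero; run against a list that matches the approved one, it prints nothing and exits zero.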
Bigger Plans
Long term, we’re planning to expand the permissions of server-admins, so keep that in mind as you add users to that group. So far, the only plans are to add organization CRUD permissions, but we’ll see what the future holds. This is the first step towards more flexible, powerful permissions in the Chef server!
For a more technical overview of server-admins, see the documentation here.
Chef Server 12.4.1 can be downloaded here.