Knife Upload Node Invalid Key Roles in Request Bod
Authentication, Authority¶
[edit on GitHub]
All communication with the Chef server must be authenticated using the Chef server API, which is a Residue API that allows requests to be made to the Chef server. Just authenticated requests will be authorized. Most of the time, and peculiarly when using knife, the chef-client, or the Chef server spider web interface, the utilise of the Chef server API is transparent. In some cases, the use of the Chef server API requires more than detail, such every bit when making the request in Red code, with a pocketknife plugin, or when using whorl.
Authentication¶
The hallmark process ensures the Chef server responds just to requests made by trusted users. Public key encryption is used by the Chef server. When a node and/or a workstation is configured to run the chef-client, both public and private keys are created. The public key is stored on the Chef server, while the private key is returned to the user for safe keeping. (The private fundamental is a .pem file located in the .chef directory or in /etc/chef .)
Both the chef-customer and knife apply the Chef server API when communicating with the Chef server. The chef-validator uses the Chef server API, but only during the offset chef-customer run on a node.
Each request to the Chef server from those executables sign a special group of HTTP headers with the private central. The Chef server so uses the public primal to verify the headers and verify the contents.
chef-validator¶
Every request made by the chef-client to the Chef server must exist an authenticated request using the Chef server API and a private key. When the chef-client makes a request to the Chef server, the chef-client authenticates each asking using a private cardinal located in /etc/chef/client.pem .
Notwithstanding, during the first chef-client run, this private central does not be. Instead, the chef-client will endeavour to apply the individual key assigned to the chef-validator, located in /etc/chef/validation.pem . (If, for any reason, the chef-validator is unable to make an authenticated asking to the Chef server, the initial chef-client run will neglect.)
During the initial chef-client run, the chef-client will register with the Chef server using the private primal assigned to the chef-validator, after which the chef-client volition obtain a customer.pem private key for all future authentication requests to the Chef server.
After the initial chef-client run has completed successfully, the chef-validator is no longer required and may exist deleted from the node. Use the delete_validation recipe constitute in the chef-client cookbook (https://github.com/chef-cookbooks/chef-customer) to remove the chef-validator.
During a chef-client Run¶
RSA public key-pairs are used to authenticate the chef-customer with the Chef server every time a chef-client needs admission to data that is stored on the Chef server. This prevents any node from accessing information that it shouldn't and it ensures that only nodes that are properly registered with the Chef server tin exist managed.
Knife¶
RSA public key-pairs are used to authenticate knife with the Chef server every time pocketknife attempts to access the Chef server. This ensures that each instance of knife is properly registered with the Chef server and that only trusted users tin make changes to the data.
knife tin can also use the knife exec subcommand to make specific, authenticated requests to the Chef server. knife plugins tin can likewise make authenticated requests to the Chef server by leveraging the knife exec subcommand.
API Requests¶
A pocketknife plugin is a fix of one (or more) subcommands that can be added to knife to back up additional functionality that is not built-in to the base set of knife subcommands. Many of the knife plugins are built by members of the Chef customs and several of them are built and maintained past Chef.
A knife plugin can be used to make authenticated API requests to the Chef server using the following methods:
| Method | Description |
|---|---|
rest.delete_rest | Use to delete an object from the Chef server. |
rest.get_rest | Employ to get the details of an object on the Chef server. |
rest.post_rest | Utilise to add together an object to the Chef server. |
rest.put_rest | Utilize to update an object on the Chef server. |
For example:
module MyCommands class MyNodeDelete < Chef :: Pocketknife #An implementation of pocketknife node delete banner 'knife my node delete [NODE_NAME]' def run if name_args . length < one show_usage ui . fatal ( "Yous must specify a node name." ) leave 1 cease nodename = name_args [ 0 ] api_endpoint = "nodes/ #{ nodename } " # Once more, we could just call rest.delete_rest nodey = rest . get_rest ( api_endpoint ) ui . confirm ( "Do y'all really desire to delete #{ nodey } " ) nodey . destroy end end end From the Web Interface¶
The Chef server user interface uses the Chef server API to perform nearly operations. This ensures that authentication requests to the Chef server are authorized. This authentication procedure is handled automatically and is not something that users of the hosted Chef server will demand to manage. For the on-premises Chef server, the authentication keys used by the spider web interface will need to be maintained by the individual administrators who are responsible for managing the server.
Other Options¶
The most common ways to interact with the Chef server using the Chef server API abstract the API from the user. That said, the Chef server API can be interacted with directly. The following sections describe a few of the ways that are available for doing that.
curlicue¶
An API request tin be fabricated using cURL, which is a Fustigate crush script that requires two utilities: awk and openssl. The following instance shows how an authenticated request can be fabricated using the Chef server API and curl:
#!/usr/bin/env fustigate _chef_dir () { # Helper function: # Recursive office that searches for chef configuration directory # It looks upward from the cwd until it hits /. If no directory is constitute, # ~/.chef is chosen if information technology exists # You could merely hard-lawmaking the path below if [ " $PWD " = "/" ] ; then if [ -d ".chef" ] ; then echo "/.chef" elif [ -d " $HOME /.chef" ] ; so echo " $HOME /.chef" fi return fi if [ -d '.chef' ] ; and then echo " ${ PWD } /.chef" else ( cd ..; _chef_dir) fi } _chomp () { # helper function to remove newlines awk '{printf "%s", $0}' } chef_api_request() { # This is the meat-and-potatoes, or rice-and-vegetables, your preference really. local method path trunk timestamp chef_server_url client_name hashed_body hashed_path local canonical_request headers auth_headers chef_server_url = "https://api.opscode.com/organizations/my_org" # '/organizations/ORG_NAME' is needed if echo $chef_server_url | grep -q "/organizations/" ; so endpoint =/organizations/${ chef_server_url #*/organizations/ }${ 2 %% \? * } else endpoint = ${ two %% \? * } fi path = ${ chef_server_url } $2 client_name = "chef_user" method = $1 body = $three hashed_path = $( echo -n " $endpoint " | openssl dgst -sha1 -binary | openssl enc -base64) hashed_body = $( echo -due north " $body " | openssl dgst -sha1 -binary | openssl enc -base64) timestamp = $(appointment -u "+%Y-%g-%dT%H:%Yard:%SZ" ) canonical_request = "Method: $method \nHashed Path: $hashed_path \nX-Ops-Content-Hash: $hashed_body \nX-Ops-Timestamp: $timestamp \nX-Ops-UserId: $client_name " headers = "-H 10-Ops-Timestamp: $timestamp \ -H 10-Ops-Userid: $client_name \ -H Ten-Chef-Version:0.10.iv \ -H Accept:application/json \ -H X-Ops-Content-Hash: $hashed_body \ -H Ten-Ops-Sign:version=i.0" auth_headers = $( printf " $canonical_request " | openssl rsautl -sign -inkey \ " $(_chef_dir) / ${ client_name } .pem" | openssl enc -base64 | _chomp | awk '{ll=int(length/threescore);i=0; \ while (i<=ll) {printf " -H X-Ops-Dominance-%s:%s", i+1, substr($0,i*60+one,60);i=i+one}}' ) case $method in Go) curl_command = "curl $headers $auth_headers $path " $curl_command ;; *) echo "Unknown Method. I only know: GET" >& 2 return 1 ;; esac } chef_api_request " $@ " Later on saving this shell script to a file named chef_api_request , use information technology similar to the following:
$ bash chef_api_request GET "/clients" PyChef¶
An API request tin exist fabricated using PyChef, which is a Python library that meets the Mixlib::Authentication requirements so that information technology tin easily collaborate with the Chef server. The following example shows how an authenticated request tin be fabricated using the Chef server API and PyChef:
from chef import autoconfigure , Node api = autoconfigure () n = Node ( 'web1' ) print n [ 'fqdn' ] n [ 'myapp' ][ 'version' ] = 'one.0' n . save () and the following instance shows how to make API calls directly:
from chef import autoconfigure api = autoconfigure () impress api . api_request ( 'Go' , '/clients' ) The previous examples assume that the current working directory is such that PyChef can discover a valid configuration file in the same manner as the chef-client or knife. For more than about PyChef, see: https://github.com/coderanger/pychef.
Cherry¶
On a system with the chef-customer installed, use Ruby to brand an authenticated request to the Chef server:
require 'chef/config' require 'chef/log' require 'chef/rest' chef_server_url = 'https://chefserver.com' client_name = 'clientname' signing_key_filename = '/path/to/pem/for/clientname' rest = Chef :: Residual . new ( chef_server_url , client_name , signing_key_filename ) puts rest . get_rest ( '/clients' ) or:
require 'mixlib/cli' crave 'chef' require 'chef/node' require 'chef/mixin/xml_escape' require 'json' config_file = 'c:/chef/client.rb' Chef :: Config . from_file ( config_file ) Chef :: Log . level = Chef :: Config [ :log_level ] def Usage () puts '/etc/chef/customer.rb' # The config file location, e.m. ~/dwelling/.chef/config.rb etc config_file = gets . chomp if ( ! File . exist? ( config_file )) puts 'config_file #{config_file} does non exist. Exiting.\northward' exit end STDOUT . puts <<- EOF Cull options east.thou. 1 i Display all nodes per environment 2 Display all nodes in detail (tin be slow if in that location a big number of nodes) nine Exit EOF terminate def ExecuteUserChoice () testoption = gets . chomp case testoption when '1' Execute ( method ( :DisplayNodesPerEnv )) when '2' Execute ( method ( :DisplayNodesDetail )) when '9' puts 'exit' else puts 'Unknown choice #{testoption}. Exiting\n' exit cease end def DisplayNodesPerEnv () Chef :: Environment . listing ( false ) . each do | envr | impress 'ENVIRONMENT: ' , envr [ 0 ] , '\n' Chef :: Node . list_by_environment ( envr [ 0 ] , imitation ) . each do | node_info | print '\tNODE: ' , node_info [ 0 ] , '\n' impress '\t\tURL: ' , node_info [ 1 ] , '\northward' stop end end def DisplayNodesDetail () Chef :: Node . list ( truthful ) . each do | node_array | node = node_array [ 1 ] print '#{node.name}\n' print '\t#{node[:fqdn]}\n' print '\t#{node[:kernel][:machine]}\n' print '\t#{node[:kernel][:os]}\northward' impress '\t#{node[:platform]}\n' print '\t#{node[:platform_version]}\n' impress '\t#{node.chef_environment}\n' impress '\t#{node.run_list.roles}\n' end end def Execute ( option ) brainstorm profilestart = Time . now selection . call () profileend = Fourth dimension . now timeofrun = profileend - profilestart print 'Time taken = #{timeofrun}' rescue Exception => ex print 'Error calling chef API' print ex . bulletin impress ex . backtrace . bring together ( '\n' ) end cease Usage () ExecuteUserChoice () Another way Ruby tin can be used with the Chef server API is to get objects from the Chef server, and so interact with the returned information using Scarlet methods. Whenever possible, the Chef server API volition return an object of the relevant type. The returned object is then bachelor to be called past other methods. For example, the api.go method can be used to return a node named foobar , so .destroy can be used to delete that node:
silly_node = api.get('/nodes/foobar') silly_node.destroy Debug Hallmark Bug¶
In some cases, the chef-customer may receive a 401 response to the hallmark request and a 403 response to an authority request. An authentication error error may wait like the following:
[Wed, 05 Oct 2011 xv:43:34 -0700] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate as node_name. Ensure that your node_name and customer central are right. To debug authentication problems, determine which chef-client is attempting to authenticate. This is often constitute in the log messages for that chef-customer. Debug logging tin be enabled on a chef-client using the following control:
When debug logging is enabled, a log entry will look like the following:
[Wed, 05 Oct 2011 22:05:35 +0000] DEBUG: Signing the request as NODE_NAME
If the authentication request occurs during the initial chef-customer run, the result is most likely with the private key.
If the authentication is happening on the node, at that place are a number of common causes:
- The
client.pemfile is wrong. This tin can be stock-still past deleting theclient.pemfile and re-running the chef-client. When the chef-client re-runs, it volition re-attempt to register with the Chef server and generate the correct key. - A
node_nameis unlike from the i used during the initial chef-client run. This can happen for a number of reasons. For instance, if the customer.rb file does not specify the correct node name and the host proper name has recently inverse. This upshot can be resolved by explicitly setting the node name in the client.rb file or by using the-Due northoption for the chef-client executable. - The system clock has drifted from the actual fourth dimension by more xv minutes. This can exist stock-still by syncing the clock with an Network Fourth dimension Protocol (NTP) server.
Authority¶
The Chef server uses a function-based access command (RBAC) model to ensure that users may simply perform authorized actions.
Chef Server¶
The Chef server uses role-based access control (RBAC) to restrict access to objects—nodes, environments, roles, data bags, cookbooks, and so on. This ensures that merely authorized user and/or chef-customer requests to the Chef server are allowed. Admission to objects on the Chef server is fine-grained, assuasive access to exist defined by object type, object, group, user, and organization. The Chef server uses permissions to define how a user may interact with an object, after they accept been authorized to exercise and so.
The Chef server uses organizations, groups, and users to ascertain function-based admission command:
| Characteristic | Description |
|---|---|
| | An organization is the summit-level entity for role-based admission control in the Chef server. Each organisation contains the default groups ( admins , clients , and users , plus billing_admins for the hosted Chef server), at to the lowest degree ane user and at to the lowest degree one node (on which the chef-client is installed). The Chef server supports multiple organizations. The Chef server includes a unmarried default system that is defined during setup. Additional organizations can exist created after the initial setup and configuration of the Chef server. |
| | A group is used to define access to object types and objects in the Chef server and also to assign permissions that decide what types of tasks are available to members of that group who are authorized to perform them. Groups are configured per-organization. Individual users who are members of a group will inherit the permissions assigned to the grouping. The Chef server includes the following default groups: |
| | A user is whatever non-ambassador human who will manage data that is uploaded to the Chef server from a workstation or who will log on to the Chef direction panel web user interface. The Chef server includes a unmarried default user that is defined during setup and is automatically assigned to the admins grouping. |
| | A client is an actor that has permission to access the Chef server. A client is virtually often a node (on which the chef-client runs), simply is also a workstation (on which knife runs), or some other auto that is configured to use the Chef server API. Each request to the Chef server that is made by a client uses a private key for authentication that must be authorized by the public key on the Chef server. |
When a user makes a request to the Chef server using the Chef server API, permission to perform that action is determined by the following procedure:
- Cheque if the user has permission to the object blazon
- If no, recursively check if the user is a member of a security group that has permission to that object
- If yes, allow the user to perform the action
Permissions are managed using the Chef direction console add-on in the Chef server web user interface.
Object Permissions¶
The Chef server includes the following object permissions:
| Permission | Description |
|---|---|
| Delete | Use the Delete permission to define which users and groups may delete an object. This permission is required for whatsoever user who uses the pocketknife [object] delete [object_name] statement to interact with objects on the Chef server. |
| Grant | Use the Grant permission to ascertain which users and groups may configure permissions on an object. This permission is required for any user who configures permissions using the Administration tab in the Chef management console. |
| Read | Use the Read permission to define which users and groups may view the details of an object. This permission is required for whatsoever user who uses the pocketknife [object] evidence [object_name] argument to interact with objects on the Chef server. |
| Update | Apply the Update permission to define which users and groups may edit the details of an object. This permission is required for any user who uses the knife [object] edit [object_name] argument to collaborate with objects on the Chef server and for whatever chef-client to relieve node information to the Chef server at the decision of a chef-client run. |
Global Permissions¶
The Chef server includes the following global permissions:
| Permission | Description |
|---|---|
| Create | Utilise the Create global permission to define which users and groups may create the following server object types: cookbooks, data bags, environments, nodes, roles, and tags. This permission is required for any user who uses the knife [object] create argument to interact with objects on the Chef server. |
| List | Use the List global permission to define which users and groups may view the following server object types: cookbooks, information bags, environments, nodes, roles, and tags. This permission is required for any user who uses the knife [object] list argument to interact with objects on the Chef server. |
These permissions set the default permissions for the following Chef server object types: clients, cookbooks, data bags, environments, groups, nodes, roles, and sandboxes.
Customer Key Permissions¶
Notation
This is just necessary afterward migrating a client from 1 Chef server to some other. Permissions must be reset for client keys after the migration.
A client is an actor that has permission to admission the Chef server. A client is most frequently a node (on which the chef-client runs), but is besides a workstation (on which knife runs), or another machine that is configured to utilise the Chef server API. Each request to the Chef server that is made by a client uses a individual key for authentication that must exist authorized by the public fundamental on the Chef server.
Keys should take DELETE , GRANT , READ and UPDATE permissions.
Use the following lawmaking to set the correct permissions:
#!/usr/bin/env ruby require 'chef/knife' crave 'chef/residue' Chef :: Config . from_file ( File . join ( Chef :: Knife . chef_config_dir , 'config.rb' )) residual = Chef :: Residual . new ( Chef :: Config [ :chef_server_url ] ) Chef :: Node . list . each practice | node | %w{read update delete grant} . each practise | perm | ace = residual . become ( "nodes/ #{ node [ 0 ] } /_acl" ) [ perm ] ace [ 'actors' ] << node [ 0 ] unless ace [ 'actors' ]. include? ( node [ 0 ] ) residuum . put ( "nodes/ #{ node [ 0 ] } /_acl/ #{ perm } " , perm => ace ) puts "Client \" #{ node [ 0 ] } \" granted \" #{ perm } \" admission on node \" #{ node [ 0 ] } \" " end end Salve information technology equally a Ruby script— chef_server_permissions.rb , for instance—in the .chef/scripts directory located in the chef-repo, and then run a pocketknife command similar to:
$ knife exec chef_server_permissions.rb Default Groups¶
The Chef server includes the following default groups:
| Grouping | Description |
|---|---|
admins | The admins grouping defines the list of users who have authoritative rights to all objects and object types for a single organization. |
billing_admins | The billing_admins group defines the listing of users who accept permission to manage billing information. This permission exists merely for the hosted Chef server. |
clients | The clients group defines the list of nodes on which a chef-client is installed and under direction by Chef. In general, call up of this permission as "all of the non-human actors—the chef-client, in nigh every example—that go information from, and/or upload data to, the Chef server". Newly-created chef-customer instances are added to this group automatically. |
public_key_read_access | The public_key_read_access group defines which users and clients take read permissions to primal-related endpoints in the Chef server API. |
users | The users group defines the list of users who use knife and the Chef direction console to interact with objects and object types. In general, call up of this permission every bit "all of the non-admin homo actors who work with data that is uploaded to and/or downloaded from the Chef server". |
Multiple Organizations¶
A unmarried instance of the Chef server can support many organizations. Each organisation has a unique set of groups and users. Each organization manages a unique prepare of nodes, on which a chef-client is installed and configured so that information technology may interact with a single organization on the Chef server.
A user may belong to multiple organizations nether the post-obit atmospheric condition:
- Role-based access control is configured per-organisation
- For a single user to interact with the Chef server using knife from the same chef-repo, that user may need to edit their config.rb file prior to that interaction
Using multiple organizations within the Chef server ensures that the same toolset, coding patterns and practices, physical hardware, and product support effort is being practical across the entire company, even when:
- Multiple product groups must be supported—each product grouping tin accept its own security requirements, schedule, and goals
- Updates occur on different schedules—the nodes in i organisation are managed completely independently from the nodes in another
- Individual teams take competing needs for object and object types—data numberless, environments, roles, and cookbooks are unique to each organization, even if they share the aforementioned proper name
Many Users, Same Repo¶
The config.rb configuration can include arbitrary Crimson code to extend configuration across static values. This can be used to load environmental variables from the workstation. This makes information technology possible to write a single config.rb file that tin can be used by all users within your organization. This unmarried file tin can as well be checked into your chef-repo, allowing users to load different config.rb files based on which chef-repo they execute the commands from. This can be especially useful when each chef-repo points to a different chef server or organization.
Example config.rb:
current_dir = File.dirname(__FILE__) user = ENV['OPSCODE_USER'] || ENV['USER'] node_name user client_key "#{ENV['HOME']}/chef-repo/.chef/#{user}.pem" validation_client_name "#{ENV['ORGNAME']}-validator" validation_key "#{ENV['Habitation']}/chef-repo/.chef/#{ENV['ORGNAME']}-validator.pem" chef_server_url "https://api.opscode.com/organizations/#{ENV['ORGNAME']}" syntax_check_cache_path "#{ENV['Abode']}/chef-repo/.chef/syntax_check_cache" cookbook_path ["#{current_dir}/../cookbooks"] cookbook_copyright "Your Company, Inc." cookbook_license "apachev2" cookbook_email "cookbooks@yourcompany.com" # Amazon AWS knife[:aws_access_key_id] = ENV['AWS_ACCESS_KEY_ID'] knife[:aws_secret_access_key] = ENV['AWS_SECRET_ACCESS_KEY'] Chef server API¶
The Chef server API is a REST API that provides admission to objects on the Chef server, including nodes, environments, roles, cookbooks (and cookbook versions), and to manage an API client list and the associated RSA public key-pairs.
Endpoints¶
Each organisation-specific authentication request must include /organizations/Proper name as function of the name for the endpoint. For example, the full endpoint for getting a list of roles:
Become /organizations/Name/roles where ORG_NAME is the name of the organization.
For more information about the Chef server API endpoints run across the Chef server API documentation.
Source: http://man.hubwiz.com/docset/Chef.docset/Contents/Resources/Documents/docs.chef.io/auth.html
0 Response to "Knife Upload Node Invalid Key Roles in Request Bod"
Enregistrer un commentaire