Re: Admin permissions on chef-server:4000

[Michal Frackowiak <michalf@wikidot.com>]

OK, so do you think this would work as a general-purpose security  
measure, for both chef-clients and admin access?

1. Set up a proxy server with basic auth + ssl (nginx or apache),  
passing to chef-server:4000 and 4001
2. Set up clients with
registration_url        "https://user:password@proxied-chef-server:2000";
openid_url              "https://user:password@proxied-chef-server:2001";
...
3. use https://proxied-chef-server:2000 for web ui access too

This way you could have secure access without setting up VPN  
configuration. And, you could safely run chef between networks. Would  
this work with the OpenID authentication? (Would be nice to know  
before this is not going to work before we actually start  
experimenting).
Are there any reasons NOT to do this?

Thanks,
Michal

On Mar 16, 2009, at 3:16 PM, Aric Gardner wrote:

> I meant to put up instructions for using apache's htaccess and  
> proxypass on
> the opscode wiki.
> As thats what I did.
>
> Perhaps I'll do that today, I have my notes and such.
>
> first enable mod proxy with a2enmod proxy
> then edit proxy.conf as follows
>
> <IfModule mod_proxy.c>
>        #turning ProxyRequests on and allowing proxying from all may  
> allow
>        #spammers to use your proxy to send email.
>
>        ProxyRequests Off
>        ProxyVia Full
>
>        <Proxy 127.0.0.1:80>
>              #  AddDefaultCharset off
>                Order deny,allow
>                Deny from all
>                Allow from localhost
>
>        </Proxy>
> </IfModule>
>
> and then in your sites enabled.
>
>  <location />
>
>   AuthName "Chef-Server access"
>   AuthType Basic
>   AuthName "Password Required"
>   AuthUserFile /root/password.file
>   Require valid-user
>
>  ProxyPass  http://localhost:4000/
>  ProxyPassReverse  http://localhost:4000/
>  ProxyPass  http://localhost:4001/
>  ProxyPassReverse  http://localhost:4001/
> </location>
>
> -Aric
>
>
> On Mon, 16 Mar 2009 21:34:58 +1300, AJ Christensen  
> <aj@junglist.gen.nz>
> wrote:
> > Hiya!
> >
> > You could for a start reverse proxy into the chef-server and restrict
> > particular URL's with HTTP basic or otherwise authentication.
> >
> > opscode/master currently has the functionality to restrict  
> > permissions
> > to specific openID's and specific openID relaying parties @
> http://github.com/opscode/chef/blob/34bc1e8280c63931b50dbb42ebb27fdbfe1f97c1/chef-server-slice/app/controllers/openid_consumer.rb#L115
> > You may wish to build 0.6.0 gems and roll that out.
> >
> > Regards,
> >
> > AJ
> >
> > On 16/03/2009, at 9:27 PM, Michal Frackowiak wrote:
> >
> > > Hi,
> > >
> > > we have a successfully experimenting with chef-server + clients
> > > setup, but still cannot figure out the permission settings.
> > >
> > > The problem is that when you go to you
> > http://chef-server.example.com:4000
> > > within the browser and log in using OpenID (using any external
> > > identity provider), you _always_ get admin permissions.
> > >
> > > We are running chef on a EC2 + external chef-server (+ monitoring
> > > etc) hybrid network, without any VPN, and wanted to run chef-server
> > > on a public interface.
> > >
> > > From what I can see we could restrict access to the chef-server,
> > > either by setting up a VPN network, or by limiting access in any
> > > other way. But perhaps there is a better way? Is it documented?
> > >
> > > Thanks,
> > > Michal
> > >
> > > ---------------
> > > Michal Frackowiak
> > > http://michalfrackowiak.com



---------------
Michal Frackowiak
http://michalfrackowiak.com