[chef] Re: "knife user" vs "knife client"


  • From: Daniel DeLeo
  • Subject: [chef] Re: "knife user" vs "knife client"
  • Date: Fri, 21 Jun 2013 09:08:17 -0700


On Friday, June 21, 2013 at 4:15 AM, Maciej Pasternacki wrote:

> Hi,
>
> I'm bootstrapping a Chef server 11 for the first time, and I'm a bit confused by the distinction of "knife user" vs "knife client".
>
> I don't want to use Chef server's web UI (at least for now), and I don't want the users to have any passwords at all (API is authenticated by keys; all web panels are protected by SSO). All the setup instructions use Web UI, and `knife client create` requires me to provide a password.

Is that a mistype? I don't see how `knife client create` would require a password...

> As far as I understand, for API access `knife client create --admin` is sufficient. Am I right, or is there something I'm missing?

For now, users and clients are equivalent, except that users have passwords and clients don't. In the far future (e.g., Chef 12) that *could* change, if there's reason to do so.

> Are users created with `knife user create` relevant anywhere else than web UI and chef-vault?
>
> Is it possible to create a user without a valid password, so that it's not possible to authenticate using password?
>
> The existing documentation doesn't really specify what a 'user' actually is, it seems to be just a dump of `knife user --help`.

Users and clients are both "identities" that have a key pair. Users also have a password. In the commercial versions of Chef where you have multi-tenancy, users are global, while clients are scoped to organizations. In the OSS server, there is no multi-tenancy so that distinction doesn't matter.

> Thanks,
> -- Maciej

Anyway, you can totally use Chef just fine for now without setting up any users, as long as you're fine with the fact that you're doing things in a non-standard way, so documented procedures might not work correctly. Also, if some API operations are restricted to users (hypothetical example: uploading cookbooks or deleting things) in a future update, you'll have a bit of extra work to do when upgrading.

-- 
Daniel DeLeo



