- From: Noah Kantrowitz <
>
- To:
- Subject: [chef] Re: How to modify path used in signature
- Date: Sat, 19 Jul 2014 16:38:10 -0700
On Jul 19, 2014, at 4:32 PM, Ameir Abdeldayem
<
>
wrote:
>
Hello,
>
>
I work at a big company with several different ops teams. For the most
>
part, each ops team maintains its own open-source Chef server.
>
>
I'm looking into the feasibility of mimicking the Hosted Chef style of
>
paths, e.g. /organizations/opsteam1. So, for a node list from knife, the
>
request would look like 'GET /organizations/opsteam1/nodes'.
>
>
If I put this behind a proxy and rewrite the path to just '/nodes', I get a
>
401. After looking at the auth page at http://docs.opscode.com/auth.html, ;
>
that makes sense, since the hashed path is part of the signed request.
>
>
In order for this to work, the client needs to sign the request with
>
'/nodes' as the path, even if the target path differs.
>
>
I know I'll likely need to override
>
https://github.com/opscode/mixlib-authentication/blob/a32e96a6a8cd53e2ff2a775ef0f757550289f89b/lib/mixlib/authentication/signedheaderauth.rb#L119
>
in both knife and chef-client to achieve what I'm looking for. I don't
>
mind requiring that folks install a knife plugin or a gem for this to work.
>
>
Could you give me direction on how to best achieve this?
Best? Purchase an Enterprise Chef license. While you might be able to hack
this together, its going to be both highly insecure (no audit records, etc)
and very breakable.
--Noah
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
Archive powered by MHonArc 2.6.16.