- From: Noah Kantrowitz <
>
- To:
- Subject: [chef] Re: knide client delete leads to 403 "Forbidden" on Chef Server 12
- Date: Sun, 4 Jan 2015 15:02:58 -0800
On Jan 4, 2015, at 2:57 PM, Mark Selby
<
>
wrote:
>
I have recently upgraded from Chef open source server 11 to Chef Server 12
>
>
We rebuild many of our hosts regularly.
>
>
In the past we simply run a 'knife client delete <name>' and let the
>
validator recreate the client upon bootstrap. We leave the node intact and
>
it converges as per it's saved run_list.
>
>
Under chef 12 when we try and do the same thing we get
>
>
[2015-01-04T13:51:00-08:00] ERROR: 403 "Forbidden"
>
[2015-01-04T13:51:00-08:00] FATAL: Chef::Exceptions::ChildConvergeError:
>
Chef run process exited unsuccessfully (exit code 1)
>
>
It appears that the server does not like the new client key in the sense
>
that it is not associated with the old node.
>
>
Any ideas how to get around this issue or suggestions for further debugging.
This gets to some details about how the Chef ACL system works. Basically when
a new object is created, the client creating it gets special permissions so
the creator can write even if the default ACL would be read-only. This is how
a client can write to its own node object but not any others. When you leave
the existing node object, the new client only kind of gets those new
permissions. Parts of it should work since it should have the same name as
the old one, but there have been persistent issues like this due to old and
inconsistent code in places.
Short version: delete both the client and the node and use the -j option when
you re-bootstrap to pass in the old data.
--Noah
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
Archive powered by MHonArc 2.6.16.