[chef] Re: Re: Re: Re: Chef12: knife user show to non-admin users

[Steven Danna < >]

Hi,

> Just to clarify: The group 'acme_global_admins' has the same privileges than
> the 'admin' default group?

No, apologies if this was unclear.  The ORGNAME_global_admins group,
as far as I know, only appears in the ACL of user's who have been
associated to ORGNAME.  It does not, by default, grant members any
other permissions.  The admins group is a member of the
ORGNAME_global_admins group specifically for the purpose of getting
permission on the global user objects for members of the org.  Perhaps
this will help:

ORGNAME_global_admins group --has--> Permission on user objects

admin --has--> permission on many local organization objects
          --is a member of --> ORGNAME_global_admins group

> Because if I just put the user in admin group, the 'knife user show' works,
> and so he is able to use 'knife vault' using the option:

Correct, if you put a user in the admin group, they will be able to
see the keys of all other users in that org by virtue of the fact that
the admin group in ORGNAME is a member of the special
ORGNAME_global_admins group.  Of course, any user in the admin group
gets the permissions associated with the admin group.

> And to read the user's public key, do we have some easier and way? :)

Not that I know of.

Cheers,

Steven