Hi there. Are you running Chef Server 12? If so, I have just open sourced a tool 'fixie' (
) to help with this sort of thing. I expect we will be shipping this with a future version of CS 12.
This is very preliminary, and the tool has many, many sharp edges, but it is hopefully less painful than raw SQL editing. The usual disclaimer of use at your own risk, etc. applies.
But in your case, I think this tool will be your best option. There are getting started instructions in the repo on setting things up; you need to install fixie on your chef server, and on the backend/primary in a tiered/ha configuration.
In your case, I'd copy any permissions from the cookbooks container to the apache cookbook; the permissions on the cookbook should be a superset of the container permissions.
For example, if I wanted to fix or look at the permissions for the apache2 cookbook:
fixie:0 > ORGS["acme"].cookbooks['apache2'].acl
{"create"=>{"actors"=>[[:global, "pivotal"], [:global, "coyote"]], "groups"=>[["acme", "admins"], ["acme", "users"]]}, "read"=>{"actors"=>[[:global, "pivotal"], [:global, "coyote"]], "groups"=>[["acme", "admins"], ["acme", "clients"], ["acme", "users"]]}, "update"=>{"actors"=>[[:global, "pivotal"], [:global, "coyote"]], "groups"=>[["acme", "admins"], ["acme", "users"]]}, "delete"=>{"actors"=>[[:global, "pivotal"], [:global, "coyote"]], "groups"=>[["acme", "admins"], ["acme", "users"]]}, "grant"=>{"actors"=>[[:global, "pivotal"], [:global, "coyote"]], "groups"=>[["acme", "admins"]]}}
Compare it to the container:
fixie:0 >ORGS['acme'].containers['cookbooks'].acl
{"create"=>{"actors"=>[[:global, "pivotal"]], "groups"=>[["acme", "admins"], ["acme", "users"]]}, "read"=>{"actors"=>[[:global, "pivotal"]], "groups"=>[["acme", "admins"], ["acme", "clients"], ["acme", "users"]]}, "update"=>{"actors"=>[[:global, "pivotal"]], "groups"=>[["acme", "admins"], ["acme", "users"]]}, "delete"=>{"actors"=>[[:global, "pivotal"]], "groups"=>[["acme", "admins"], ["acme", "users"]]}, "grant"=>{"actors"=>[[:global, "pivotal"]], "groups"=>[["acme", "admins"]]}}
You most likely want to make sure that the cookbook permissions are a superset of the container permissions; the creating user should be listed as well (e.g. here the creating user is 'coyote', and pivotal is the 'superuser').
Adding a missing user to the read ACE:
fixie:0 > ORGS["acme"].cookbooks['apache2'].ace_add(:read, USERS['pivotal'])
Adding a missing group to the read ACE:
fixie:0 > ORGS["acme"].cookbooks['apache2'].ace_add(:read, GROUPS['admins'])
Hopefully this helps you out. And of course pull requests and feedback are always welcome.
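The "cookbook ACL should be a superset of the container ACL, plus the creating user" rule above, worked as an added example (not code from the post or from fixie): it diffs two ACLs in the hash shape fixie prints and lists the `ace_add` calls that would close the gap. The sample ACLs are constructed to mirror the acme/apache2 output above, with a few entries deliberately dropped from the cookbook side.

```ruby
# Added example, not part of fixie. Computes which actors/groups a container
# grants that an object (here a cookbook) does not, per permission.
PERMS = %w[create read update delete grant].freeze

PIVOTAL = [:global, "pivotal"]
COYOTE  = [:global, "coyote"]
ADMINS  = ["acme", "admins"]
USERS_G = ["acme", "users"]
CLIENTS = ["acme", "clients"]

# Constructed: the cookbooks container ACL as printed by fixie in the post.
CONTAINER_ACL = {
  "create" => { "actors" => [PIVOTAL], "groups" => [ADMINS, USERS_G] },
  "read"   => { "actors" => [PIVOTAL], "groups" => [ADMINS, CLIENTS, USERS_G] },
  "update" => { "actors" => [PIVOTAL], "groups" => [ADMINS, USERS_G] },
  "delete" => { "actors" => [PIVOTAL], "groups" => [ADMINS, USERS_G] },
  "grant"  => { "actors" => [PIVOTAL], "groups" => [ADMINS] },
}.freeze

# Constructed "damaged" cookbook ACL: read lost pivotal and admins, update lost coyote.
COOKBOOK_ACL = {
  "create" => { "actors" => [PIVOTAL, COYOTE], "groups" => [ADMINS, USERS_G] },
  "read"   => { "actors" => [COYOTE], "groups" => [CLIENTS, USERS_G] },
  "update" => { "actors" => [PIVOTAL], "groups" => [ADMINS, USERS_G] },
  "delete" => { "actors" => [PIVOTAL, COYOTE], "groups" => [ADMINS, USERS_G] },
  "grant"  => { "actors" => [PIVOTAL, COYOTE], "groups" => [ADMINS] },
}.freeze

# Returns { perm => {"actors"=>[...], "groups"=>[...]} } for every permission
# where the object is missing something the container (or the creator) has.
def missing_aces(object_acl, container_acl, creator: nil)
  PERMS.each_with_object({}) do |perm, out|
    cont = container_acl.fetch(perm, {})
    obj  = object_acl.fetch(perm, {})
    wanted_actors = cont.fetch("actors", []).dup
    wanted_actors << [:global, creator] if creator   # creator must be on every ACE
    actors = wanted_actors.uniq - obj.fetch("actors", [])
    groups = cont.fetch("groups", []) - obj.fetch("groups", [])
    out[perm] = { "actors" => actors, "groups" => groups } unless actors.empty? && groups.empty?
  end
end

# Renders the fixie REPL calls (same shape as in the post) that would repair the gap.
def repair_commands(org, cookbook, missing)
  target = "ORGS['#{org}'].cookbooks['#{cookbook}']"
  missing.flat_map do |perm, aces|
    aces["actors"].map { |(_scope, name)| "#{target}.ace_add(:#{perm}, USERS['#{name}'])" } +
      aces["groups"].map { |(_org, name)| "#{target}.ace_add(:#{perm}, GROUPS['#{name}'])" }
  end
end

puts repair_commands("acme", "apache2", missing_aces(COOKBOOK_ACL, CONTAINER_ACL, creator: "coyote"))
```

Running it prints three `ace_add` lines (read: pivotal and admins; update: coyote), which is the list you would then paste into fixie after eyeballing it.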