- From: Steven Danna
- Subject: [chef] Re: Forbidden 403 after adding nodes on Chef 12
- Date: Wed, 26 Aug 2015 21:53:08 +0100
Hi Doug,
Thanks for your email. Some recent changes were made to knife-acl to try to prevent users from accidentally breaking their Chef organization. But, it appears we were over-zealous and prevented this use case. This use case is important so we'll look into fixing it so that it is possible.
Until it is fixed, you can still fix the permissions on a node by using `knife edit /acls/nodes/NODENAME.json`.
> It would seem that bootstrap is doing something magical that 'knife node from file' is not.
`knife node from file` is creating the node as your user. By default
the creator of an object gets all permissions on that object. The
`bootstrap` command creates the client first and then the client is
used to create the node object. Since the client creates the node
object it gets all permissions on that object.
> However, I'd prefer not to use bootstrap as this needs to work with autoscaling groups.
Without knowing the details of what your autoscaling group needs to
do, I can't give specific advice. But many autoscaling
implementations use the validator-based bootstrapping with custom node
json fed in via user-data. This doesn't require pre-creating the node
object so the client will end up with the correct permissions. The
custom node json is passed in on the first chef-client run via the
`-j` flag.
I hope this helps.
Cheers,
Steven
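As an added illustration (not code from Steven's mail or from knife-acl): a small Ruby script that reads a node ACL in the layout `knife edit /acls/nodes/NODENAME.json` shows, reports which permissions a given client lacks, and produces the edited ACL that grants the client `update`, which is the permission the node save (PUT) in Doug's log needs. The ACL contents, the actor names and the assumption that every client is a member of the `clients` group are constructed for the example.

```ruby
require 'json'

# Constructed sample of a node ACL in the layout shown by
# `knife edit /acls/nodes/NODENAME.json`: one entry per permission, each
# with an "actors" list and a "groups" list. The node was created with
# `knife node from file` by user "doug", so "doug" got every permission and
# the client that will run chef-client on the node is nowhere in "update".
SAMPLE_NODE_ACL = <<~JSON
  {
    "create": { "actors": ["doug", "pivotal"], "groups": ["admins", "users"] },
    "read":   { "actors": ["doug", "pivotal"], "groups": ["admins", "users", "clients"] },
    "update": { "actors": ["doug", "pivotal"], "groups": ["admins", "users"] },
    "delete": { "actors": ["doug", "pivotal"], "groups": ["admins", "users"] },
    "grant":  { "actors": ["doug", "pivotal"], "groups": ["admins"] }
  }
JSON

# Permissions in `perms` that `actor` holds neither directly nor through one
# of the groups in `member_of` (assumed: a client belongs to "clients").
# A client missing "update" gets exactly the 403 on PUT seen in the thread.
def missing_permissions(acl, actor, member_of: ['clients'], perms: %w[read update])
  perms.reject do |perm|
    entry = acl.fetch(perm)
    entry.fetch('actors').include?(actor) || (entry.fetch('groups') & member_of).any?
  end
end

# Return a new ACL with `actor` added to the actors of each permission in
# `perms`. Idempotent; groups and the other permissions are left untouched.
def grant_to_actor(acl, actor, perms = %w[update])
  acl.each_with_object({}) do |(perm, entry), out|
    actors = entry.fetch('actors').dup
    actors << actor if perms.include?(perm) && !actors.include?(actor)
    out[perm] = { 'actors' => actors, 'groups' => entry.fetch('groups').dup }
  end
end

# Render the ACL as the JSON you would save in the `knife edit` session.
def render_acl(acl)
  JSON.pretty_generate(acl)
end

if __FILE__ == $PROGRAM_NAME
  acl = JSON.parse(SAMPLE_NODE_ACL)
  client = 'dt-ac8c940d.dev.foobar.com'
  puts "client lacks: #{missing_permissions(acl, client).inspect}"
  puts render_acl(grant_to_actor(acl, client))
end
```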
On Tue, Aug 25, 2015 at 7:20 PM, Doug Garstang wrote:
> Running chef client in debug mode shows this:
>
> Initiating PUT to https://chef-008.dev.foobar.com/organizations/foobar/nodes/dt-ac8c940d.dev.foobar.com
> ...
> HTTP 1.1 403 Forbidden
>
> How do I go about fixing this?
>
> I'm simply adding my node with:
>
> knife node from file dt-ac8c940d.dev.foobar.com.json
>
> and then running the chef-client.
>
> This thread seems to be related:
> https://github.com/chef/chef-server/issues/63
>
> However, attempting to use the suggested:
>
> knife acl add nodes dt-ac8c940d.dev.foobar.com update client dt-ac8c940d.dev.foobar.com
>
> results in:
>
> FATAL: ERROR: To enforce best practice, knife-acl can only add a group to an ACL.
> FATAL: See the knife-acl README for more information.
>
> I've reproduced this multiple times after deleting both the node and the client and running the knife node from file ... command again.
>
> I've also tried running knife bootstrap, and the problem disappears. It would seem that bootstrap is doing something magical that 'knife node from file' is not. However, I'd prefer not to use bootstrap as this needs to work with autoscaling groups.
>
> Thanks,