While setting up the icinga2 chef cookbook for my own personal use (specifically around the pki-ticket generation for the icinga2 remote API), I have spent a lot of time looking for a way to enable admin on a client, as the data bag documentation requires.

Altering data bags from the node when using the open source Chef server requires the node’s API client to be granted admin privileges. In most cases, this is not advisable.

However, I'm not able to set an admin client when I edit the json through knife client edit. I edit the json, changing "admin": true and save it. knife reports that it's updated, but a knife client show shows that admin is still false. Additionally, I find conflicting information in the knife client documentation.

With regard to the -a / --admin option for creating a client:

This option only works when used with the open source Chef server and will have no effect when used with Enterprise Chef or Chef server 12.x.

How do I enable edit/creation of databags/databag entries from a recipe?

BeepDog

1 Answer

You would use the Chef Server ACL system: https://docs.chef.io/auth.html#authorization

You can either edit those via the Manage web UI or the knife-acl CLI.

Be aware of the security ramifications and general complexities of this approach before you proceed though.

coderanger
  • by knife-acl, you mean this: https://github.com/chef/knife-acl ? Would you be willing to attach a screenshot, or a url path to the Manage Web ui part? – BeepDog May 05 '17 at 04:18
  • As well, could you explain in a bit more detail how I use knife-acl to enable a specific client to access a databag? The github documentation is over my head. – BeepDog May 05 '17 at 04:21
  • Unfortunately the specifics depend entirely on your use case, so you'll have to just read through all of it. Unfortunately the permissions system is quite complex and can take some time to get used to. I would recommend not pursuing data bag write back as an option as it is generally a bad idea as mentioned above. – coderanger May 05 '17 at 05:06
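The comments above ask how knife-acl is used to let one specific client write to one data bag without granting it admin. The script below is an added example, not code from the question, the answer or the knife-acl project; it assumes the `knife acl` / `knife group` command syntax documented in the chef/knife-acl README, and the node client name (icinga-node01), data bag name (icinga2-tickets) and group name are constructed.

```shell
#!/bin/sh
# Added example: grant ONE node's API client write access to ONE data bag through
# a group, instead of making the client an admin. The knife-acl / knife group
# syntax is an assumption based on the chef/knife-acl README; compare it with
# `knife acl --help` on your installed version before running the output.

# Print the knife commands that give CLIENT the PERMS on data bag BAG via GROUP.
# Nothing is executed here: review the plan, then pipe it to sh.
plan_data_bag_grant() {
  client="$1"
  bag="$2"
  group="${3:-${bag}-writers}"        # one group per bag keeps the blast radius small
  perms="${4:-create,read,update}"    # add/update items; no delete unless asked for

  [ -n "$client" ] && [ -n "$bag" ] || {
    echo "usage: plan_data_bag_grant CLIENT BAG [GROUP] [PERMS]" >&2
    return 2
  }

  # 'grant' lets the holder rewrite the ACL itself, which is effectively admin on
  # that object; a node client should never receive it.
  case ",$perms," in
    *,grant,*) echo "refusing to hand 'grant' to client $client" >&2; return 1 ;;
  esac

  # Scoping the ACL to 'data BAG' (the single bag) rather than 'containers data'
  # (every bag on the server) is what keeps this a least-privilege grant.
  printf '%s\n' \
    "knife group create $group" \
    "knife group add client $client $group" \
    "knife acl add group $group data $bag $perms" \
    "knife acl show data $bag"   # verify: only this group (plus admins) should appear
}

# Constructed sample names: the icinga2 node's API client and a tickets data bag.
plan_data_bag_grant icinga-node01 icinga2-tickets
# To apply after reviewing:  plan_data_bag_grant icinga-node01 icinga2-tickets | sh
```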