Maxim Lanin

Reputation: 4531

Permissions to create clients on chef-server

On chef-server I have a group, provisioners, for users who should have permissions to bootstrap and provision nodes in the so-called validator-less way.

While bootstrapping a machine, knife tries to create a new client and node on the chef server. The problem is with the ACL for that group. In the Global Permissions section I can find the container and grant create permission only for nodes, but not for clients. That's why knife bootstrap fails with:

Creating new client for node-01
ERROR: You authenticated successfully to https://chef-server:443/organizations/test as mlanin but you are not authorized for this action
Response:  missing create permission

How can I grant create permissions for clients?

Upvotes: 2

Views: 5450

Answers (2)

Kyle VanderBeek

Reputation: 1085

The knife-acl gem is the right answer. Specific to the OP's question, this grants the ability to create clients as a member of the "provisioners" group:

knife acl add group provisioners containers clients create

I found I needed to do this for the "users" group on a brand new installation of chef-server. It doesn't seem like the out-of-box permissions really take validator-less into account.

Upvotes: 5

coderanger

Reputation: 54211

You'll need to edit the ACLs directly via either the knife-acl plugin or knife edit .../_acl.json. The UI hides some permissions stuff to avoid being over-complicated.

Refer to: https://github.com/chef/knife-acl

Upvotes: 5
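
An added example, not part of either answer or of knife-acl: a Ruby check that reads a container ACL document, such as the one behind the _acl endpoint mentioned above, and compares the groups holding each permission against an allow-list, so a grant like the one for "provisioners" can be confirmed and broader grants noticed. The JSON layout (per-permission actors and groups), the sample data and the expected policy are assumptions constructed for illustration.

```ruby
require 'json'

# Constructed sample of a clients-container ACL (assumed layout:
# one entry per permission, each listing actors and groups).
SAMPLE_CLIENTS_ACL = <<~JSON
  {
    "create": {"actors": ["pivotal"], "groups": ["admins", "provisioners"]},
    "read":   {"actors": ["pivotal"], "groups": ["admins", "users", "clients"]},
    "update": {"actors": ["pivotal"], "groups": ["admins"]},
    "delete": {"actors": ["pivotal"], "groups": ["admins", "users"]},
    "grant":  {"actors": ["pivotal"], "groups": ["admins"]}
  }
JSON

PERMISSIONS = %w[create read update delete grant].freeze

# Hypothetical policy: which groups should hold each permission.
EXPECTED = {
  'create' => %w[admins provisioners],
  'read'   => %w[admins clients users],
  'update' => %w[admins],
  'delete' => %w[admins],
  'grant'  => %w[admins]
}.freeze

# Returns a hash: permission => sorted list of groups holding it.
# A permission that is absent from the document yields an empty list.
def groups_by_permission(acl_json)
  acl = JSON.parse(acl_json)
  PERMISSIONS.to_h { |perm| [perm, Array(acl.dig(perm, 'groups')).sort] }
end

# Compares the ACL with the allow-list and returns
# { missing: [...], unexpected: [...] } as "permission:group" strings.
def audit_acl(acl_json, expected)
  actual = groups_by_permission(acl_json)
  report = { missing: [], unexpected: [] }
  PERMISSIONS.each do |perm|
    want = expected.fetch(perm, [])
    have = actual[perm]
    (want - have).each { |g| report[:missing] << "#{perm}:#{g}" }
    (have - want).each { |g| report[:unexpected] << "#{perm}:#{g}" }
  end
  report
end

puts audit_acl(SAMPLE_CLIENTS_ACL, EXPECTED) if __FILE__ == $PROGRAM_NAME
```

An entry under missing for create explains the "missing create permission" error from knife bootstrap; an entry under unexpected marks a grant wider than the policy intends.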
