Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document that in order to use chef_vault_secret, the client must be an admin #46

Open
hh opened this issue Jan 4, 2016 · 6 comments
Open

Document that in order to use chef_vault_secret, the client must be an admin #46

hh opened this issue Jan 4, 2016 · 6 comments
Labels
Type: Chore non-critical maintenance of a project.

Comments

@hh
Copy link

hh commented Jan 4, 2016

admins is a required attribute:
https://github.com/chef-cookbooks/chef-vault/blob/master/libraries/chef_vault_secret.rb#L38

However I haven't found a way to configure chef to allow clients to read user pubic keys without providing full admin access:

You can do the following to read clients:

knife acl add client 'node_for_chef_vault_secret_creation' container clients read

But the only way to get them to read users is to give the node full admin privs:

knife group add client 'node_for_chef_vault_secret_creation' group admins

We should document this, and maybe look at creating a ticket around allowing access to public keys. Github does it by default to the entire world: https://github.com/hh.keys
@hh
Copy link
Author

hh commented Jan 4, 2016

Note that trying to add a client to the admin group via the manage.chef.io results in an error, you must do it via knife-acl / knife group add

@hh
Copy link
Author

hh commented Jan 4, 2016

I'm going to try removing the requirement for the admin attribute.

@atrull
Copy link

atrull commented Jan 18, 2016

Looking forward to this fix.

@hh
Copy link
Author

hh commented Jan 19, 2016

I don't think it's really usable at all in current state, but I don't have the time/resources to look into this further atm.

@atrull
Copy link

atrull commented Jan 19, 2016

Agreed :( I am hoping chef will find a real fix for this since I think the RBAC / databags implementation is mutually exclusive to the implementation of chef-vault (cookbook and gem).

@hh
Copy link
Author

hh commented Jan 19, 2016 

search(:node, search_string) do |n|
  # my work around using chef_data_bag which encrypts using the shared key
  # but I'd like to replace with the chef_vault_secret
  chef_data_bag_item "secrets/for_#{n.name}" do
    complete true
    encrypt true
    encryption_version 3
    secret_path '/etc/chef/encrypted_data_bag_secret'
    raw_data lazy {
        {'secret' => open("/tmp/dynamic_data_from_chefrun_for_#{n.name}").read }
      }
  end

  chef_vault_secret "secrets/for_#{n.name}" do
    search "name:#{n.name} or name:#{node.name}" # the target node AND this node need to be encrypt
    # clients [n.name, node.name]
    data_bag node['secrets_databag']
    raw_data(
      lazy {
        {'secret' => open("/tmp/dynamic_data_from_chefrun_for_#{n.name}").read }
      }
    )
    # admins  doesn't seem to work on hosted chef as the node/client running the recipe
    # can't "read/get" the users... the client must  be an admin.
    # knife group add client the_node_running_this admins (doesn't work via knife-acl)
   # updating the web-gui works but we still fail to encrypt to any nodes 
    admins 'hippiehacker'
  end
end

@tas50 tas50 added Type: Chore non-critical maintenance of a project. and removed Type: Maintenance labels Jan 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Chore non-critical maintenance of a project.
Milestone
No milestone
Development

No branches or pull requests
5 participants
@thommay @hh @cheeseplus @tas50 @atrull