chef-boneyard / chef-vault

chef-vault cookbook
https://supermarket.chef.io/cookbooks/chef-vault
Apache License 2.0

Document that in order to use chef_vault_secret, the client must be an admin #46

Open hh opened 8 years ago

hh commented 8 years ago

admins is a required attribute: https://github.com/chef-cookbooks/chef-vault/blob/master/libraries/chef_vault_secret.rb#L38

However, I haven't found a way to configure Chef to allow clients to read user public keys without providing full admin access:

You can do the following to read clients:

knife acl add client 'node_for_chef_vault_secret_creation' container clients read

But the only way to get them to read users is to give the node full admin privs:

knife group add client 'node_for_chef_vault_secret_creation' group admins

We should document this, and maybe look at creating a ticket around allowing access to public keys. GitHub does it by default for the entire world: https://github.com/hh.keys

hh commented 8 years ago

Note that trying to add a client to the admin group via manage.chef.io results in an error; you must do it via knife-acl / knife group add.

hh commented 8 years ago

I'm going to try removing the requirement for the admin attribute.

atrull commented 8 years ago

Looking forward to this fix.

hh commented 8 years ago

I don't think it's really usable at all in current state, but I don't have the time/resources to look into this further atm.

atrull commented 8 years ago

Agreed :( I am hoping chef will find a real fix for this since I think the RBAC / databags implementation is mutually exclusive to the implementation of chef-vault (cookbook and gem).

hh commented 8 years ago

search(:node, search_string) do |n|
  # my workaround using chef_data_bag_item, which encrypts using the shared key,
  # but I'd like to replace it with chef_vault_secret
  chef_data_bag_item "secrets/for_#{n.name}" do
    complete true
    encrypt true
    encryption_version 3
    secret_path '/etc/chef/encrypted_data_bag_secret'
    raw_data lazy {
      { 'secret' => open("/tmp/dynamic_data_from_chefrun_for_#{n.name}").read }
    }
  end

  chef_vault_secret "secrets/for_#{n.name}" do
    search "name:#{n.name} or name:#{node.name}" # the target node AND this node need to be encrypted to
    # clients [n.name, node.name]
    data_bag node['secrets_databag']
    raw_data(
      lazy {
        { 'secret' => open("/tmp/dynamic_data_from_chefrun_for_#{n.name}").read }
      }
    )
    # admins doesn't seem to work on hosted chef, as the node/client running the recipe
    # can't "read/get" the users... the client must be an admin.
    # knife group add client the_node_running_this admins (doesn't work via knife-acl)
    # updating the web-gui works but we still fail to encrypt to any nodes
    admins 'hippiehacker'
  end
end
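As an added illustration (not code from the cookbook, the chef-vault gem, or this issue), here is a simplified model of the pattern the thread depends on: the item is encrypted with a random shared key, and that key is wrapped with each recipient's RSA public key, which is why the writer must be able to fetch every recipient's public key from the Chef server. The function names, the recipient names and the `nil`-means-unreadable convention are assumptions; the real gem's item format differs.

```ruby
# Simplified model of chef-vault style encryption (added example, not the gem's code).
# The shared key is wrapped for each recipient with RSA; a recipient whose public
# key could not be read from the server (modelled as nil) cannot be added.
require 'openssl'
require 'base64'

# Constructed stand-in for a Chef client/user keypair.
def make_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# readable_pubkeys: { recipient_name => OpenSSL::PKey::RSA public key or nil }
# Returns the encrypted item plus one wrapped copy of the shared key per recipient.
def vault_encrypt(secret_json, readable_pubkeys)
  missing = readable_pubkeys.select { |_, k| k.nil? }.keys
  raise "cannot read public key for: #{missing.join(', ')}" unless missing.empty?

  shared_key = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = shared_key
  iv = cipher.random_iv
  ciphertext = cipher.update(secret_json) + cipher.final
  # Each recipient gets the shared key wrapped under its own public key.
  wrapped = readable_pubkeys.transform_values do |pub|
    Base64.strict_encode64(pub.public_encrypt(shared_key))
  end
  { 'iv' => Base64.strict_encode64(iv),
    'tag' => Base64.strict_encode64(cipher.auth_tag),
    'data' => Base64.strict_encode64(ciphertext),
    'keys' => wrapped }
end

# A recipient unwraps the shared key with its private key, then decrypts the item.
def vault_decrypt(item, name, private_key)
  wrapped = item['keys'][name] or raise "#{name} is not a recipient"
  shared_key = private_key.private_decrypt(Base64.strict_decode64(wrapped))
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = shared_key
  cipher.iv = Base64.strict_decode64(item['iv'])
  cipher.auth_tag = Base64.strict_decode64(item['tag'])
  cipher.update(Base64.strict_decode64(item['data'])) + cipher.final
end
```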