'knife acl add' fails with 'Invalid/missing actor in request body'

[mstyne]

Hello knife-acl folks...

We recently upgraded from open source Chef Server 11 to 12. After this upgrade, we've found that none of our nodes have CRUDG entries for themselves (or specifically, their client entries), meaning they can't update their own node data and encounter nasty 403 Forbidden errors during chef-client runs.

Our remedy for this, up until now, has been to:

• Save the node's current JSON data
• Delete the node and the client (knife node delete ...) entries from the Chef server
• Bootstrap the node
• Edit the node's data and paste the old JSON in

This approach works, but will be pretty tedious for several hundred nodes.

I was hoping, instead of this, we could iterate over our list of nodes and simply do:

knife acl add nodes some.node.com update client some.node.com

But this leads to an error:

INFO: Using configuration from /Users/mstyne/.chef/knife.rb
INFO: HTTP Request Returned 400 Bad Request: Invalid/missing actor in request body
ERROR: The data in your request was invalid
Response: Invalid/missing actor in request body

Initially I thought this was due to a client entry missing from the Chef Server, but this error is encountered even when the client exists. Full disclosure: We did /not/ perform an in-place upgrade of Chef Server, and instead followed these migration instructions.

Help?

Thanks, Mike

[joerg]

I am having the same problem, but we did not upgrade the chef server (still version 1.6.2), while my chefdk is 0.4.0. I guess this is an error in the chef client... As for the "knife acl..." I have no idea.

[stevendanna]

@joerg Can you confirm what your chef-server version is? 1.6.2 isn't a server version as far as I know.

[joerg]

@stevendanna: Sorry, chef server is version 12.0.1. Also, I found that my client was not there and thats why I got that error. With the client created everything works. Sorry... Anyway, since chef for some reason does not create the correct ACLs for nodes when creating them via "knife node create ..." this ACL tool is the only way to go.

[mstyne]

@joerg That's my finding as well; the only way to get the ACLs configured properly is to knife bootstrap the host and let the bootstrap process handle the creation of node and client objects.

[jeremiahsnapp]

Hello @mstyne and @joerg . Sorry for my late reply.

The problem you describe comes from the fact that by default, for security reasons, clients only have permission to read node objects. The only client that has permission to change a node's data is the client that created the node object in the first place. That's why it is best to let the client create the node object during the first chef-client run which is typically during the bootstrap process.

Side note: Now there is a new validatorless bootstrap method available which automatically creates both the client and node objects during the bootstrap process before chef-client even runs.

When you migrate data objects from one Chef Server to another the permissions of those objects are not migrated so they need to be fixed. There is a simple knife exec script that you can use to fix those permissions.

You can also use the latest version of knife-acl plugin, currently 1.0.0.beta, to fix these permissions but you would need to run a separate knife-acl command for each node so the script should be an easier solution.

[mstyne]

Hi @jeremiahsnapp! Thanks for your reply to this issue.

Unfortunately, the knife exec script you pointed out fails in the exact same way for me:

$ knife -v
Chef: 12.3.0
$ knife exec chef_server_permissions.rb 
ERROR: The data in your request was invalid
Response: Invalid/missing actor in request body

Chef Server is 12.0.5. Any further thoughts on this item?

[jeremiahsnapp]

Hi @mstyne , I'm not having that problem so I think we should dig into this to see what's going on. Would you mind creating a support ticket by either emailing support@chef.io or browsing to https://www.chef.io/support/tickets/ ?

Please run the following and attach the chef-server-permission.txt file to the email or ticket.

knife exec chef_server_permissions.rb -VV > chef-server-permission.txt

You can ask that the ticket be assigned to me if I don't happen to see it come in.

Thanks!

[mstyne]

@jeremiahsnapp en route!

Thanks, Mike

[mstyne]

:pizza: & :beers: to @jeremiahsnapp for some out of band support.

In our case, the issue was related to having both a user and a client with the same name. Since we didn't need the client entry, we deleted it, and this allowed chef_server_permissions.rb to run properly.

It's also worth noting that running the knife exec task with additional verbosity as described above will likely out the client/node/user that's causing trouble.