changing admin: true with knife client edit is not applied #1480

Open
jojoger opened this issue Mar 29, 2018 · 4 comments
Labels: Aspect: Documentation, Component: others, Status: Waiting on Contributor, Triage: Needs Information, Type: Deprecation

jojoger commented Mar 29, 2018

If I run knife client edit and set the admin flag from false to true and save it, the setting is not applied.

Expected Behavior

When the admin flag for a client is changed, the client should have admin privileges and knife client show should show admin:true

Current Behavior

knife client show still shows admin:false

Steps to Reproduce (for bugs)

  1. knife client edit -e "sed -i 's/"admin":\s*false/"admin": true/'"
  2. knife client show
    admin is still false
@rymurph20

I'm seeing the exact same behavior. Any ideas on this?


rgaret commented Sep 30, 2019

I'm experiencing the same problem. I've tried with several text editors (vi, vim, nano).
I'm running chef-server 13.0.17 and chef-client 15.2.20.
This problem seems specific to the "admin" flag, since I can change the "validator" flag without any problem.

PrajaktaPurohit added the Status: Untriaged label Oct 11, 2019
markan (Contributor) commented Oct 18, 2019

Only the V0 api accepts and updates the admin field and this feature was removed in the V1 api. IIRC this was part of the validatorless client work. E.g. Chef Server 12.10 according to https://github.com/chef/chef-server/blob/master/CHANGELOG.md#1210-2015-06-19.

See: https://docs.chef.io/api_chef_server.html#id26 (/clients/NAME/PUT if the links change)

I don't have a good doc on hand to describe the general context of this change.

Can you describe your use case? Is this an older chef-server install that's been upgraded?

Internal note: the code for this is here: https://github.com/chef/chef-server/blob/master/src/oc_erchef/apps/chef_objects/src/chef_client.erl#L89

PrajaktaPurohit added the Aspect: Documentation, Component: others, Status: Waiting on Contributor, Triage: Needs Information and Type: Deprecation labels and removed the Status: Untriaged label Oct 18, 2019

rgaret commented Oct 22, 2019

Thanks for your explanation markan,
My company is using Chef-server 11 and we're currently thinking of upgrading to Chef-server 13. So far I'm testing it on a virtual machine (Ubuntu 18), so it's a fresh install.

We use Chef to deploy LXC containers on our physical servers, so the clients associated with the servers must be allowed to create the new container Chef client. On our infrastructure I just set the server client admin tag to true and it does the job.

I think I've understood how authorizations are managed on recent versions of Chef. To give authorizations on a specific client you need to modify the client ACL: knife edit /acls/clients/myclient.json. There you can choose which actors and groups can create, read, update, delete and grant.

To change the global authorizations I need to use a special group of ACLs called containers. In my case I want to grant myclient the right to create clients, so I need to run knife edit /acls/containers/clients.json and put myclient in the actor field associated with the create right:

knife edit /acls/containers/clients.json
{
  "create": {
    "actors": [
      "pivotal",
      "myclient"
    ],
    "groups": [
      "admins"
    ]
  },
...
}

And if I want to give all clients the right to create other clients, I can just write "clients" in the groups list.

And changes made on container ACLs won't override already existing objects' ACLs. So even if I grant myclient the right to delete clients, it won't apply to already existing containers: I'll need to modify their ACLs manually.
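
The ACL edits described in the comment above, as an added Ruby example (not part of rgaret's comment and not Chef's own code): it adds an actor to one permission of a container ACL, reports principals that exceed an expected baseline, and lists existing objects whose own ACLs still lack the actor. The function names and all sample JSON are constructed for illustration.

```ruby
require 'json'

# Constructed sample shaped like /acls/containers/clients.json (not real server data).
SAMPLE_CONTAINER_ACL = <<~JSON
  {
    "create": { "actors": ["pivotal"], "groups": ["admins"] },
    "read":   { "actors": ["pivotal"], "groups": ["admins"] },
    "update": { "actors": ["pivotal"], "groups": ["admins"] },
    "delete": { "actors": ["pivotal"], "groups": ["admins"] },
    "grant":  { "actors": ["pivotal"], "groups": ["admins"] }
  }
JSON

PERMISSIONS = %w[create read update delete grant].freeze

# Hypothetical helper: return a copy of the ACL with `actor` added to one
# permission. Idempotent, and the input hash is left untouched.
def grant_actor(acl, permission, actor)
  raise ArgumentError, "unknown permission: #{permission}" unless PERMISSIONS.include?(permission)

  updated = JSON.parse(JSON.generate(acl)) # deep copy
  ace = (updated[permission] ||= { 'actors' => [], 'groups' => [] })
  ace['actors'] = Array(ace['actors']) | [actor]
  updated
end

# Hypothetical helper: principals holding `permission` beyond an expected
# baseline, e.g. to spot "clients" in the groups list of "create".
def unexpected_grants(acl, permission, allowed_actors:, allowed_groups:)
  ace = acl.fetch(permission, {})
  { 'actors' => Array(ace['actors']) - allowed_actors,
    'groups' => Array(ace['groups']) - allowed_groups }
end

# Hypothetical helper: container ACL changes do not rewrite existing objects,
# so list the objects whose own ACL still lacks `actor` for `permission`.
def objects_missing_actor(object_acls, permission, actor)
  object_acls.reject { |_name, acl| Array(acl.dig(permission, 'actors')).include?(actor) }.keys
end

if __FILE__ == $PROGRAM_NAME
  acl = grant_actor(JSON.parse(SAMPLE_CONTAINER_ACL), 'create', 'myclient')
  puts JSON.pretty_generate(acl['create'])
  p unexpected_grants(acl, 'create', allowed_actors: ['pivotal'], allowed_groups: ['admins'])
end
```

The output of `grant_actor` is the JSON you would save through `knife edit /acls/containers/clients.json`; `unexpected_grants` is meant for reviewing the result against the principals you intended to authorize.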
