Release Notes: Chef Server 12.4

Chef is a systems and cloud infrastructure automation framework that makes it easy to deploy servers and applications to any physical, virtual, or cloud location, no matter the size of the infrastructure. Each organization is comprised of one (or more) workstations, a single server, and every node that will be configured and maintained by the chef-client. Cookbooks (and recipes) are used to tell the chef-client how each node in your organization should be configured. The chef-client (which is installed on every node) does the actual configuration.

What’s New

The following items are new for Chef server 12.4:

  • /universe endpoint: Use the /universe endpoint to retrieve the known collection of cookbooks, and then use it with Berkshelf and Chef Supermarket.
  • opscode-expander-reindexer service: The opscode-expander-reindexer service is deprecated.
  • Global server administrator list: Use the grant-server-admin-permissions, remove-server-admin-permissions, and list-server-admins subcommands to manage the list of users who belong to the server-admins group.

/universe

Use the /universe endpoint to retrieve the known collection of cookbooks, and then use it with Berkshelf and Chef Supermarket.

The /universe endpoint has the following methods: GET.

GET

The GET method is used to retrieve the universe data.

This method has no parameters.

Request

GET /universe

Response

The response will return an embedded hash, with the name of each cookbook as a top-level key. Each cookbook will list each version, along with its location information and dependencies:

{
  "ffmpeg": {
    "0.1.0": {
      "location_path": "http://supermarket.chef.io/api/v1/cookbooks/ffmpeg/0.1.0/download",
      "location_type": "supermarket",
      "dependencies": {
        "git": ">= 0.0.0",
        "build-essential": ">= 0.0.0",
        "libvpx": "~> 0.1.1",
        "x264": "~> 0.1.1"
      }
    },
    "0.1.1": {
      "location_path": "http://supermarket.chef.io/api/v1/cookbooks/ffmpeg/0.1.1/download",
      "location_type": "supermarket",
      "dependencies": {
        "git": ">= 0.0.0",
        "build-essential": ">= 0.0.0",
        "libvpx": "~> 0.1.1",
        "x264": "~> 0.1.1"
      }
    }
  },
  "pssh": {
    "0.1.0": {
      "location_path": "http://supermarket.chef.io/api/v1/cookbooks/pssh/0.1.0/download",
      "location_type": "supermarket",
      "dependencies": {}
    }
  }
}

Response Code   Description
200             OK. The request was successful. One (or more) cookbooks and associated cookbook version information was returned.
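
Because Berkshelf resolves and downloads cookbooks from whatever /universe returns, it is worth checking the response before trusting it. The following is an added example, not part of the Chef documentation: it parses a constructed response in the format above and flags download locations that are not HTTPS and dependency constraints with no upper bound. The names audit_universe and unbounded? are hypothetical.

```ruby
require 'json'
require 'uri'

# Constructed sample in the shape of the /universe response documented above.
SAMPLE_UNIVERSE = <<~UNIVERSE
  {
    "ffmpeg": {
      "0.1.0": {
        "location_path": "http://supermarket.chef.io/api/v1/cookbooks/ffmpeg/0.1.0/download",
        "location_type": "supermarket",
        "dependencies": { "git": ">= 0.0.0", "libvpx": "~> 0.1.1" }
      }
    },
    "pssh": {
      "0.1.0": {
        "location_path": "https://supermarket.chef.io/api/v1/cookbooks/pssh/0.1.0/download",
        "location_type": "supermarket",
        "dependencies": {}
      }
    }
  }
UNIVERSE

# Operators that pin a dependency or put an upper bound on its version.
BOUNDING_OPS = ['=', '<', '<=', '~>'].freeze

# True when the constraint leaves the version open-ended (e.g. ">= 0.0.0").
def unbounded?(constraint)
  Gem::Requirement.new(constraint).requirements.none? { |op, _| BOUNDING_OPS.include?(op) }
end

# Returns findings as [cookbook, version, issue, detail] arrays.
def audit_universe(json_text)
  findings = []
  JSON.parse(json_text).each do |cookbook, versions|
    versions.each do |version, meta|
      # Unparseable or missing locations are treated the same as plain HTTP.
      uri = URI.parse(meta['location_path'].to_s) rescue nil
      findings << [cookbook, version, :insecure_location, meta['location_path']] unless uri.is_a?(URI::HTTPS)
      meta.fetch('dependencies', {}).each do |dep, constraint|
        next unless unbounded?(constraint)
        findings << [cookbook, version, :unbounded_dependency, "#{dep} #{constraint}"]
      end
    end
  end
  findings
end

audit_universe(SAMPLE_UNIVERSE).each { |f| puts f.join("\t") }
```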

Server Admins

The server-admins group is a global group that grants its members permission to create, read, update, and delete user accounts, with the exception of superuser accounts. The server-admins group is useful for users who are responsible for day-to-day administration of the Chef server, especially user management via the knife user subcommand. Before members can be added to the server-admins group, they must already have a user account on the Chef server.

Scenario

The following user accounts exist on the Chef server: pivotal (a superuser account), alice, bob, carol, and dan. Run the following command to view a list of users on the Chef server:

$ chef-server-ctl user-list

and it returns the same list of users:

pivotal
alice
bob
carol
dan

Alice is a member of the IT team whose responsibilities include day-to-day administration of the Chef server, in particular managing the user accounts on the Chef server that are used by the rest of the organization. From a workstation, Alice runs the following command:

$ knife user list -c ~/.chef/alice.rb

and it returns the following error:

ERROR: You authenticated successfully to <chef_server_url> as alice
       but you are not authorized for this action
Response: Missing read permission

Alice is not a superuser and does not have permissions on other users because user accounts are global to organizations in the Chef server. Let’s add Alice to the server-admins group:

$ chef-server-ctl grant-server-admin-permissions alice

and it returns the following response:

User alice was added to server-admins.

Alice can now create, read, update, and delete user accounts on the Chef server, even for organizations of which Alice is not a member. From a workstation, Alice re-runs the following command:

$ knife user list -c ~/.chef/alice.rb

which now returns:

pivotal
alice
bob
carol
dan

Alice is now a server administrator and can use the following knife subcommands to manage users on the Chef server:

  • knife user create
  • knife user delete
  • knife user edit
  • knife user list
  • knife user show

For example, Alice runs the following command:

$ knife user edit carol -c ~/.chef/alice.rb

and $EDITOR opens, in which Alice makes changes and then saves them.

Superuser Accounts

Superuser accounts may not be managed by users who belong to the server-admins group. For example, Alice attempts to delete the pivotal superuser account:

$ knife user delete pivotal -c ~/.chef/alice.rb

and the following error is returned:

ERROR: You authenticated successfully to <chef_server_url> as alice
       but you are not authorized for this action
Response: Missing read permission

Alice’s action is unauthorized even with membership in the server-admins group.

Manage server-admins Group

Membership of the server-admins group is managed with a set of chef-server-ctl subcommands:

  • chef-server-ctl grant-server-admin-permissions
  • chef-server-ctl list-server-admins
  • chef-server-ctl remove-server-admin-permissions

Add Members

The grant-server-admin-permissions subcommand is used to add a user to the server-admins group. Run the command once per user added.

This subcommand has the following syntax:

$ chef-server-ctl grant-server-admin-permissions USER_NAME

where USER_NAME is the user to add to the list of server administrators.

For example:

$ chef-server-ctl grant-server-admin-permissions bob

returns:

User bob was added to server-admins. This user can now list,
read, and create users (even for orgs they are not members of)
for this Chef Server.

Remove Members

The remove-server-admin-permissions subcommand is used to remove a user from the server-admins group. Run the command once per user removed.

This subcommand has the following syntax:

$ chef-server-ctl remove-server-admin-permissions USER_NAME

where USER_NAME is the user to remove from the list of server administrators.

For example:

$ chef-server-ctl remove-server-admin-permissions bob

returns:

User bob was removed from server-admins. This user can no longer
list, read, and create users for this Chef Server except for where
they have default permissions (such as within an org).

List Membership

The list-server-admins subcommand is used to return a list of users who are members of the server-admins group.

This subcommand has the following syntax:

$ chef-server-ctl list-server-admins

and will return a list of users similar to:

pivotal
alice
bob
carol
dan
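
Since server-admins membership grants user management across every organization, it helps to compare it regularly against an approved list. The following is an added example, not part of the Chef documentation: it takes constructed output of user-list and list-server-admins, reports drift, and prints the grant and remove commands described above. The approved list, the function names, and the username pattern are assumptions.

```ruby
require 'set'

# Constructed sample output of `chef-server-ctl user-list` and
# `chef-server-ctl list-server-admins`, one name per line as shown above.
USER_LIST_OUTPUT     = "pivotal\nalice\nbob\ncarol\ndan\n"
SERVER_ADMINS_OUTPUT = "pivotal\nalice\nbob\n"

# Hypothetical approved list (for example, a reviewed file in version control).
APPROVED_ADMINS = %w[pivotal alice carol erin].freeze

# Assumed username character set; anything else is rejected so a name can
# never carry shell syntax into the generated commands.
NAME_RE = /\A[a-z0-9_-]+\z/

def parse_names(output)
  names = output.each_line.map(&:strip).reject(&:empty?)
  bad = names.reject { |n| n.match?(NAME_RE) }
  raise ArgumentError, "unexpected user name(s): #{bad.inspect}" unless bad.empty?
  names.to_set
end

# Compare actual membership with the approved list.
def reconcile_server_admins(user_list_out, admins_out, approved)
  users    = parse_names(user_list_out)
  admins   = parse_names(admins_out)
  approved = parse_names(approved.join("\n"))
  {
    grant:      (approved & users) - admins, # approved, has an account, not yet a member
    remove:     admins - approved,           # member without approval
    no_account: approved - users             # account must exist before it can be added
  }.transform_values { |s| s.to_a.sort }
end

# Commands to review and run on the Chef server, one user per invocation.
def remediation_commands(plan)
  plan[:grant].map { |u| "chef-server-ctl grant-server-admin-permissions #{u}" } +
    plan[:remove].map { |u| "chef-server-ctl remove-server-admin-permissions #{u}" }
end

plan = reconcile_server_admins(USER_LIST_OUTPUT, SERVER_ADMINS_OUTPUT, APPROVED_ADMINS)
puts plan.inspect
puts remediation_commands(plan)
```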

What’s Fixed

For the list of issues that were addressed for this release, please see the changelog on GitHub: https://github.com/chef/chef-server/blob/master/CHANGELOG.md