Comments (6)
tl;dr: the client key you're using in your knife config HAS to be listed as a client (matched with the -S search parameter) OR an admin to be able to modify the data bag item. You can create a vault item and then not be able to modify or even view it if you aren't listed as a client or admin for that vault item. That is how this tool functions and is designed.
More information is below.
I can assure you that the admins parameter is NOT required.
I just tested the scenario you're describing.
void is my workstation with knife client 'eklein'
client1 is another workstation with knife client 'client1'
void$ knife vault create eklein foo '{ "foo": "bar" }' -S 'name:client1'
When logged into the host that corresponds to client1, I ran:
client1$ knife vault show eklein foo -p all -Fj
{
  "id": "foo",
  "foo": "bar",
  "search_query": "name:client1",
  "admins": [
  ],
  "clients": [
    "client1"
  ]
}
I then edited the databag and changed bar to bar1 via:
client1$ knife vault edit eklein foo
It succeeded, giving this data output:
client1$ knife vault show eklein foo -p all -Fj
{
  "id": "foo",
  "foo": "bar1",
  "search_query": "name:client1",
  "admins": [
  ],
  "clients": [
    "client1"
  ]
}
I can also run knife vault update:
client1$ knife vault update eklein foo '{ "bar": "foo" }'
client1$ knife vault show eklein foo -p all -Fj
{
  "id": "foo",
  "foo": "bar1",
  "bar": "foo",
  "search_query": "name:client1",
  "admins": [
  ],
  "clients": [
    "client1"
  ]
}
Please note admins is empty.
If I try to view this data as my own username (or anyone else who isn't listed as a client or admin), it fails like this:
void$ knife vault show eklein foo -Fj
ERROR: ChefVault::Exceptions::SecretDecryption: eklein/foo is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
This error is due to the fact that the key you're using isn't authorized as a client or an admin to access this chef-vault databag. It doesn't necessarily indicate that you need to specify an admin.
from chef-vault.
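The access model the comment above describes (a listed client can read and rewrite the item with no admins at all, while the creator's own key is refused) can be reproduced offline. The following is an added example written for this page, not chef-vault's own code: it models the documented design, a data bag item encrypted under a random shared secret and a companion "_keys" item holding that secret wrapped under the public key of every identity matched by -S (clients) or named in --admins. The identity names, the AES-256-GCM/OAEP choices and every helper name are assumptions; storing recipients' public keys in the keys item stands in for looking them up on the Chef server.

```ruby
# Added example (not chef-vault's own code): a model of the vault access
# rules described in the thread. All names and helpers are hypothetical.
require 'openssl'
require 'json'
require 'base64'

# Stand-in for ChefVault::Exceptions::SecretDecryption.
class SecretDecryption < StandardError; end

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Constructed identity: a name plus the RSA keypair that knife would use.
def new_identity(name)
  { name: name, key: OpenSSL::PKey::RSA.new(2048) }
end

# Encrypt the item body under the shared secret (AES-256-GCM, authenticated).
def seal(data, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  body = cipher.update(JSON.generate(data)) + cipher.final
  { 'iv' => Base64.strict_encode64(iv),
    'tag' => Base64.strict_encode64(cipher.auth_tag),
    'body' => Base64.strict_encode64(body) }
end

def unseal(sealed, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = secret
  cipher.iv = Base64.strict_decode64(sealed['iv'])
  cipher.auth_tag = Base64.strict_decode64(sealed['tag'])
  JSON.parse(cipher.update(Base64.strict_decode64(sealed['body'])) + cipher.final)
end

# Wrap the shared secret once per recipient, under that recipient's public key.
def wrap_for(recipients, secret)
  recipients.each_with_object({}) do |id, h|
    h[id[:name]] = Base64.strict_encode64(id[:key].public_key.public_encrypt(secret, OAEP))
  end
end

# knife vault create: `clients` plays the role of the -S search result,
# `admins` the --admins list. Only these identities ever receive the secret.
def vault_create(data, clients:, admins: [])
  secret = OpenSSL::Random.random_bytes(32)
  recipients = clients + admins
  { 'item' => seal(data, secret),
    'keys' => {
      'clients' => clients.map { |c| c[:name] },
      'admins' => admins.map { |a| a[:name] },
      'public_keys' => recipients.to_h { |id| [id[:name], id[:key].public_key.to_pem] },
      'wrapped' => wrap_for(recipients, secret)
    } }
end

# knife vault show: anyone without a wrapped copy of the secret is refused,
# regardless of who created the item.
def vault_show(vault, actor)
  wrapped = vault['keys']['wrapped'][actor[:name]]
  if wrapped.nil?
    raise SecretDecryption, 'item is not encrypted with your public key. ' \
                            'Contact an administrator of the vault item to encrypt for you!'
  end
  secret = actor[:key].private_decrypt(Base64.strict_decode64(wrapped), OAEP)
  unseal(vault['item'], secret)
end

# knife vault update: the actor must be able to read the item; the result is
# re-wrapped for every listed client and admin (the admins list may be empty).
def vault_update(vault, actor, changes)
  merged = vault_show(vault, actor).merge(changes)
  secret = OpenSSL::Random.random_bytes(32)
  keys = vault['keys']
  recipients = (keys['clients'] + keys['admins']).map do |name|
    { name: name, key: OpenSSL::PKey::RSA.new(keys['public_keys'][name]) }
  end
  vault.merge('item' => seal(merged, secret),
              'keys' => keys.merge('wrapped' => wrap_for(recipients, secret)))
end

# The thread's scenario: eklein creates for client1 only, client1 updates and
# reads, eklein (not listed as client or admin) is refused.
def walkthrough
  eklein = new_identity('eklein')
  client1 = new_identity('client1')
  vault = vault_create({ 'id' => 'foo', 'foo' => 'bar' }, clients: [client1])
  vault = vault_update(vault, client1, 'bar' => 'foo')
  denied = begin
    vault_show(vault, eklein)
    false
  rescue SecretDecryption
    true
  end
  { 'seen' => vault_show(vault, client1), 'creator_denied' => denied,
    'admins' => vault['keys']['admins'], 'wrapped_for' => vault['keys']['wrapped'].keys }
end

puts JSON.pretty_generate(walkthrough) if __FILE__ == $PROGRAM_NAME
```

The point to take from the walkthrough is the last line of its output: the secret exists in exactly one wrapped form, for client1, so an empty admins list is not a misconfiguration in itself, but it does mean the creator's key can only regain access by being added through -S or --admins.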
I totally understand!
The reason I raised this issue is that I want --ADMINS to be a mandatory param so that "knife vault create" throws an error if you don't provide --ADMINS.
On 30 Jan 2014, at 10:54, Eli Klein [email protected] wrote:
This error is due to the fact that the key you're using isn't authorized as a client or an admin to access this chef-vault databag.
from chef-vault.
Thanks mate for explanation. I got it now.
The missing link was that I thought I needed to add the 'client' as the --ADMINS value in addition to the -S option to be able to manage it from the client. Now I get that if you don't have --ADMINS, you can still manage it from the client as long as the client is provided via the -S option.
from chef-vault.
Awesome, very happy to have helped!
from chef-vault.
I added a comment to #84
The command line for admin shouldn't be mandatory, it should just happen behind the scenes.
Your example is correct and it's still possible to get access, but I think it's not the expected thing.
It would be nice to lower the barrier of entry for this and just ensure the person who created the vault automatically has access to it.
from chef-vault.