Skip 403 Forbidden exception when getting node acl #519

Open
wants to merge 1 commit into
base: master

poliva83
Contributor

Allows the possibility that a 2nd machine convergence could be done by a user that does not have grant permission on the node object.

@poliva83
Contributor Author

I was asked to confirm (on chef-success slack) that line 174 would still raise errors if it hit an exception that wasn't a 403. Unfortunately there are no test specs for the chef-provisioning core gem right now (I'd add a test here if there was a base of tests). I was, however, able to trigger a 404 error (using pry) on line 174, and the exception was still raised.

    ================================================================================
    Error executing action `converge` on resource 'machine[poliva-bescloud-admin.poliva.dev.altus.bblabs]'
    ================================================================================

    Net::HTTPServerException
    ------------------------
    404 "Object Not Found"

    Resource Declaration:
    ---------------------
    # In /home/poliva/.chef/cache/cookbooks/bb_bescloud_admin/recipes/provision.rb

     92: machine admin_fqdn do
     93:   add_machine_options :bootstrap_options => {
     94:                         :template => node.run_state['admin_machine_template'],
     95:                         :enforce_chef_fqdn => true,
     96:                         :unique_names => true
     97:                       },
     98:                       :convergence_options => {
     99:                          # uncomment if/when https://github.com/chef/chef-provisioning/pull/519 is in chef-provisioning core gem
    100:                          :skip_node_acl_forbidden_excp => true,
    101:                          :client_rb_path => '/etc/chef/chef-provisioning/client.rb'
    102:                       }
    103:   chef_environment "#{admin_environment}"
    104:   run_list [ 'recipe[bb_bescloud_admin]',
    105:              'role[bb_bescloud_admin_common]' ]
    106:   files ( upload_files )
    107:   chef_config extra_config.join("\n") unless extra_config.empty?
    108:   attribute %w[bb_bescloud_admin admin_files base_src_url], node.run_state['base_src_url']
    109:   converge true
    110:   action :converge
    111: end
    112:

    Compiled Resource:
    ------------------
    # Declared in /home/poliva/.chef/cache/cookbooks/bb_bescloud_admin/recipes/provision.rb:92:in `from_file'

    machine("poliva-bescloud-admin.poliva.dev.altus.bblabs") do
      action [:converge]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      chef_server {:chef_server_url=>"https://front12.chef.thor.altus.bblabs.rim.net/organizations/mandolin", :options=>{:client_name=>"admin-mandolin", :signing_key_filename=>"/home/poliva/.chef/admin-mandolin.pem", :api_version=>"0"}}
      chef_environment "admin-poliva-Mandolin-thor"
      driver "opennebula:http://api.thor.altus.rim.net/api:Mandolin"
      machine_options #<Cheffish::MergedConfig:0x00000005c1fbd8 @configs=[{:bootstrap_options=>{:template=>{"HTTPBASE"=>"http://thor-cli.thor.altus.bblabs.rim.net/~chef", "MEMORY"=>"4048", "CPU"=>"0.4", "VCPU"=>"4", "OS"=>{"ARCH"=>"x86_64"}, "DISK"=>[{"IMAGE"=>"poliva-bescloud-admin", "IMAGE_UNAME"=>"Mandolin", "DRIVER"=>"qcow2"}, {"IMAGE"=>"poliva-bescloud-admin-extra-disk", "IMAGE_UNAME"=>"Mandolin"}], "NIC"=>{"NETWORK"=>"poliva-bescloud-admin", "NETWORK_UNAME"=>"Mandolin"}, "GRAPHICS"=>{"LISTEN"=>"0.0.0.0", "TYPE"=>"vnc"}, "CONTEXT"=>{"USER_DATA"=>"#cloud-config\n---\nmanage_etc_hosts: true\nfqdn: poliva-bescloud-admin.poliva.dev.altus.bblabs\nmanage-resolv-conf: true\nresolv_conf:\n  nameservers:\n  - 193.109.81.161\n  - 193.109.81.162\n  - 193.109.81.163\n  searchdomains:\n  - poliva.dev.altus.bblabs\n  domain: poliva.dev.altus.bblabs\nusers:\n- name: local\n  groups: admin\n  shell: \"/bin/bash\"\n  ssh-authorized-keys:\n  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrGctis074q6x/o46k7RhSzz6qh/lM/ls6M7S/3HkjAjikP8XB3ZnMSL24SbMAc3xpBe0U4Gw1O8GVrxiyWhx7khUJ1P5BBolHIq/o1GdRwem5rTgNI3ztUC5NsKeg+CV8+EcEk0TUiSCfSp9gMJV9YPd006g2cfJUCbqZMkrqSpuYTApwO0Z3QDOB9RsLAzIrhdtHPCORwKCU48h2ZDT+xqgBIa6cKzaaKPSw0HgkbHNu0XEp4d7JcwAOQpVTdB2t2o0rQ+ZwsQci0mJ+YTKumFwY/Nj6bE23CFeNQRX/tCBEmP+b07oqd8Tw/kii9+bl9/wZjHIcSUdE+ar1MGtl\n    root@chef-ws-poliva-003\n  sudo:\n  - ALL=(ALL) NOPASSWD:ALL\nchef:\n  install_type: packages\n  force_install: false\n  server_url: https://front12.chef.thor.altus.bblabs.rim.net/organizations/mandolin\n  node_name: poliva-bescloud-admin.poliva.dev.altus.bblabs\n  environment: admin-poliva-Mandolin-thor\n  validation_name: mandolin-validator\n  validation_key: \"$USER[CHEF12_ORG_VALIDATOR_KEY]\"\n  run_list:\n  - recipe[bb_bescloud_admin]\n  - role[bb_bescloud_admin_common]\n  initial_attributes:\n    bb_bescloud_admin:\n      admin_files:\n        base_src_url: http://thor-cli.thor.altus.bblabs.rim.net/~Mandolin/bescloud_files/\n  exec: true\n  omnibus_url: 
https://www.opscode.com/chef/install.sh\n  exec_arguments:\n  - \"-d\"\n  - '120'\n  - \"-i\"\n  - '1800'\n  - \"-s\"\n  - '20'\n  output:\n    all: \"| tee -a /var/log/chef/chef.log\"\n", "CHEF_SERVER_URL"=>"https://front12.chef.thor.altus.bblabs.rim.net/organizations/mandolin", "CHEF_PRIVATE_KEY"=>"$USER[CHEF12_ORG_VALIDATOR_KEY]", "NETWORK"=>"YES", "HOSTNAME"=>"$NAME"}}, :enforce_chef_fqdn=>true, :unique_names=>true}, :convergence_options=>{:skip_node_acl_forbidden_excp=>true, :client_rb_path=>"/etc/chef/chef-provisioning/client.rb"}}, {:cached_installer=>true, :ssh_username=>"local"}], @merge_arrays={}>
      declared_type :machine
      cookbook_name "bb_bescloud_admin"
      recipe_name "provision"
      run_list ["recipe[bb_bescloud_admin]", "role[bb_bescloud_admin_common]"]
      chef_config "log_level\t:info\nlog_location\t\"/var/log/chef/chef-provisioning-client.log\"\ntrusted_certs_dir\t\"/etc/chef/trusted_certs/\""
      attribute_modifiers [[["bb_bescloud_admin", "admin_files", "base_src_url"], "http://thor-cli.thor.altus.bblabs.rim.net/~Mandolin/bescloud_files/"]]
      converge true
    end

Chef Client failed. 4 resources updated in 04 minutes 18 seconds

@tyler-ball
Contributor

I'm not sure why we need to fix the acls on enterprise/hosted chef in the first place. Is this because the default or global permissions are set to restrict read and update?

Having said that, I'm averse to having a config flag for ignoring a 403. What about instead moving the flag to line 164 and not attempting to change permissions at all? My thought then is that when the node is initially created it can be done by a client with permissions. Then further resource invocations performed by a restricted client with that config flag set. What do you think about that?
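The two options discussed in this thread, side by side, as an added example that is not chef-provisioning code and not written by either participant. `FakeHTTPError`, `FakeChefServer`, both method names and the `nodes/<name>/_acl` path are assumptions made for illustration; only the `:skip_node_acl_forbidden_excp` option name comes from the thread, and reusing it for the second approach is also an assumption.

```ruby
# Added illustration; not chef-provisioning source. All names here are
# hypothetical except the option :skip_node_acl_forbidden_excp from the thread.

# Stand-in for the HTTP error a Chef server client raises (constructed).
class FakeHTTPError < StandardError
  attr_reader :code
  def initialize(code, msg)
    super("#{code} #{msg.inspect}")
    @code = code
  end
end

# Constructed stub server: answers every ACL GET with a fixed status.
class FakeChefServer
  attr_reader :requests
  def initialize(status)
    @status = status
    @requests = []
  end

  def get(path)
    @requests << path
    raise FakeHTTPError.new(403, 'Forbidden') if @status == 403
    raise FakeHTTPError.new(404, 'Object Not Found') if @status == 404
    { 'grant' => { 'actors' => [] } }
  end
end

# Approach in the pull request: try the ACL read, swallow only a 403, and
# only when the operator opted in. Anything else (404, 500, ...) propagates.
def acl_with_403_skip(server, node, options)
  server.get("nodes/#{node}/_acl")
rescue FakeHTTPError => e
  raise unless e.code == 403 && options[:skip_node_acl_forbidden_excp]
  :skipped
end

# Alternative raised in review: with the flag set, never touch the ACL, so
# no authorization failure is generated or hidden.
def acl_without_attempt(server, node, options)
  return :skipped if options[:skip_node_acl_forbidden_excp]
  server.get("nodes/#{node}/_acl")
end
```

With the first approach every run by the restricted client still sends a request that the server denies; with the second the server sees no ACL request from that client.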

@tas50 tas50 removed the Signed CLA label Jul 31, 2018