Server Admins Grant More Flexible Permissions Around User Management

The new global group, `server-admins`, was released in Chef Server 12.4.1. This group improves your ability to customize permissions that affect user management in your Chef Server.

Previously, there were only two types of users: regular users and the superuser. The `server-admins` group adds another possibility. It represents a third class of users who need permissions that are useful for the day-to-day administration of a Chef Server, but who don't need to be superusers.

Members of the `server-admins` group have CRUD (create, read, update, delete) access on all users except the superuser. In other words, there are expanded options for managing users and the `knife user` command regains its usefulness. The members of the group are controlled through a new set of `chef-server-ctl` commands.

Let’s dive in.

### Return to Form for `knife user`

Let’s say you have a Chef server with some users:

[sourcecode]
$ chef-server-ctl user-list
pivotal # superuser
user1
user2
user3
user4
user5
[/sourcecode]

(In this example, we will use knife as `user1`.) Before we make any changes, let's use `knife` to try to do some basic user management (make sure you're using a recent version of knife and that your `chef_server_url` points at your server root, not at an organization):

[sourcecode]
$ knife user list -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: Missing read permission
[/sourcecode]

By default, a non-superuser only has permissions on their own account, because users are global across organizations rather than scoped to one. In general, this division gives a nice separation of concerns, but it's not very flexible.

Right now, `user1` is just a normal user without any special permissions or modifications, but we want `user1` to be able to make changes to other users. This is where `server-admins` comes in.

Log in to the Chef Server and run:

[sourcecode]
$ chef-server-ctl grant-server-admin-permissions user1
User user1 was added to server-admins.
This user can now list, read, and create users (even for orgs they are not members of) for this Chef Server.
[/sourcecode]

Now, `user1` tries the knife command again:

[sourcecode]
$ knife user list -c ~/.chef/user1.rb
pivotal
user1
user2
user3
user4
user5
[/sourcecode]

Because `user1` is a member of `server-admins`, the `knife user` subcommand is now functional in Chef Server 12! Our `user1` can even create, edit, and delete other users via knife. For example:

[sourcecode]
$ knife user edit user2 -c ~/.chef/user1.rb
… (editor pops up)
Saved user[user2].
[/sourcecode]

Remember, though, `server-admins` don't have access to the superuser (pivotal), so they can't break the Chef Server (beyond deleting some important user)!

[sourcecode]
$ knife user delete pivotal -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: missing read permission
[/sourcecode]

As you can see, the new group is very useful in the day-to-day management of a Chef Server.

If we want to remove the `user1` special privileges, we simply log on to the Chef Server and run:

[sourcecode]
$ chef-server-ctl list-server-admins
pivotal
user1
$ chef-server-ctl remove-server-admin-permissions user1
User user1 was removed from server-admins.
This user can no longer list, read, and create users for this Chef Server except for where they have default permissions (such as within an org).
$ chef-server-ctl list-server-admins
pivotal
[/sourcecode]

Now, if user1 tries to use `knife user`:

[sourcecode]
$ knife user list -c ~/.chef/user1.rb
ERROR: You authenticated successfully as user1 but you are not authorized for this action
Response: missing read permission
[/sourcecode]
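Because membership in `server-admins` grants CRUD on every account except the superuser, it is worth reviewing that membership regularly rather than letting it accumulate. As an added example (not from the original post or Chef's own tooling), here is a small POSIX shell audit that compares the output of `chef-server-ctl list-server-admins` against an approved list; the allow-list and the sample output are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes `chef-server-ctl
# list-server-admins` prints one username per line, as shown in the post.

# Users approved to hold server-admins membership (constructed allow-list;
# pivotal, the superuser, is always listed by the command).
EXPECTED_ADMINS="pivotal
user1"

# Constructed sample of `chef-server-ctl list-server-admins` output. Here a
# third account, user4, has been granted the permission without approval.
SAMPLE_OUTPUT="pivotal
user1
user4"

# Print the members of $1 that do not appear in $2 (one name per line each).
unexpected_admins() {
    actual="$1"
    expected="$2"
    printf '%s\n' "$actual" | while IFS= read -r member; do
        [ -n "$member" ] || continue
        # -x matches the whole line, so "user1" does not match "user10".
        if ! printf '%s\n' "$expected" | grep -qx -- "$member"; then
            printf '%s\n' "$member"
        fi
    done
}

# Return 0 when membership matches the allow-list, 1 otherwise (offenders on stderr).
audit_server_admins() {
    extra=$(unexpected_admins "$1" "$2")
    if [ -n "$extra" ]; then
        echo "Unexpected server-admins members:" >&2
        printf '%s\n' "$extra" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Run against the live server with `--live` (needs chef-server-ctl on the
# Chef Server); otherwise audit the constructed sample above.
if [ "${1:-}" = "--live" ]; then
    audit_server_admins "$(chef-server-ctl list-server-admins)" "$EXPECTED_ADMINS"
else
    audit_server_admins "$SAMPLE_OUTPUT" "$EXPECTED_ADMINS"
fi
```

Running it on the sample reports `user4` as an unexpected member and exits non-zero, which makes it easy to wire into a cron job or monitoring check.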

### Bigger Plans

Long term, we're planning to expand the permissions granted to `server-admins`, so keep that in mind as you add users to that group. So far, the only plans are to add organization CRUD permissions, but we'll see what the future holds. This is the first step towards more flexible, powerful permissions in the Chef server!

For a more technical overview of `server-admins`, see the documentation [here](https://docs.chef.io/server_orgs.html#server-admins).

Chef Server 12.4.1 can be downloaded [here](https://downloads.chef.io/chef-server/).

Author Tyler Cloke

Tyler has been a Software Engineer at Chef for over three years. He has worked on a bit of everything and is passionate about creating high quality, usable products. During off hours, you can catch him watching or playing music around Seattle.