We did some debugging about this topic. The main idea about client and user is absolutely to distinguish human and program. How they do this is what we debugged.

In the DB you can see that the users can have an admin group flag, the clients can have admin and/or validator flags. The users can use the webUI (with the webui client) and can use the chefAPI. The clients can use only the chefAPI.
opscode_chef=# select username,admin from osc_users;
 username | admin
----------+-------
 admin    | t
 johnnym  | t
 leki     | t
 nemadmin | f
(4 rows)
                 name                  | admin | validator |                id
---------------------------------------+-------+-----------+----------------------------------
 chef-validator                        | f     | t         | 0000000000006ab38d5bb2564bd91f5b
 chef-webui                            | t     | f         | 000000000000bd469d802db9a3fc3c88
 statictestXXxd.xxxxx.xxxxxxxx.private | f     | f         | 000000000000f106e5461e64a15d0662
 test-validator                        | f     | f         | 000000000000ea638b18e484e034b859
 cica                                  | f     | f         | 00000000000077dd4efbcd39a1fb10d3
(5 rows)
opscode_chef=# select name,environment,last_updated_by from nodes;
                 name                  | environment |         last_updated_by
---------------------------------------+-------------+----------------------------------
 statictestXXxd.xxxxx.xxxxxxxx.private | _default    | 000000000000f106e5461e64a15d0662
 cica_node                             | _default    | 00000000000077dd4efbcd39a1fb10d3
(2 rows)
- admin members (both clients and users) can do all the commands
- validator members (only clients) can do only node commands
- normal members (both clients and users) can do client show and node commands only if the node was updated by the same client the request comes from (see the table above, 00000000000077dd4efbcd39a1fb10d3)
So the client has limited command privileges and also a limited scope (only the last updated node). The user can have all the privileges but cannot update a node.

I also found this page, which helped our research on this topic.
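To make the three rules above concrete, here is a small Python model of them (an added illustration, not Chef's own authorization code): the principals and node rows are taken from the psql output in the post, and the decision logic is a direct paraphrase of the bullet list, so it assumes that list is complete.

```python
"""Toy model of the client/user authorization rules described in the post.

Added illustration only: this is NOT Chef's authorization code. Rows are
constructed from the post's psql output; the rules follow its bullet list.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                        # "user" or "client"
    admin: bool = False              # admin flag (users and clients)
    validator: bool = False          # validator flag (clients only)
    client_id: Optional[str] = None  # client id, as stored in nodes.last_updated_by


# Constructed from the osc_users / clients tables shown in the post.
USERS = {
    "admin": Principal("admin", "user", admin=True),
    "nemadmin": Principal("nemadmin", "user"),
}
CLIENTS = {
    "chef-validator": Principal("chef-validator", "client", validator=True,
                                client_id="0000000000006ab38d5bb2564bd91f5b"),
    "cica": Principal("cica", "client",
                      client_id="00000000000077dd4efbcd39a1fb10d3"),
}
# Constructed from the nodes table: node name -> last_updated_by (client id).
NODES = {
    "statictestXXxd.xxxxx.xxxxxxxx.private": "000000000000f106e5461e64a15d0662",
    "cica_node": "00000000000077dd4efbcd39a1fb10d3",
}

NODE_COMMANDS = {"node show", "node update", "node delete"}


def is_allowed(p: Principal, command: str, node: Optional[str] = None) -> bool:
    """Return True if the post's rules let principal `p` run `command`."""
    if p.admin:                         # rule 1: admin members can do everything
        return True
    if p.validator:                     # rule 2: validator clients, node commands only
        return command in NODE_COMMANDS
    if command == "client show":        # rule 3: normal members may show clients
        return True
    if command in NODE_COMMANDS:        # ... and touch only the node they last updated
        return node is not None and p.client_id is not None \
            and NODES.get(node) == p.client_id
    return False
```

Note that a normal user has no client id, so under this model it never matches a node's last_updated_by, which is the post's "cannot update a node" observation.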