Question

I have installed open-source chef-server (11.x). I am a newbie with chef. I can see that there are users with passwords and pub/priv keys (usually the knife users (@workstations)). There are also clients (chef-validator, nodes...) with pub/priv keys.

When I do knife configure --initial it uses the admin username and private key to create a new workstation user, for example johnnym. So the admin user with its key is powerful enough to create users, nodes, clients, etc.

But when I run knife bootstrap ${FQDN} it requires a client with admin privileges (chef-validator) to be able to authn/authz to the chef-server and register a new node/client.

My question is: Why do we separate client and user if they can accomplish the same tasks?


Solution

In the context of OSS Chef as is your case, a user also works as a client, with the added ability to use the Web UI via username/password combination.

What you're missing is the validator client key.

The validator is a special client that has one purpose only: to allow nodes to register themselves as clients on the Chef server. It's used from inside the node on the first Chef run. Once the node is registered, it's good practice to delete the validator key from the node.

When you run knife bootstrap it copies the key from your workstation to the node via SSH prior to running chef-client. The problem you're facing is probably either because you don't have the validator key on the workstation, or because knife is unable to find it (check your knife.rb file to see where it expects to find the key).

OTHER TIPS

We did some debugging on this topic. The main idea behind client and user is definitely to distinguish human from program. How they did this is what we debugged.
In the db you can see that the users can have an admin group flag, and the clients can have admin and/or validator flags.
The users can use the webUI (via the webui client) and the chefAPI.
The clients can use only the chefAPI.

opscode_chef=# select username,admin from osc_users;
 username | admin 
----------+-------
 admin    | t
 johnnym  | t
 leki     | t
 nemadmin | f
(4 rows)

                 name                  | admin | validator |                id                
---------------------------------------+-------+-----------+----------------------------------
 chef-validator                        | f     | t         | 0000000000006ab38d5bb2564bd91f5b
 chef-webui                            | t     | f         | 000000000000bd469d802db9a3fc3c88
 statictestXXxd.xxxxx.xxxxxxxx.private | f     | f         | 000000000000f106e5461e64a15d0662
 test-validator                        | f     | f         | 000000000000ea638b18e484e034b859
 cica                                  | f     | f         | 00000000000077dd4efbcd39a1fb10d3
(5 rows)

opscode_chef=# select name,environment,last_updated_by from nodes;
                 name                  | environment |         last_updated_by          
---------------------------------------+-------------+----------------------------------
 statictestXXxd.xxxxx.xxxxxxxx.private | _default    | 000000000000f106e5461e64a15d0662
 cica_node                             | _default    | 00000000000077dd4efbcd39a1fb10d3
(2 rows)

  1. admin members (both clients and users) can do all the commands
  2. validator members (only clients) can do only node commands
  3. normal members (both clients and users) can do client show and node commands only if the node was last updated by the same client the request comes from (see the table above) (00000000000077dd4efbcd39a1fb10d3)

So the client has limited command privileges and also limited scope (only the node it last updated). The user can have all the privileges but cannot update a node.

I also found this page, which helped our research on this topic.
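As an added example that is not part of either answer above and not Chef's own code, the Ruby script below models what both answers describe: a user and a client are the same kind of key-authenticated principal (the request is RSA-signed the same way whoever signs it, and the server looks the X-Ops-UserId up in both the users and the clients table), and the validator differs only in what it is permitted to do during the first chef-client run that knife bootstrap sets up. The canonical-request layout is Chef's signing protocol version 1.0 as implemented by mixlib-authentication; the ToyChefServer class, the principal and node names, the keys, and the simplified authorization rules are all constructed here for illustration and are not the server's real ACL code.

```ruby
# Added example; not code from the original post or from Chef itself. A toy
# model of how an open-source Chef 11 server authenticates users and clients the
# same way and how the validator differs only in what it may do. Assumed names,
# keys and authorization rules are constructed here.
%w[openssl base64 digest time].each { |lib| require lib }

# Canonical string that gets signed (protocol 1.0 layout from mixlib-authentication):
# SHA-1 of path and body, base64, one field per line.
def canonical_request(method, path, body, timestamp, user_id)
  ["Method:#{method.upcase}",
   "Hashed Path:#{Base64.strict_encode64(Digest::SHA1.digest(path))}",
   "X-Ops-Content-Hash:#{Base64.strict_encode64(Digest::SHA1.digest(body))}",
   "X-Ops-Timestamp:#{timestamp}",
   "X-Ops-UserId:#{user_id}"].join("\n")
end

# Caller side: knife (a user) and chef-client (a client) both do exactly this;
# nothing in the signature says which kind of principal signed.
def sign_request(private_key, user_id, method, path, body, timestamp = Time.now.utc.iso8601)
  canonical = canonical_request(method, path, body, timestamp, user_id)
  sig = Base64.strict_encode64(private_key.private_encrypt(canonical)) # RSA PKCS#1 v1.5
  headers = { 'X-Ops-Sign' => 'version=1.0', 'X-Ops-UserId' => user_id,
              'X-Ops-Timestamp' => timestamp,
              'X-Ops-Content-Hash' => Base64.strict_encode64(Digest::SHA1.digest(body)) }
  # The base64 signature travels in 60-character X-Ops-Authorization-N headers.
  sig.scan(/.{1,60}/).each_with_index { |c, i| headers["X-Ops-Authorization-#{i + 1}"] = c }
  headers
end

# Server side: one directory standing in for both the users and the clients table.
class ToyChefServer
  def initialize
    @principals = {} # name => { type:, public_key:, admin:, validator: }
    @nodes = {}      # node name => { last_updated_by: principal name }
  end

  def add_principal(name, type, public_key, admin: false, validator: false)
    @principals[name] = { type: type, public_key: public_key, admin: admin, validator: validator }
  end

  # Authentication: find X-Ops-UserId in either table, rebuild the canonical string
  # and compare it with what the stored public key recovers from the signature.
  def authenticate(headers, method, path, body)
    principal = @principals[headers['X-Ops-UserId']] or return nil
    sig = headers.select { |k, _| k.start_with?('X-Ops-Authorization-') }
                 .sort_by { |k, _| k.split('-').last.to_i }.map(&:last).join
    expected = canonical_request(method, path, body, headers['X-Ops-Timestamp'], headers['X-Ops-UserId'])
    recovered = principal[:public_key].public_decrypt(Base64.strict_decode64(sig))
    recovered == expected ? headers['X-Ops-UserId'] : nil
  rescue OpenSSL::PKey::PKeyError, ArgumentError
    nil
  end

  # Authorization, simplified from the rules in the answer above (an assumption, not
  # the server's real ACL code): admins may do anything, the validator may only
  # register a new client, anyone else may only save nodes it last updated (or new ones).
  def authorized?(name, action, target)
    pr = @principals[name]
    return true if pr[:admin]
    return action == :register_client if pr[:validator]
    action == :update_node && (@nodes[target].nil? || @nodes[target][:last_updated_by] == name)
  end

  def handle(headers, method, path, body, action, target, new_public_key = nil)
    name = authenticate(headers, method, path, body) or return :unauthenticated
    return :forbidden unless authorized?(name, action, target)
    add_principal(target, :client, new_public_key) if action == :register_client
    @nodes[target] = { last_updated_by: name } if action == :update_node
    :ok
  end
end

# Constructed walk-through of what knife bootstrap sets up on a node: the validator
# key registers the node's own client, the node then signs with its own key, and
# validation.pem is deleted (here: dropped from the hash).
def bootstrap_demo
  server = ToyChefServer.new
  validator_key, node_key, other_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  server.add_principal('chef-validator', :client, validator_key.public_key, validator: true)
  server.add_principal('other-node', :client, other_key.public_key)
  keys_on_node = { 'validation.pem' => validator_key, 'client.pem' => node_key }
  body = '{"name":"cica"}'
  # 1. First run: sign as chef-validator and create the client "cica".
  h = sign_request(keys_on_node['validation.pem'], 'chef-validator', 'POST', '/clients', body)
  results = [server.handle(h, 'POST', '/clients', body, :register_client, 'cica', node_key.public_key)]
  # 2. The validator may not do anything else, such as saving node data.
  h = sign_request(keys_on_node['validation.pem'], 'chef-validator', 'PUT', '/nodes/cica_node', '{}')
  results << server.handle(h, 'PUT', '/nodes/cica_node', '{}', :update_node, 'cica_node')
  # 3. From now on the node signs as "cica" with client.pem; validation.pem is removed.
  keys_on_node.delete('validation.pem')
  h = sign_request(keys_on_node['client.pem'], 'cica', 'PUT', '/nodes/cica_node', '{}')
  results << server.handle(h, 'PUT', '/nodes/cica_node', '{}', :update_node, 'cica_node')
  # 4. Another ordinary client cannot save a node that "cica" last updated.
  h = sign_request(other_key, 'other-node', 'PUT', '/nodes/cica_node', '{}')
  results << server.handle(h, 'PUT', '/nodes/cica_node', '{}', :update_node, 'cica_node')
  # 5. A body changed after signing fails authentication before any rule is checked.
  h = sign_request(node_key, 'cica', 'PUT', '/nodes/cica_node', '{}')
  results << server.handle(h, 'PUT', '/nodes/cica_node', '{"tampered":true}', :update_node, 'cica_node')
  results # => [:ok, :forbidden, :ok, :forbidden, :unauthenticated]
end
```

Run it with `ruby -e 'load "chef_principals.rb"; p bootstrap_demo'` (any file name will do). The point to take away is that steps 1 and 3 are signed by different principals with different keys but go through the same signing and verification code; only the server-side flags and the node ownership differ, which is why deleting validation.pem from the node after step 1 costs nothing and stops a compromised node from registering further clients.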

Licensed under: CC-BY-SA with attribution