Validatorless bootstrap is broken for non-admin users
Non-admin users by default do not have permission to create clients which means they cannot perform a validatorless bootstrap of a node.
My suggested workaround is to give the "users" group the "create" permission on the "clients" container. To be consistent with the permissions that the "users" group has on other containers I'm also suggesting that the "users" group be given the "update" permission on the "clients" container.
Does anyone have objections to this workaround?
What do we do for a permanent fix? Do we fix the code that generates new orgs and do we also migrate existing orgs' permissions accordingly?
After some discussion it seems like this may not be an actual bug. For safety reasons non-admin users should not have the ability to bootstrap nodes by default.
The desired result can be achieved using the permission system. Create a group named "bootstrap". Add that group to the "create" permission of the "clients" container. Then add appropriate users to the bootstrap group.
Would it be worth adding this group by default?
Having a default bootstrap group sounds reasonable to me.
Actually, @marcparadise I'm not sure if you were asking about a default bootstrap group or if you were referring to the original issue description.
I meant a default bootstrap group.
A default bootstrap group would be wonderful. We use Chef for workstation administration, and it would be nice to give some of our techs the ability to bootstrap new nodes when we get new laptops, but not give them other write permissions. I notice we haven't had any updates on this recently, but I'd like to bring this back up as something that is important. I'm not the only one (I found this issue through a link from https://discourse.chef.io/t/create-new-group-with-ability-to-boostrap-and-read-only-in-chef-server/9781).
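The group-based approach discussed in this thread can be checked for least privilege before it is applied. The following is an added example, not code from the thread or from the Chef project: it models the "clients" container ACL as a per-permission map of actors and groups (an assumed shape, with constructed sample data), and the function names are hypothetical.

```python
import copy

PERMS = ("create", "read", "update", "delete", "grant")

# Constructed sample ACL for the "clients" container (assumed shape:
# one entry per permission, each listing actors and groups).
SAMPLE_CLIENTS_ACL = {
    "create": {"actors": ["pivotal"], "groups": ["admins"]},
    "read":   {"actors": ["pivotal"], "groups": ["admins", "users"]},
    "update": {"actors": ["pivotal"], "groups": ["admins"]},
    "delete": {"actors": ["pivotal"], "groups": ["admins"]},
    "grant":  {"actors": ["pivotal"], "groups": ["admins"]},
}

def add_group_to_create(acl, group="bootstrap"):
    """Return a copy of acl with group added to the 'create' entry only."""
    new_acl = copy.deepcopy(acl)          # never mutate the caller's ACL
    groups = new_acl["create"].setdefault("groups", [])
    if group not in groups:               # idempotent: no duplicate entries
        groups.append(group)
    return new_acl

def permissions_held(acl, group):
    """Sorted list of permissions that name group directly."""
    return sorted(p for p in PERMS
                  if group in acl.get(p, {}).get("groups", []))

def audit_bootstrap(acl, group="bootstrap"):
    """Return findings; an empty list means the delegation is as narrow
    as the thread intends (create only, and not open to all users)."""
    findings = []
    held = permissions_held(acl, group)
    if "create" not in held:
        findings.append(f"{group} lacks create on clients; bootstrap will fail")
    for perm in held:
        if perm in ("update", "delete", "grant"):
            findings.append(f"{group} holds {perm} on clients; broader than needed")
    if "users" in acl.get("create", {}).get("groups", []):
        findings.append("users group can create clients; any org member can bootstrap")
    return findings

if __name__ == "__main__":
    updated = add_group_to_create(SAMPLE_CLIENTS_ACL)
    print(updated["create"])              # body for the 'create' entry update
    print(audit_bootstrap(updated))
```

Running the audit against the ACL before and after the change shows whether the new group holds only "create" and whether the broader "users" grant from the original workaround has crept in.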