Skip to content
Runbooks

Managing Chef User Accounts

Add a user to the Chef server

Section titled “Add a user to the Chef server”

To add a user you will need SSH and root access to the Chef server.

The steps to create a new Chef user are:

  1. SSH into the Chef server

    Terminal window
    ssh cinc-01-inf-ops.c.gitlab-ops.internal

  2. Create the user:

    Terminal window
    sudo -i chef-server-ctl user-create USERNAME FIRSTNAME SURNAME GITLAB_EMAIL $(openssl rand -hex 20)
    • where all-caps words should be replace with the real user information
    • see NOTE below if surname contains white-spaces

  3. copy the private key generated by Chef for this user, which needs to be shared with the user

  4. add the user to gitlab organization

    Terminal window
    sudo -i chef-server-ctl org-user-add gitlab USERNAME

    NOTE* If you’re adding a user with spaces in it, the chef-server-ctl user-create wrapper has a parsing bug. You can work around it like this:

    Terminal window
    sudo /opt/opscode/embedded/bin/knife opc user create username\
    Firstname 'Surname With Spaces' gitlab_email $(openssl rand -hex 20)\
    -c /etc/opscode/pivotal.rb

Grant Chef admin rights to a user

Section titled “Grant Chef admin rights to a user”

For a user that was already created and added to the Chef server, another Chef admin can complete this task locally on their machine:

  • Add the user to the admin group::

    Terminal window
    knife group add user USERNAME admins

  • Check that the user is in the admin group:

    Terminal window
    knife group show admins

Rotate Chef key

Section titled “Rotate Chef key”

To do this it will be necessary to create a new keypair. Because of how Chef behaves the key has to be called default.

  • SSH into the Chef server

  • Remove the default key:

    Terminal window
    sudo -i chef-server-ctl delete-user-key _username_ default

  • Create a new default key:

    Terminal window
    sudo -i chef-server-ctl add-user-key _username_ --key-name default

  • copy the private key generated by Chef for this user.

If default is not declared Chef will use the fingerprint of the key as a name. This will end up breaking Chef execution as it will not be able of finding this key. To check if the user is correctly setup after the key rotation run this command:

Terminal window
$ bundle exec knife user show _username_
display_name: NAME
email:        gitlab email
first_name:   _Firstname_
last_name:    _Surname_
middle_name:
public_key:   -----BEGIN PUBLIC KEY-----
XXXX
-----END PUBLIC KEY-----


username:     _username_

if the public_key field is missing it means that the key will not be found by Chef.

Remove a Chef key from the server

Section titled “Remove a Chef key from the server”

To remove a Chef key, run:

Terminal window
chef-server-ctl delete-user-key USERNAME default

Create a staging user

Section titled “Create a staging user”

For this example we’ll use the username “keysersoze”.

  • create a data bag in data_bags/users called keysersoze.json by copying an existing one. Make sure gitlab-staging is in the roles.

  • add the user databag:

    Terminal window
    knife data bag from file users keysersoze.json

    The lack of path before the JSON file is intended. If the command is successful it will output a message like this: Updated data_bag_item[users::keysersoze]

  • create the user on staging:

    Terminal window
    knife ssh -aipaddress 'roles:gitlab-staging-base' 'sudo chef-client'