Hey, guys I have installed open source scalr, but I encountered a problem about chef-validator when adding chef server from scalr UI. The versions are: Scalr master branch(git clone at 20130904), ubuntu12.04, php5.5, open source chef-server 11.03
The problem is: In page of "create new chef server", when saving, there will be a error message: Request to chef server failed with error: You are not allowed to take this action. (GET /clients) >From scalr wiki(http://wiki.scalr.com/display/docs/Chef), I found that: "In case of hosted Chef server, you need to make sure "scalr-validator" is a member of admin group." But unluckily if using open source chef server, that will be a problem. Open source chef server has no this kind of feature. >From this page(http://docs.opscode.com/auth_authorization.html), we can see difference between open source chef and Hosted Chef. Grant chef-validator the admin privileges is not a good practice, so I tried to find some others. >From chef server's log, we can see: 2013-09-05T07:39:20Z [email protected] INFO req_id=h4iGmUY1a4BROpd8FUXe8Q==; status=403; method=GET; path=/clients; user=chef-validator; msg={forbidden}; req_time=2; rdbms_time=0; rdbms_count=1 Oh, maybe that is just the reason! In chef, API of "/clients" require admin privileges, but API of "/clients/NAME" doesNOT require admin privilege. for chef-validator, it can access /clients/NAME (or knife client show chef-validator), but it canNOT access /clients(or knife client list). So I modified the following code, it works! $ cd /var/www/scalr/src/Scalr/UI/Controller/Services/Chef $ diff Servers.php.org Servers.php 77c77,78 < $response = $chef->getClient(); --- > #$response = $chef->getClient(); > $response = $chef->getClient($this->getParam('userVName')); Is that right? I think it is better not to change chef-validator's privilege to fix the problem. Expect your advice, thanks in advance! Leo -- You received this message because you are subscribed to the Google Groups "scalr-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
