Adding a Chef User
Posted: July 20, 2012 | Author: Sideb0ard | Filed under: chef, configuration management, devops, howto
I’ve just started an ace new job and am really enjoying getting to work with Chef. Coming from using Puppet for over a year, my head is still in the mindset of working out how to do things the Puppet way – some things I’m finding better, some not so good, but all in all, it feels like a more ambitious project, and a lot of fun to play with.
One of the first things I’ve found is that the documentation isn’t so cohesive – there is a lot of it and it’s good, but nothing like the James Turnbull ‘Pro Puppet’ book to hold your hand and guide you. The one I found most useful initially was this post; however, the one thing I wanted to get straight in my head was how to create admin users for Chef, which is glossed over in that brief tutorial, by using the web-ui. The Opscode site documentation for doing this can be found here, but again, kinda buried down there, and as it took me a while to find, I figured a quick post was worth it.
Aiight, so long-winded introduction, but the gist of it is, after install you have one admin user and cert set up on the actual server during install, which is for the webui. On my Debian Squeeze install, this lives at /etc/chef/webui.pem and is mode 600, owned by user ‘chef’. We can use this user/cert to create a client user/cert for ourselves with:
sudo knife configure -i
^ Start with the URL for where you have installed the Chef server, then a name for your client. Notice where it asks for the existing admin username and location of the certificate – enter chef-webui for the user and the /etc/chef/webui.pem file I mentioned. Next it also asks for the validation client name and pem, which is “a special account used to auto-register new nodes.” Go with the default clientname and again, the key file lives in /etc/chef.
If that all worked fine, you should now have two new files in your ~/.chef directory – your knife.rb file and a private key file.
As we ran that as sudo however, you’ll need to chown the files to your own username –
sudo chown -R $USER ~/.chef
Test that works by running
knife client list
which should then list the clients set up by the install like chef-validator and chef-webui, and most importantly your new username. If that worked fine, you can now copy the private key and knife.rb files to your own workstation, adjusting the file locations in the knife.rb as required.
With yourself now set up, you can create keys for other users with:
knife client create NEWUSER -d -a -f NEWUSER.pem
Securely copy that key to the new user and create/generate a suitable knife.rb file for them (e.g. by copying and adjusting your own), and you should be done, multiple admins!
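A permissions check for the ~/.chef directory created above, as an added example that is not part of the original post: running knife configure under sudo can leave files owned by root, and a client key deserves the same mode 600 the install gives webui.pem. The function names are hypothetical, and a find that supports -perm /077 (GNU findutils, as on Debian) is assumed.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes a find that understands "-perm /MODE" (GNU findutils).

# audit_chef_dir DIR [OWNER_UID]
# Prints one line per problem and returns 1 if anything was found, 0 if clean.
audit_chef_dir() {
    dir=$1
    owner=${2:-$(id -u)}   # numeric uid; defaults to the calling user
    report=$(
        # Private keys with any group/other bit set, i.e. looser than 0600.
        find "$dir" -type f -name '*.pem' -perm /077 -exec echo LOOSE_KEY {} \;
        # Files or directories owned by someone else, e.g. root after sudo.
        find "$dir" ! -user "$owner" -exec echo WRONG_OWNER {} \;
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# harden_chef_dir DIR
# Restricts the directory to its owner and every key inside it to mode 600.
# Ownership is not changed here; that still needs the sudo chown shown above.
harden_chef_dir() {
    dir=$1
    chmod 700 "$dir"
    find "$dir" -type f -name '*.pem' -exec chmod 600 {} \;
}

# Typical use after "sudo chown -R $USER ~/.chef":
#   audit_chef_dir "$HOME/.chef" || harden_chef_dir "$HOME/.chef"
```

The same audit is worth running on the workstation after copying the key and knife.rb across, and on any NEWUSER.pem before it is handed over.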

