CHEF-4011 - default location of "encrypted_data_bag_secret" should be set in Chef::Config #682

Closed
wants to merge 11 commits into
from

5 participants

@schisamo
Chef Software, Inc. member
  • moved default encrypted data bag secret file path to Chef::Config[:encrypted_data_bag_secret]
  • added --secret and --secret-file options to knife bootstrap. This approach is more explicit than the previous approach of reading the path to the secret key from the encrypted_data_bag_secret value in the knife.rb file. For backward compatibility we will still attempt to load a key from Chef::Config[:encrypted_data_bag_secret].
  • Updated all bootstrap templates to properly read secret from bootstrap context object.
  • Added deprecation warning to knife bootstrap that is displayed if a user has an 'encrypted_data_bag_secret' entry in their knife.rb file.
  • Full test coverage for the above.
  • Modernized associated RSpec examples.

Individual commits contain in-depth detail about each change.

schisamo added some commits Mar 17, 2013
@schisamo schisamo add missing do/end in bootstrap_spec 845e7cd
@schisamo schisamo modern RSpec update for boostrap_context_spec
* prefer `subject` and `let` blocks to instance variables and before
  blocks
* `eq` instead of `==`
9e4f000
@seth seth commented on the diff Mar 18, 2013
lib/chef/config.rb
@@ -270,6 +270,17 @@ def self.formatters
# `node_name` of the client.
client_key platform_specific_path("/etc/chef/client.pem")
+ # This secret is used to decrypt encrypted data bag items.
+ encrypted_data_bag_secret platform_specific_path("/etc/chef/encrypted_data_bag_secret")
+
+ # We have to check for the existence of the default file before setting it
+ # since +Chef::Config[:encrypted_data_bag_secret]+ is read by older
+ # bootstrap templates to determine if the local secret should be uploaded to
+ # node being bootstrapped. This should be removed in Chef 12.
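Review bot: The comment block that closes this hunk says the default may only be set after checking that the file exists, but the `encrypted_data_bag_secret platform_specific_path(...)` line above it assigns the default path unconditionally. If a conditional further down resets the value to nil when the file is absent, move the assignment inside that conditional, or say in the one-line comment on the setting that the value is nil when no file exists at the default path, so readers of `Chef::Config` do not assume the key always holds a path.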
@seth
Chef Software, Inc. member
seth added a line comment Mar 18, 2013

Would it make sense to add code here that detects Chef version and issues a warning if 12?

@schisamo
Chef Software, Inc. member
schisamo added a line comment Mar 18, 2013

Maybe, I felt it was out of scope for this fix. For now we will be adding an entry to:
http://wiki.opscode.com/display/chef/Chef+12+Release+Checklist

I think we can think about a more general deprecation warning system.

@seth
Chef Software, Inc. member
seth added a line comment Mar 18, 2013

WFM

@seth seth commented on the diff Mar 18, 2013
lib/chef/knife/bootstrap.rb
@@ -228,6 +238,22 @@ def ssh_command
command
end
+ def warn_chef_config_secret_key
+ unless Chef::Config[:encrypted_data_bag_secret].nil?
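Review bot: `unless Chef::Config[:encrypted_data_bag_secret].nil?` cannot tell a user's `encrypted_data_bag_secret` entry in knife.rb apart from the default that lib/chef/config.rb now assigns when a file exists at /etc/chef/encrypted_data_bag_secret, so the deprecation warning would also fire on a workstation that merely has that file. Compare the value against the default path, or record that the value came from the config file, before warning.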
@seth
Chef Software, Inc. member
seth added a line comment Mar 18, 2013

I know it's lame, but I find !if sooo much easier to read.

@danielsdeleo danielsdeleo commented on an outdated diff Mar 18, 2013
spec/unit/encrypted_data_bag_item_spec.rb
end
end
end
context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do
- before do
- @encrypted_value = Version1Encryptor.encrypt_value({"foo" => "bar"}, "passwd")
-
- @decryptor = Chef::EncryptedDataBagItem::Decryptor.for(@encrypted_value, "passwd")
+ let(:encrypted_value) do
+ Version1Encryptor.encrypt_value(plaintext_data, encryption_key)
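Review bot: `plaintext_data` and `encryption_key` in the new `let(:encrypted_value)` are not defined in the lines shown, and the removed `@decryptor = Chef::EncryptedDataBagItem::Decryptor.for(@encrypted_value, "passwd")` has no visible replacement. Define both as `let`s in this context or an enclosing one, and build the decryptor from the same `encryption_key`, so the encrypt and decrypt sides of the example cannot drift to different keys.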
@danielsdeleo
Chef Software, Inc. member
danielsdeleo added a line comment Mar 18, 2013

As long as you're cleaning things up, want to fix my mistake and rename this class Version0Encryptor? Class defn. is at the top of the file.

@seth seth commented on an outdated diff Mar 18, 2013
lib/chef/knife/bootstrap.rb
@@ -228,6 +238,22 @@ def ssh_command
command
end
+ def warn_chef_config_secret_key
+ unless Chef::Config[:encrypted_data_bag_secret].nil?
+ ui.warn "* " * 40
+ ui.warn(<<-WARNING)
+Specifying the encrypted data bag secret key using an 'encrypted_data_bag_secret'
+entry in 'knife.rb' has been deprecated. Please use the '--secret' or
@seth
Chef Software, Inc. member
seth added a line comment Mar 18, 2013

s/has been /is/

@danielsdeleo danielsdeleo commented on the diff Mar 18, 2013
spec/unit/config_spec.rb
@@ -261,6 +261,33 @@
end
end
+ describe "Chef::Config[:encrypted_data_bag_secret]" do
+ db_secret_default_path = "/etc/chef/encrypted_data_bag_secret"
+ let(:db_secret_default_path){ db_secret_default_path }
+
+ before do
+ File.stub(:exist?).with(db_secret_default_path).and_return(secret_exists)
+ # ugh...the only way to properly test this since the conditional
+ # is evaluated at file load/require time.
+ $LOADED_FEATURES.delete_if{|f| f =~ /chef\/config\.rb/}
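Review bot: `db_secret_default_path` is declared twice at the top of the `describe`, once as a local variable and once as a `let` of the same name; inside the `before` block the local takes precedence, so the stub and the examples can end up reading different definitions if one is edited. Keep only the `let`. The pattern `/chef\/config\.rb/` in the `delete_if` would also evict any other loaded feature whose path contains that string, so match the full required path instead.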
@danielsdeleo
Chef Software, Inc. member
danielsdeleo added a line comment Mar 18, 2013

Probably need to save and restore the state of Chef::Config so changes are isolated from other tests.

@danielsdeleo
Chef Software, Inc. member
danielsdeleo added a line comment Mar 19, 2013

Missed that one, of course.

@seth seth commented on the diff Mar 18, 2013
spec/unit/encrypted_data_bag_item_spec.rb
it "serializes the value in a de-serializable way" do
- encryptor = Chef::EncryptedDataBagItem::Encryptor.new(5, "passwd")
@seth
Chef Software, Inc. member
seth added a line comment Mar 18, 2013

not really relevant to this PR, but I find the DRYing up of specs this way to lose the point of the test and make them harder to read. We are going from completely clear to abstracted and I think that's the wrong thing for tests.

@schisamo
Chef Software, Inc. member
schisamo added a line comment Mar 18, 2013

@seth I would disagree. I believe you can have your cake and eat it too. We are still using a named subject which allows you to keep context on what is being tested while reaping benefit of DRYing up the examples. The use of the let blocks also ensures the individual examples are completely isolated. Instance variables in tests have the nasty tendency of hard to track down side effects.

@danielsdeleo danielsdeleo commented on the diff Mar 18, 2013
spec/unit/knife/bootstrap_spec.rb
it "should take the node name from ARGV" do
@knife.name_args = ['barf']
@knife.name_args.first.should == "barf"
end
- describe "when configuring the underlying knife ssh command"
+ describe "specifying the encrypted data bag secret key" do
+ subject(:knife) { described_class.new }
+ let(:secret) { "supersekret" }
+ let(:secret_file) { File.join(CHEF_SPEC_DATA, 'bootstrap', 'encrypted_data_bag_secret') }
+ let(:options) { [] }
+ let(:template_file) { File.expand_path(File.join(CHEF_SPEC_DATA, "bootstrap", "secret.erb")) }
+ let(:rendered_template) do
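Review bot: The new group introduces `subject(:knife)` while the example directly above it still reads `@knife`, so the same file now has two different objects reachable under nearly the same name. Either convert the surrounding examples to the named subject in this change or pick a distinct name here, to avoid an example silently exercising the wrong instance.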
@danielsdeleo
Chef Software, Inc. member
danielsdeleo added a line comment Mar 18, 2013

Would it be better to refactor the knife code to be more testable? Looks like this duplicates the logic from the knife code...

@schisamo
Chef Software, Inc. member
schisamo added a line comment Mar 18, 2013

@danielsdeleo For sure, but that was WAY more involved of a task than I have time for in this fix. We also need to create some shared examples and shared contexts for each of the knife specs overall.

schisamo added some commits Mar 18, 2013
@schisamo schisamo modern RSpec update for encrypted_data_bag_item_spec
* prefer `subject` and `let` blocks to instance variables and before
  blocks
* `eq` instead of `==`
* remove the 'shoulds' from example descriptions
f24031a
@schisamo schisamo prefer `File.exist?` to `File.exists?`
File.exists? was deprecated in Ruby 1.9
3bf2f32
@schisamo schisamo [CHEF-4011] move default secret file path to Chef::Config
* Remove references to DEFAULT_SECRET_FILE from
`Chef::EncryptedDataBagItem`.
* Add new `:encrypted_data_bag_secret` value to `Chef::Config`
* Ensure Chef::Config[:encrypted_data_bag_secret] is nil if the secret
  does not exist at the default path.
* Updated test coverage in `config_spec` and
  `encrypted_data_bag_item_spec`.
34a5456
@schisamo schisamo [CHEF-4011] `--secret` and `--secret-file` options for `knife bootstrap`
This commit adds new CLI options to `knife bootstrap` for specifying
encrypted data bag secret key (actual string or file) at node bootstrap
time. This approach is more explicit than the previous approach of
reading the path to the secret key from the `encrypted_data_bag_secret`
value in the knife.rb file. For backward compatibility we will still
attempt to load a key from Chef::Config[:encrypted_data_bag_secret].
b532c23
@schisamo schisamo [CHEF-4011] update bootstrap templates to read secret from context 3f6f1a5
@schisamo schisamo [CHEF-4011] add secret in knife.rb deprecation warning
This warning should only be displayed if a user has an
'encrypted_data_bag_secret' entry in their knife.rb file.
814521a
@schisamo schisamo Fix trailing whitespace. >_< e9b4f5c
@schisamo schisamo [CHEF-4011] s/Version1Decryptor/Version0Decryptor/
This properly matches the code in `Chef::EncryptedDataBagItem`:

* Version0Decryptor == legacy YAML-based format
* Version1Decryptor == preferred JSON-based format
f580dab
@danielsdeleo danielsdeleo and 1 other commented on an outdated diff Mar 20, 2013
lib/chef/knife/bootstrap.rb
@@ -228,6 +238,22 @@ def ssh_command
command
end
+ def warn_chef_config_secret_key
+ unless Chef::Config[:encrypted_data_bag_secret].nil?
+ ui.warn "* " * 40
+ ui.warn(<<-WARNING)
+Specifying the encrypted data bag secret key using an 'encrypted_data_bag_secret'
+entry in 'knife.rb' is deprecated. Please use the '--secret' or '--secret-file'
+options of this command instead.
+
+#{ui.color('IMPORTANT:', :red, :bold)} In a future version of Chef, this
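Review bot: The warning text recommends `--secret` on equal footing with `--secret-file`, but a key passed as a command-line argument ends up in shell history and is visible in the process list while knife runs. Reword the message to recommend `--secret-file` first and mention `--secret` only as a fallback.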
@danielsdeleo
Chef Software, Inc. member
danielsdeleo added a line comment Mar 20, 2013

It's possible for users to set knife[:secret_file] = "/etc/foo" to configure data bag secret to be distributed to all bootstrapped machines. We should mention this in the warning so users who want that behavior can still get it without triggering a warning.

@schisamo
Chef Software, Inc. member
schisamo added a line comment Mar 20, 2013

@danielsdeleo roger, will get that in there.

@btm btm commented on the diff Mar 20, 2013
spec/data/bootstrap/secret.erb
@@ -0,0 +1,9 @@
+bash -c '
+<% if encrypted_data_bag_secret -%>
+awk NF > /etc/chef/encrypted_data_bag_secret <<'EOP'
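Review bot: On the `awk NF > /etc/chef/encrypted_data_bag_secret <<'EOP'` line, the quotes around `EOP` sit inside the single-quoted string opened by `bash -c '`, so they close and reopen that string and the inner shell sees an unquoted `<<EOP`; a secret containing `$`, a backtick or a single quote would then be expanded or would break the command. Use a delimiter form that survives the outer quoting, and since nothing in the lines shown restricts the mode of the written file, set `umask 077` before the redirect or `chmod 0600` after it.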
@btm
Chef Software, Inc. member
btm added a line comment Mar 20, 2013

awk NF doesn't work on itcy-beard platforms, might wanna consider that. Otherwise we will some other day.

http://tickets.opscode.com/browse/CHEF-3471

@schisamo
Chef Software, Inc. member
schisamo added a line comment Mar 20, 2013

@btm That was taken right out of all the existing bootstrap templates. O_o It shouldn't be a huge deal for the specs since we don't actually do a bootstrap with this file...just evaluate the ERB and verify the resulting file is correct:
https://github.com/opscode/chef/blob/CHEF-4011/spec/unit/knife/bootstrap_spec.rb#L153

@btm
Chef Software, Inc. member
btm added a line comment Apr 1, 2013

Yeah, the existing bootstrap templates need to be awk-free, and will be post CHEF-3471 getting merged. Agree, not a concern, but a pattern we want to eradicate some day.

@schisamo schisamo [CHEF-4011] improve deprecation message
* Add a reference to CHEF-4011 for users who want 
  more information on the deprecation.
* Give users a pointer that `knife[:secret_file]` may still be used for
  previous behavior.
8b70c96
@btm
Chef Software, Inc. member

Merged to master.

@btm btm closed this Apr 11, 2013
@sethvargo sethvargo deleted the CHEF-4011 branch Jul 3, 2013
@ichilton

I'm getting the deprecated warning...presumably because I've got this in my ~/.chef/knife.rb:

knife[:secret_file] = "#{home_dir}/.chef/encrypted_data_bag_secret"

but this change seems to be talking about [:encrypted_data_bag_secret]?

If I remove the above from my knife.rb, then my encrypted_data_bag_secret file won't be automatically distributed to nodes on bootstrap, right?

Is there a way to automatically do that without specifying command line options to knife bootstrap?
(I don't bootstrap directly with knife bootstrap, but with plugins like knife digital_ocean which call bootstrap in their code but obviously don't have those options).

Thanks,

Ian

@arr-dev

I have the same issue as @ichilton.
If I remove encrypted_data_bag_secret from knife.rb, the file is not uploaded to new servers,
even though I have knife[:secret_file] in knife.rb

@schisamo
Chef Software, Inc. member

@ichilton @soul-rebel Looks like the deprecation warning gives a bad config key. 😦

Drop the knife bit and just try:

secret_file = "/path/to/your/secret/file"

It appears CHEF-4509 was opened for this issue.

@schisamo
Chef Software, Inc. member

@ichilton @soul-rebel actually scratch that, this appears to be a bug. I will work on a fix today as part of fixing CHEF-4509.

@ichilton

That would be great - thanks.

Please update on your progress :)

@hairihan

Hi @ichilton @soul-rebel @schisamo,
I have a similar problem to @ichilton.
I really want you to help me - -#

  1. The knife.rb file looks like this.

#encrypted_data_bag_secret "#{current_dir}/encrypted_data_bag_secret"
////////knife[:secret] = "qrXXXXXX="
knife[:secret_file] = "#{current_dir}/encrypted_data_bag_secret"

  2. Use the following command to save the password to the Chef server.

knife data bag create --secret-file ~/.chef/encrypted_data_bag_secret secrets mysql

  3. Add the following at the top of /cookbooks/mysql/recipes/server.rb:

secrets = Chef::EncryptedDataBagItem.load("secrets", "mysql")
if secrets && mysql_passwords = secrets[node.chef_environment]
node['mysql']['server_root_password'] = mysql_passwords['root']
node['mysql']['server_debian_password'] = mysql_passwords['debian']
node['mysql']['server_repl_password'] = mysql_passwords['repl']
end
  4. And then, the following error messages were displayed.

Recipe Compile Error in /var/chef/cache/cookbooks/mysql/recipes/server.rb
TypeError
can't convert nil into String
Cookbook Trace:
/var/chef/cache/cookbooks/mysql/recipes/server.rb:2:in `from_file'
Relevant File Content:
/var/chef/cache/cookbooks/mysql/recipes/server.rb:
1: # Customization: get passwords from encrypted data bag
2>> secrets = Chef::EncryptedDataBagItem.load("secrets", "mysql")

I have read your post at https://tickets.opscode.com/browse/CHEF-4011
But I do not understand it clearly. Could you explain it to me in more detail?
How to "moved default encrypted data bag secret file path to Chef::Config[:encrypted_data_bag_secret]"?

Sorry for the long post.

@schisamo
Chef Software, Inc. member

@tongkang I think you are confusing 2 different things. Now that CHEF-4509 has been fixed with Chef 11.8.0+ you would specify the path to your encrypted data bag secret file in your knife.rb as follows:

knife[:secret_file] = "/some/local/path/encrypted_data_bag_secret"

If this value is set in knife.rb you will not need to pass the --secret-file option to the following knife commands:

knife bootstrap
knife data bag create
knife data bag edit
knife data bag from file
knife data bag show

For nodes that will need the secret to decrypt data bag items during a Chef run they would still specify the path to the secret in your client.rb as follows:

encrypted_data_bag_secret "/path/to/the/secret"

I recommend leveraging knife bootstrap as it does the heavy lifting of transferring the secret to the node being bootstrapped AND ensures your client.rb is configured correctly.

@hairihan

@schisamo Thank you very much,
I do misunderstand CHEF-4509. I found that the point of my problem is to make sure the following will be added to the file

/etc/chef/client.rb
in EC2 intend to provision.
encrypted_data_bag_secret "/path/to/the/secret" 

Thanks a lot.

I try using knife bootstrap to make sure that the

/etc/chef/client.rb 
file at EC2 will be updated when I use the knife ec2 server create command at my workstation. However, it did not work well.
What I want to do is "Provisioning a LAMP stack with Chef EC2"
It is similar to following blog.
http://blog.fungibleclouds.com/blog/2012/12/09/using-chef-to-deploy-cloud-applications/

For now, the files look as follows:

 # knife.rb
current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "tongkang"
client_key               "#{current_dir}/tongkang.pem"
validation_client_name   "tongkang-validator"
validation_key           "#{current_dir}/tongkang-validator.pem"
chef_server_url          "https://api.opscode.com/organizations/tongkang"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../testChefVagrantAws/chef-repo/cookbooks"]
cookbook_copyright       "tongkang"
cookbook_email           "x@email.com"
cookbook_license         "apachev2"
knife[:aws_access_key_id] = 'Axxxxxxxxxxxxxxx'
knife[:aws_ssh_key_id] = 'aws-2013'
knife[:aws_secret_access_key] = 'bKXxxxxxxxxxxxxxxxxxx' 
knife[:secret_file] = "#{current_dir}/encrypted_data_bag_secret"
knife[:distro] = "ubuntu12.04-gems.erb"

I found that the default template does not work well, so I try to modify the default ubuntu12.04-gems.erb as follows. But it seems not to work well.


# .chef/bootstrap/ubuntu12.04-gems.erb
bash -c '
<%= "export http_proxy=\"#{knife_config[:bootstrap_proxy]}\"" if knife_config[:bootstrap_proxy] -%>
if [ ! -f /usr/bin/chef-client ]; then
  echo "chef    chef/chef_server_url    string  <%= @chef_config[:chef_server_url] %>" | debconf-set-selections
  [ -f /etc/apt/sources.list.d/opscode.list ] || echo "deb http://apt.opscode.com precise-0.10 main" > /etc/apt/sources.list.d/opscode.list
  wget <%= "--proxy=on " if knife_config[:bootstrap_proxy] %>-O- http://apt.opscode.com/packages@opscode.com.gpg.key | apt-key add -
fi
apt-get update
apt-get install -y chef
(
cat <<'EOP'
<%= validation_key %>
EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
cat <<'EOP'
<%= encrypted_data_bag_secret %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
<% end -%>
<% unless @chef_config[:validation_client_name] == "chef-validator" -%>
[  `grep -qx "validation_client_name \"<%= @chef_config[:validation_client_name] %>\"" /etc/chef/client.rb` ] || echo "validation_client_name \"<%= @chef_config[:validation_client_name] %>\"" >> /etc/chef/client.rb
<% end -%>
<% if @config[:chef_node_name] %>
[ `grep -qx "node_name \"<%= @config[:chef_node_name] %>\"" /etc/chef/client.rb` ] || echo "node_name \"<%= @config[:chef_node_name] %>\"" >> /etc/chef/client.rb
<% end -%>
<% if knife_config[:bootstrap_proxy] %>
echo 'http_proxy  "knife_config[:bootstrap_proxy]"' >> /etc/chef/client.rb
echo 'https_proxy "knife_config[:bootstrap_proxy]"' >> /etc/chef/client.rb
<% end -%>
(
cat <<'EOP'
<%= { "run_list" => @run_list }.to_json %>
EOP
) > /etc/chef/first-boot.json
<%= start_chef %>'

I do not know why the client.rb was not updated.
Is there any way to debug the template file?
Can you help me one more time?
Sorry for writing a lot and for my poor English.
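
The template posted above guards the secret block on `@chef_config[:encrypted_data_bag_secret]`, while the spec fixture in this PR tests the context's `encrypted_data_bag_secret` instead. The following is an added example, not part of the original thread or of Chef's code, that renders both guards with ERB to show when each one emits the secret; `ToyBootstrapContext`, the template constants, the path and the sample secret are constructed for illustration.

```ruby
require "erb"

# Hypothetical stand-in for the object a bootstrap template is rendered
# against; it is NOT Chef's own bootstrap context class.
class ToyBootstrapContext
  # chef_config: hash standing in for Chef::Config as seen by knife
  # secret:      key material resolved from --secret, --secret-file or
  #              knife[:secret_file] (nil when none was given)
  def initialize(chef_config:, secret:)
    @chef_config = chef_config
    @secret = secret
  end

  # What a template reading from the context asks for.
  def encrypted_data_bag_secret
    @secret
  end

  # "-" trim mode makes `-%>` swallow the following newline, matching the
  # tag style used by the templates on this page.
  def render(template)
    ERB.new(template, trim_mode: "-").result(binding)
  end
end

# Shell fragment that writes the secret on the node (shape taken from the
# templates quoted in the thread, shortened).
SECRET_BLOCK = <<~'BODY'
  cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
  <%= encrypted_data_bag_secret %>
  EOP
BODY

# Older guard: looks at the config entry, not at the resolved secret.
OLD_GUARD_TEMPLATE =
  "<% if @chef_config[:encrypted_data_bag_secret] -%>\n#{SECRET_BLOCK}<% end -%>\n"
# Guard used by the spec fixture in this PR: asks the context directly.
NEW_GUARD_TEMPLATE =
  "<% if encrypted_data_bag_secret -%>\n#{SECRET_BLOCK}<% end -%>\n"

def secret_written?(rendered)
  rendered.include?("cat > /etc/chef/encrypted_data_bag_secret")
end

# Returns which guard emits the secret block for a given setup.
def compare_guards(chef_config:, secret:)
  ctx = ToyBootstrapContext.new(chef_config: chef_config, secret: secret)
  {
    old_guard: secret_written?(ctx.render(OLD_GUARD_TEMPLATE)),
    new_guard: secret_written?(ctx.render(NEW_GUARD_TEMPLATE)),
  }
end

SAMPLE_SECRET = "c2FtcGxlLWtleS1ub3QtcmVhbA==" # constructed, not a real key

SCENARIOS = {
  "secret given via --secret-file / knife[:secret_file], no config entry" =>
    { chef_config: {}, secret: SAMPLE_SECRET },
  "deprecated knife.rb entry present, secret loaded from it" =>
    { chef_config: { encrypted_data_bag_secret: "/path/to/secret" },
      secret: SAMPLE_SECRET },
  "no secret configured anywhere" =>
    { chef_config: {}, secret: nil },
}

if __FILE__ == $PROGRAM_NAME
  SCENARIOS.each do |name, args|
    puts "#{name}: #{compare_guards(**args)}"
  end
end
```

In the first scenario the older guard renders nothing, so the node would be bootstrapped without a secret file even though knife resolved one.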

@schisamo
Chef Software, Inc. member

@tongkang What version of Chef is installed on your local workstation? The fix for CHEF-4509 will be part of 11.8.0 which hasn't been released yet. This explains why your encrypted data bag secret is not being transferred to the node being bootstrapped. As the bug reported in CHEF-4509 only affects specifying a secret file in knife.rb you can still specify the --secret-file option while executing knife bootstrap and things should work as expected.

I would also recommend just using the chef-full bootstrap script. This is the default if you do not specify anything for the -d or --template-file options when executing knife bootstrap.

@hairihan

@schisamo Thank you so much,
chef version that I installed in my workstation:

$ chef-client --version
Chef: 11.6.2

I use the
knife ec2 plugin instead of knife bootstrap
I think the knife ec2 plugin and knife bootstrap contain similar functions.
knife ec2 command I used:

knife ec2 server create \
    -S aws -i ~/.ssh/XXXaws-2013.pem \
    -g quicklaunch-1 \
    -x ubuntu \
    -d ubuntu12.04-gems \
    -E prod \
    -I "ami-70f96e40" \
    -f t1.micro \
    -r "role[base],role[db_master],role[webserver]" \
    -Z us-west-2a \
    --region us-west-2 

But I didn't find a --secret-file option that can be used in the knife ec2 server create command.

@schisamo
Chef Software, Inc. member

@tongkang it appears to exist in the master branch of knife-ec2:
https://github.com/opscode/knife-ec2/blob/master/lib/chef/knife/ec2_server_create.rb#L183-L186
chef/knife-ec2@c289391

You should be able to install this unreleased version by cloning the source and running rake install.

Hopefully an updated version of knife-ec2 will be released soon with this change. /cc @adamedx

@hairihan

@schisamo Thanks a lot. Ignore the previous post.
The problem has been solved !!!
I have spent 3 days on this problem, thank you very much.

@schisamo
Chef Software, Inc. member

@tongkang Glad things are working for you! Sorry you had to deal with so many problems, we are working hard to make Chef more delightful to use.

@hairihan

@schisamo
Sorry to ask you again, but I find that I could not access mysql by using the password set in encrypted_data_bag_secret. Like below:

$ mysql -u root -p
Enter password: Type "password"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

knife data bag create --secret-file ~/.chef/encrypted_data_bag_secret secrets mysql
{
  "id": "mysql",
  "prod": {
    "root": "password",
    "repl": "password",
    "debian": "password"
  },
  "dev": {
    "root": "password",
    "repl": "password",
    "debian": "password"
  }
}

I run the knife data bag show secrets mysql --secret-file ~/.chef/encrypted_data_bag_secret
command on my workstation and get the following result.

dev:
  debian: password
  repl:   password
  root:   password
id:   mysql
prod:
  debian: password
  repl:   password
  root:   password

I also tried to provision a VM using Vagrant.

#Vagrantfile
Vagrant::Config.run do |config| 
  config.vm.box = "precise64"
  config.vm.forward_port 80, 8080

  config.vm.customize [
    "modifyvm", :id,
    "--name", "LAMP VM",
    "--memory", "1024"
  ]

  config.vm.network :hostonly, "10.0.0.23"
  config.vm.host_name = "lamp-vm"
  config.vm.share_folder("v-root", "/home/vagrant/apps", ".", :nfs => true) 

  # Your organization name for hosted Chef 
  orgname = "tongkang"

  # Set the Chef node ID based on environment variable NODE, if set. Otherwise default to vagrant-$USER
  node = ENV['NODE']
  node ||= "vagrant-#{ENV['USER']}"

  config.vm.provision :chef_client do |chef|
    chef.chef_server_url = "https://api.opscode.com/organizations/#{orgname}"
    chef.validation_key_path = "#{ENV['HOME']}/.chef/#{orgname}-validator.pem"
    chef.validation_client_name = "#{orgname}-validator"
    chef.encrypted_data_bag_secret_key_path = "#{ENV['HOME']}/.chef/encrypted_data_bag_secret"
    chef.node_name = "#{node}"
    chef.provisioning_path = "/etc/chef"
    chef.log_level = :debug
    #chef.log_level = :info

    chef.environment = "dev" 
    chef.add_role("base")
    chef.add_role("db_master")
    chef.add_role("webserver")

    #chef.json.merge!({ :mysql_password => "foo" }) # You can do this to override any default attributes for this node.
  end 
end

But I also get the following message:
FATAL: Net::HTTPServerException: 403 "Forbidden"
The node permissions at the OPSCODE Manage site look like this:
[screenshot: 2013-10-24 2 13 07 pm]

I think there may be some common factor in these two problems.
Could you help me?
