Created
January 24, 2015 01:15
-
-
Save stevendanna/1eb99f01a2f0f22ba619 to your computer and use it in GitHub Desktop.
danger_add_users_to_global_admins_group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/opt/opscode/embedded/bin/ruby | |
| require 'sequel' | |
| require 'json' | |
| require 'uri' | |
| require 'net/http' | |
| orgname = ARGV[0] | |
| if orgname.nil? | |
| STDERR.puts "usage: danger_add_users_to_global_admins_group ORGNAME" | |
| STDERR.puts "Please specify an organization name." | |
| exit 1 | |
| end | |
| running_config = JSON.parse(File.read("/etc/opscode/chef-server-running.json")) | |
| db_user = running_config['private_chef']['postgresql']['sql_user'] | |
| db_password = running_config['private_chef']['postgresql']['sql_password'] | |
| db_host = running_config['private_chef']['postgresql']['listen_address'] | |
| bifrost_su_id = running_config['private_chef']['oc_bifrost']['superuser_id'] | |
| @db = Sequel.connect(:adapter => 'postgres', :host => db_host, | |
| :database => 'opscode_chef', :user => db_user, | |
| :password => db_password, :convert_infinite_timestamps => :float) | |
| org_id = @db[:orgs].select(:id).where(:name => orgname).first[:id] | |
| global_admins_authz_id = @db[:groups].select(:authz_id).where(:name => "#{orgname}_global_admins", :org_id => '00000000000000000000000000000000').first[:authz_id] | |
| user_group_authz_id = @db[:groups].select(:authz_id).where(:name => "users", :org_id => org_id).first[:authz_id] | |
| uri = URI("http://localhost:9463/groups/#{global_admins_authz_id}/groups/#{user_group_authz_id}") | |
| req = Net::HTTP::Put.new(uri.request_uri) | |
| req['X-Ops-Requesting-Actor-Id'] = bifrost_su_id | |
| req['Content-Type'] = 'application/json' | |
| req.body = "{}" | |
| res = Net::HTTP.start(uri.hostname, uri.port) {|http| | |
| http.request(req) | |
| } | |
| if ! res.is_a?(Net::HTTPSuccess) | |
| puts res.body | |
| puts "Group update failed. /var/log/opscode/oc_bifrost/request.log.N is likely helpful" | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
IMPORTANT NOTE: The 'global admin' permission group internal to Chef is grossly mis-named. Global Admin to me implies "all the power everywhere forever in the entire network," but in Chef Internals parlance it means "can read all the other users and has this name because of where it was stored in CouchDB back in the day."
The "global admins" group is not exposed in the Chef Server UI.