Monday, September 13, 2010

Authorization error with API user knife initialization `knife configure -i`

Notice these errors. First error shows the API user of knife (root) failed to authenticate:


# knife client list
WARN: HTTP Request Returned 401 Unauthorized: Failed to authenticate!
/usr/lib/ruby/1.8/net/http.rb:2101:in `error!': 401 "Unauthorized" (Net::HTTPServerException)
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:217:in `api_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:268:in `retriable_rest_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:198:in `api_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:101:in `get_rest'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:185:in `list'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/client_list.rb:35:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/application/knife.rb:115:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/bin/knife:25
from /usr/bin/knife:19:in `load'
from /usr/bin/knife:19

so I tried to re-initialize API user (root). And encountered another authentication failure (this time with webui client user (see chef-server log that follows).

# knife configure -i
Overwrite /root/.chef/knife.rb? (Y/N) Y
Please enter the chef server URL: [http://localhost:4000]
Please enter a clientname for the new client: [root]
Please enter the existing admin clientname: [chef-webui]
Please enter the location of the existing admin client's private key: [/etc/chef/webui.pem]
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef/validation.pem]
Please enter the path to a chef repository (or leave blank):
WARN: Creating initial API user...
FATAL: Failed to read the private key /etc/chef/webui.pem: #, /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:59:in `read'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:59:in `load_signing_key'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:33:in `initialize'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `new'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `initialize'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `new'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `save'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/client_create.rb:55:in `run'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/configure.rb:86:in `run'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/application/knife.rb:115:in `run'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/bin/knife:25/usr/bin/knife:19:in `load'/usr/bin/knife:19
/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:62:in `load_signing_key': I cannot read /etc/chef/webui.pem, which you told me to use to sign requests! (Chef::Exceptions::PrivateKeyMissing)
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:33:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `new'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `new'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `save'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/client_create.rb:55:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/configure.rb:86:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/application/knife.rb:115:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/bin/knife:25
from /usr/bin/knife:19:in `load'
from /usr/bin/knife:19

This is the chef-server log that gives hint it is webui that is failing to authenticate:

2010-09-13_15:13:48.61008 INFO: Authenticating client chef-webui
2010-09-13_15:13:48.63105 merb : worker (port 4000) ~ Started request handling: Mon Sep 13 08:13:48 -0700 2010
2010-09-13_15:13:48.63110 merb : worker (port 4000) ~ Params: {"name"=>"root", "action"=>"create", "admin"=>true, "controller"=>"clients"}
2010-09-13_15:13:48.63112 merb : worker (port 4000) ~ Failed to authenticate! - (Merb::ControllerExceptions::Unauthorized)
2010-09-13_15:13:48.63165 /usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.6/app/controllers/application.rb:50:in `authenticate_every'
2010-09-13_15:13:48.63166 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `send'
2010-09-13_15:13:48.63167 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `_call_filters'
2010-09-13_15:13:48.63169 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `each'
2010-09-13_15:13:48.63170 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `_call_filters'
2010-09-13_15:13:48.63171 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:286:in `_dispatch'
2010-09-13_15:13:48.63172 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:284:in `catch'
2010-09-13_15:13:48.63175 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:284:in `_dispatch'
2010-09-13_15:13:48.63176 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:285:in `_dispatch'
2010-09-13_15:13:48.63177 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:262:in `_call'
2010-09-13_15:13:48.63178 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:252:in `call'
2010-09-13_15:13:48.63179 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:91:in `dispatch_action'
2010-09-13_15:13:48.63180 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:69:in `handle'
2010-09-13_15:13:48.63181 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:29:in `handle'
2010-09-13_15:13:48.63183 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/application.rb:17:in `call'
2010-09-13_15:13:48.63184 /usr/lib/ruby/gems/1.8/gems/rack-1.0.0/lib/rack/content_length.rb:13:in `call'
2010-09-13_15:13:48.63185 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:76:in `pre_process'
2010-09-13_15:13:48.63186 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:74:in `catch'
2010-09-13_15:13:48.63188 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:74:in `pre_process'
2010-09-13_15:13:48.64712 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:57:in `process'
2010-09-13_15:13:48.64713 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:42:in `receive_data'
2010-09-13_15:13:48.64715 /usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.8/lib/eventmachine.rb:242:in `run_machine'
2010-09-13_15:13:48.64716 /usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.8/lib/eventmachine.rb:242:in `run'
2010-09-13_15:13:48.64717 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/backends/base.rb:57:in `start'
2010-09-13_15:13:48.64718 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/server.rb:156:in `start'
2010-09-13_15:13:48.64719 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/thin.rb:30:in `start_server'
2010-09-13_15:13:48.64720 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/abstract.rb:305:in `start_at_port'
2010-09-13_15:13:48.64721 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/abstract.rb:138:in `start'
2010-09-13_15:13:48.64727 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:174:in `bootup'
2010-09-13_15:13:48.64729 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:42:in `start'
2010-09-13_15:13:48.64732 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core.rb:165:in `start'
2010-09-13_15:13:48.64733 /usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.6/bin/chef-server:75
2010-09-13_15:13:48.64734 /usr/bin/chef-server:19:in `load'
2010-09-13_15:13:48.64735 /usr/bin/chef-server:19
2010-09-13_15:13:48.64736 merb : worker (port 4000) ~ Params: {"name"=>"root", "action"=>"create", "admin"=>true, "controller"=>"clients"}
2010-09-13_15:13:48.64738 merb : worker (port 4000) ~ {:dispatch_time=>0.041183, :action_time=>0.008142, :after_filters_time=>3.2e-05, :before_filters_time=>0.002237}
2010-09-13_15:13:48.64739 merb : worker (port 4000) ~
2010-09-13_15:13:48.64740


Delete root and webui clients and delete corresponding keys (/root/.chef/root.pem and /etc/chef/webui.pem). Restart chef-server and you should get a new set of keys. Initialize a new API user (root):

# knife configure -i
Overwrite /root/.chef/knife.rb? (Y/N) Y
Please enter the chef server URL: [http://localhost:4000]
Please enter a clientname for the new client: [root]
Please enter the existing admin clientname: [chef-webui]
Please enter the location of the existing admin client's private key: [/etc/chef/webui.pem]
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef/validation.pem]
Please enter the path to a chef repository (or leave blank):
WARN: Creating initial API user...
INFO: Created (or updated) client[root]
WARN: Configuration file written to /root/.chef/knife.rb

Test API with knife

# knife client list

should give you a list of clients.