How Can I Recover The Pivotal User After Accidental Deletion?

The pivotal user should never be deleted or altered, because it has privileges on the Users container that no other identity has, namely the CREATE ACE for the global Users container. This situation will improve somewhat after Chef Server 12.3.1.

If you are already in the situation where the pivotal user has been deleted and are on a Chef Server 12.x release 12.3.1 or lower, you can recover the pivotal user with the following annotated steps.


# create pivotal's public key from /etc/opscode/pivotal.pem and store in an accessible location

openssl rsa -in /etc/opscode/pivotal.pem -pubout > /var/opt/opscode/postgresql/9.2/data/

# get the pivotal user's authz_id and store in an accessible location

echo "SELECT authz_id FROM auth_actor WHERE id = 1" | su -l opscode-pgsql -c 'psql bifrost -tA' | tr -d '\n' > /var/opt/opscode/postgresql/9.2/data/pivotal.authz_id

# create the pivotal user's record 

echo "INSERT INTO users (id, authz_id, username, email, pubkey_version, public_key, serialized_object, last_updated_by, created_at, updated_at) VALUES (md5(random()::text), pg_read_file('pivotal.authz_id'), 'pivotal', '', 0, pg_read_file(''), '{\"first_name\":\"Clark\",\"last_name\":\"Kent\",\"display_name\":\"Clark Kent\"}', pg_read_file('pivotal.authz_id'), LOCALTIMESTAMP, LOCALTIMESTAMP);" | su -l opscode-pgsql -c 'psql opscode_chef'

# delete the temporary files

rm /var/opt/opscode/postgresql/9.2/data/ /var/opt/opscode/postgresql/9.2/data/pivotal.authz_id



If you have a pivotal user in your database, but /etc/opscode/pivotal.pem doesn't match the public key stored in the keys table for that user on a Chef Server 12.6.x or later system, you can UPDATE that key as shown below. First run the openssl rsa command from the first command-line example above to export your public key in the format needed for the UPDATE.

echo "SELECT id FROM users WHERE username='pivotal'" | su -l opscode-pgsql -c 'psql opscode_chef -tA' | tr -d '\n' > /var/opt/opscode/postgresql/9.2/data/pivotal_id
echo "UPDATE keys SET (public_key) = (pg_read_file('')) WHERE id=(pg_read_file('pivotal_id'))" | su -l opscode-pgsql -c 'psql opscode_chef -tA'
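
Before running the UPDATE above, it is worth confirming that /etc/opscode/pivotal.pem really does not match the stored key. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes the stored key has already been exported to a file as a PEM public key (the format `openssl rsa -pubout` produces).

```shell
# Added example, not from the original article. Function names are hypothetical.
# Assumes the stored key was exported to a file as a PEM public key, the
# format `openssl rsa -pubout` produces.

# Print the SHA-256 of the DER-encoded public key.
#   $1 = "priv" (derive it from a private key) or "pub" (read a public key)
#   $2 = path to the PEM file
pub_fingerprint() {
    der=$(mktemp) || return 2
    if [ "$1" = priv ]; then
        openssl pkey -in "$2" -pubout -outform DER -out "$der" 2>/dev/null
    else
        openssl pkey -pubin -in "$2" -outform DER -out "$der" 2>/dev/null
    fi || { rm -f "$der"; return 2; }
    # Hash the DER bytes so PEM line wrapping or trailing whitespace
    # cannot cause a false mismatch.
    openssl dgst -sha256 -r "$der" | cut -d' ' -f1
    rm -f "$der"
}

# Exit status: 0 = keys match, 1 = mismatch, 2 = a file could not be parsed.
#   $1 = private key (e.g. /etc/opscode/pivotal.pem)
#   $2 = public key exported from the database
pivotal_key_matches() {
    want=$(pub_fingerprint priv "$1") || return 2
    have=$(pub_fingerprint pub "$2") || return 2
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Demonstration on constructed throwaway keys: sh thisfile demo
demo() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/a.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/b.pem" 2048 2>/dev/null
    openssl pkey -in "$d/a.pem" -pubout -out "$d/a.pub" 2>/dev/null
    openssl pkey -in "$d/b.pem" -pubout -out "$d/b.pub" 2>/dev/null
    pivotal_key_matches "$d/a.pem" "$d/a.pub"; echo "a.pem vs a.pub: $?"
    pivotal_key_matches "$d/a.pem" "$d/b.pub"; echo "a.pem vs b.pub: $?"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

An exit status of 2 means one of the files is not a parseable key, which is treated separately from a mismatch so that a bad export is not mistaken for a wrong key.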
