Summary
If you upgrade a Chef Automate instance from any version before 20200408145843 to any version at or after it, you may observe that chef-client runs begin to fail to forward their compliance or run data through the data-collector endpoint:
[2020-05-11T05:45:34-05:00] INFO: Report to Chef Automate via Chef Server: https://chefserver.com/organizations/csg/data-collector
[2020-05-11T05:45:34-05:00] ERROR: 403 "Forbidden" (Net::HTTPServerException)
You may also see "403: unauthorized members" in the Automate UI dashboard when logged in through the browser.
Distribution
Product | Version | Topology
Chef Automate | 20200408145843 and later | Standalone
Process
Plan
Preparation:
Existing Customers
For current Chef Automate users, installing the latest version of Automate brings the latest version of IAM with it. If you have auto-upgrade enabled, be aware that the following applied on the day of the release, April 13, 2020. If you were already using IAM before this release, note the following:
- There is no way to reset to IAM v1.
- All IAM v1 policies are migrated to IAM v2 as legacy policies.
- Move the members of these legacy policies to the new policies and then delete the legacy policies.
- If you do not want your IAM v1 policies migrated, upgrade before this release using:
chef-automate iam upgrade-to-v2 --skip-policy-migration
- Anyone who had already upgraded to IAM v2 and created custom policies using infra:* may want to adjust those policies to use infra:nodeManagers:* and infra:nodes:*, because infraServers now sits under infra and only admins are intended to see and interact with infra servers.
- We recommend taking a new backup after the new version of Automate is installed.
Design: N/A
Configure
Evaluation:
Once Automate has been upgraded, check and confirm that the relevant users, teams and tokens are assigned to the migrated legacy policies and, after you move them, to the IAM v2 policies that replace them.
Application:
In this release, users of Identity and Access Management v1 (IAM v1) are automatically upgraded to Identity and Access Management v2 (IAM v2). All IAM v1 users, teams, tokens and policies are migrated to IAM v2. Some details to keep in mind:
API tokens created in the browser work differently in IAM v2. After creation, an API token has zero permissions; a token that is not a member of any policy is rejected with 403. Add the new API token to a policy to grant it permissions.
If you wish to migrate your legacy policies to IAM v2, check the permissions and their mappings on a per-policy basis and move the respective members to their new policies. Any custom IAM v1 policies should be recreated, and only once you have verified that all members are covered by the new policies should you remove the legacy policies.
To do this you can use either the UI or the API to administer Automate. For a complete overview see:
https://docs.chef.io/automate/iam_v2_guide/
Troubleshoot
Analysis:
To see all your policies, run the following on the Automate host (you will need an API token with administrative privileges to hand):
export TOKEN='<INSERT_A2_TOKEN_HERE>'
curl -k -s -H "api-token: $TOKEN" https://localhost/apis/iam/v2/policies | tee policies.json
Note that -k disables TLS certificate verification; it is tolerable only because the request stays on the loopback interface of the Automate host. If you run this from elsewhere, drop -k and pass the Automate CA certificate with --cacert instead. The output file is overwritten on each run so that policies.json stays valid JSON.
Take a note of each API token's name, the policies it is a member of, and whether the token value matches the one configured on the Chef Infra Server (the data collector token) or on the chef-client.
The same should apply to your SAML/LDAP teams or specific Administrator user policies. You should check that all member expressions conform to your expectations per https://docs.chef.io/automate/iam_v2_guide/#member-expressions
Remember that policies are often used in conjunction with SAML/LDAP, which are external systems to Chef Automate with their own intricacies and are subject to change by their own administrative teams. It is a good idea to reach out to your SAML/LDAP admin team and confirm that group names and memberships are as they were before you noticed the issue.
Remediation:
Once you have the policy dump, parse through it to confirm that the ingest token you have assigned is a member of the relevant ingest access (and, for InSpec reports, compliance access) IAM policies. Do the same for any users and teams, checking that they map to the Owners/Administrators/Editors/Viewers roles in IAM v2 as intended. See https://docs.chef.io/automate/iam_v2_guide/#view-policies .
If the token is not assigned, follow the documentation to add it to the necessary IAM v2 policies, then rerun the chef-client and confirm that the report now uploads as expected.
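The following is an added example and is not part of this article or of Chef's own tooling. It is a small Python script that reads a policies.json dump such as the one produced by the curl command in the Analysis step and answers, for one member expression (a token:<id>, user:local:<name> or team:saml:<name>), which IAM v2 policies include it and whether those policies allow or deny a given action, honouring the IAM v2 rules that a wildcard is only valid as a trailing segment and that a DENY statement overrides any ALLOW. The embedded sample policies, the role-to-action table, the "[Legacy]" name prefix used to spot migrated policies and the action name infra:ingest:nodes:create are assumptions made for the example; check them against your own dump and the Automate documentation before relying on the result.

```python
import json
import sys

# Constructed sample in the shape of a GET /apis/iam/v2/policies response
# (an assumption for this example; replace it with your own policies.json dump).
SAMPLE_POLICIES_JSON = json.dumps({"policies": [
    {"id": "ingest-access", "name": "Ingest Access", "type": "CHEF_MANAGED",
     "members": ["token:6f1c2a3e-ingest", "token:revoked-1"],
     "statements": [{"effect": "ALLOW", "actions": [], "role": "ingest",
                     "resources": ["*"], "projects": ["*"]}], "projects": []},
    {"id": "administrator-access", "name": "Administrator", "type": "CHEF_MANAGED",
     "members": ["team:local:admins", "user:local:alice"],
     "statements": [{"effect": "ALLOW", "actions": [], "role": "owner",
                     "resources": ["*"], "projects": ["*"]}], "projects": []},
    {"id": "legacy-compliance-viewer", "name": "[Legacy] Compliance Viewer",
     "type": "CUSTOM", "members": ["team:saml:*"],
     "statements": [{"effect": "ALLOW", "actions": ["compliance:*"], "role": "",
                     "resources": ["*"], "projects": ["*"]}], "projects": []},
    {"id": "block-revoked-token", "name": "Block revoked token", "type": "CUSTOM",
     "members": ["token:revoked-1"],
     "statements": [{"effect": "DENY", "actions": ["infra:ingest:*"], "role": "",
                     "resources": ["*"], "projects": ["*"]}], "projects": []},
]})

# Actions granted by the roles that statements refer to by name. Only the two
# roles the sample uses are listed; this table is an assumption, so add your own
# custom roles (GET /apis/iam/v2/roles) before trusting a result.
ROLE_ACTIONS = {
    "owner": ["*"],
    "ingest": ["infra:ingest:*", "compliance:profiles:get", "compliance:profiles:list"],
}


def expression_matches(pattern, value):
    """Match an IAM v2 member or action expression against a concrete value.
    Only a trailing '*' segment is a wildcard ('user:*', 'team:ldap:*',
    'infra:ingest:*'); '*' alone matches everything; anything else is exact."""
    if pattern == "*":
        return True
    pat, val = pattern.split(":"), value.split(":")
    if pat[-1] == "*":
        return len(val) > len(pat) - 1 and val[:len(pat) - 1] == pat[:-1]
    return pat == val


def policies_for_member(policies, member):
    """Every policy whose member list covers this member."""
    return [p for p in policies
            if any(expression_matches(m, member) for m in p.get("members", []))]


def check_access(policies_json, member, action, roles=ROLE_ACTIONS):
    """Decide whether `member` may perform `action`.
    Returns (allowed, allowing_policy_ids, denying_policy_ids); a DENY
    statement in any matching policy overrides every ALLOW, as in IAM v2."""
    policies = json.loads(policies_json)["policies"]
    allow, deny = set(), set()
    for pol in policies_for_member(policies, member):
        for st in pol.get("statements", []):
            actions = list(st.get("actions", [])) + roles.get(st.get("role") or "", [])
            if any(expression_matches(a, action) for a in actions):
                (allow if st.get("effect") == "ALLOW" else deny).add(pol["id"])
    return (bool(allow) and not deny, sorted(allow), sorted(deny))


def legacy_policy_ids(policies_json):
    """Policies migrated from IAM v1, assumed here to carry a '[Legacy]' name prefix."""
    return sorted(p["id"] for p in json.loads(policies_json)["policies"]
                  if p.get("name", "").startswith("[Legacy]"))


if __name__ == "__main__":
    # usage: python check_ingest.py policies.json token:<id> [action]
    # The default action name is an assumption; take the real one from the
    # Automate action list if it differs.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICIES_JSON
    member = sys.argv[2] if len(sys.argv) > 2 else "token:6f1c2a3e-ingest"
    action = sys.argv[3] if len(sys.argv) > 3 else "infra:ingest:nodes:create"
    ok, allowed_by, denied_by = check_access(data, member, action)
    print(f"{member} -> {action}: {'ALLOW' if ok else 'DENY'} "
          f"allow={allowed_by} deny={denied_by}")
    print("legacy policies still present:", legacy_policy_ids(data))
```

Run it against your own dump with the token id that the Chef Infra Server or chef-client is configured with; a token that matches no policy at all is the case that produces the 403 in the Summary, while a token that is allowed by one policy and denied by another shows up with both lists populated and should be traced to the denying policy rather than to the ingest policy.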
Appendix
Related Articles: N/A
Further Reading:
https://blog.chef.io/chef-automate-product-announcement-identity-and-access-management-release-2/
https://docs.chef.io/release_notes_automate/?v=20200408145843
https://docs.chef.io/automate/iam_v2_guide/
https://docs.chef.io/automate/iam_v2_guide/#member-expressions