Tuesday, November 11, 2014

Security Update: Hosted Chef [feedly]
// Chef Blog

Later today, we will be rolling out an update to Hosted Chef that may impact your future use of data bag items in cookbooks. This change will remove the Chef Client's default permissions to 'create', 'update' and 'delete' data bags in newly-created organizations.

This means that if you create an organization today and proceed to add a recipe that modifies data bag content, any converge that includes that recipe will fail with a 403.

Why Change This?

Until now, Hosted Chef has defaulted to allowing Chef Client runs on a node to create, update and delete data bag contents. This presents a security risk, in that a bad actor with access to any managed node in your organization can potentially modify data bag contents with malicious intent.

While we understand the need for client runs to update data bags in some cases, we hope to increase awareness of the potential risk by requiring customers to explicitly enable this ability for their new organization(s).

We are not modifying existing organizations in order to prevent any impact to customers who are following this usage pattern.

What Do I Need To Do?

  • If you do not use recipes that modify data bags, you do not need to take action. However, we recommend that you remove these permissions from your existing data bag default permissions and existing data bags.
  • If you currently use recipes that modify data bags, you can continue to do so in your existing organization(s) without taking any action.
  • If you will use recipes that modify data bags in organizations you create on or after Nov 10, 2014, you will need to modify default data bag ACLs of any new organizations you create that will use those recipes.
  • In order to make any change to ACLs (as detailed below) administrative permissions are required.

Disable Chef Client C/U/D on new data bags

Using knife edit

Follow these steps to disable Create/Update/Delete of data bags by the Chef Client in your existing organizations.

knife edit /acls/containers/data.json

Under the sections create, update, and delete, remove clients from the groups list, then save the file and close the editor.

Here is an example of an edited ACL document with only Read permissions enabled for clients, disabling Create, Update, and Delete. Note that this may differ for your organization if you have previously customized ACLs:

{
  "create": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "users" ]
  },
  "read": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "clients", "users" ]
  },
  "update": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "users" ]
  },
  "delete": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "users" ]
  },
  "grant": {
    "actors": [ "pivotal" ],
    "groups": [ "admins" ]
  }
}

Using knife-acl plugin

You can install the knife-acl plugin via gem install knife-acl, then modify ACLs as follows:

knife acl remove containers data update group clients
knife acl remove containers data delete group clients
knife acl remove containers data create group clients

Enable Chef Client C/U/D on new data bags

Follow these steps to enable Create/Update/Delete of data bags by the Chef Client in any organizations created on or after Nov 10, 2014.

Using knife edit

knife edit /acls/containers/data.json

Under the section update, add clients to the groups list, then save the file and close the editor.

If you have cookbooks that create or delete data bags or data bag items, you will also need to add clients to the groups list of both create and delete.

Here is an example of an edited ACL document with Create, Update, and Delete permissions enabled for clients. Note that this may differ for your organization if you have previously customized ACLs:

{
  "create": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "clients", "users" ]
  },
  "read": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "clients", "users" ]
  },
  "update": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "clients", "users" ]
  },
  "delete": {
    "actors": [ "pivotal" ],
    "groups": [ "admins", "clients", "users" ]
  },
  "grant": {
    "actors": [ "pivotal" ],
    "groups": [ "admins" ]
  }
}

Using knife-acl plugin

knife acl add containers data update group clients

If you have cookbooks that are creating or deleting data bags or data bag items, you will also need to add 'create' and 'delete' permissions respectively:

knife acl add containers data create group clients
knife acl add containers data delete group clients

Using manage.opscode.com

At this time, manage.opscode.com only supports removing the 'create' and 'read' privileges. Because of this, the necessary controls to enable/disable update and delete are not available.

Enabling/disabling C/U/D access on existing data bags

The changes above will modify the default permissions applied to any new data bags.

If you wish to modify all existing data bags, the following bash snippet gives an example using the knife-acl plugin:

for bag in $(knife data bag list); do
  echo "Updating permissions on $bag."
  knife acl remove data "$bag" update group clients
  knife acl remove data "$bag" delete group clients
  knife acl remove data "$bag" create group clients
done

You can find the full gist here.

Other Options

Note that Chef Server's RBAC controls allow you more fine-grained control than globally enabling/disabling these activities. For example, you could create a group named privileged-clients, set that group up with the necessary CRUD access to the data container, and add only those clients that require this access to it.

In this way, you could support a default behavior of disallowing updates from clients, while still permitting some clients access to do so. You can further extend this to only permit updates to specific data bags.
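As an added example (not code from the Chef blog or from the knife-acl plugin), the Ruby below audits a data-container ACL document in the shape shown above and produces the hardened form: the clients group is dropped from create/update/delete while read and grant are left alone, and an optional replacement group (the privileged-clients pattern from this section) is granted in its place. The ACL document is constructed inline; in practice you would feed it the output of knife edit or knife acl show.

```ruby
require 'json'

# Constructed sample: the permissive default ACL on the data container, in the
# same shape as the knife edit document shown earlier on this page.
PERMISSIVE_DATA_ACL = <<~JSON
  {
    "create": { "actors": ["pivotal"], "groups": ["admins", "clients", "users"] },
    "read":   { "actors": ["pivotal"], "groups": ["admins", "clients", "users"] },
    "update": { "actors": ["pivotal"], "groups": ["admins", "clients", "users"] },
    "delete": { "actors": ["pivotal"], "groups": ["admins", "clients", "users"] },
    "grant":  { "actors": ["pivotal"], "groups": ["admins"] }
  }
JSON

# The three permissions the Hosted Chef change removes from clients by default.
CUD = %w[create update delete].freeze

# Returns the subset of create/update/delete that `group` holds on this ACL.
# An empty array means the group is read-only (or has nothing) on the container.
def cud_granted_to(acl_json, group = 'clients')
  acl = JSON.parse(acl_json)
  CUD.select { |perm| acl.fetch(perm).fetch('groups').include?(group) }
end

# Returns a new ACL document (pretty-printed JSON) with `remove` taken out of
# create/update/delete and, if given, `allow` added to each of them instead.
# read and grant are not touched, so clients keep read and admins keep grant.
def harden_acl(acl_json, remove: 'clients', allow: nil)
  acl = JSON.parse(acl_json)
  CUD.each do |perm|
    groups = acl.fetch(perm).fetch('groups')
    groups.delete(remove)
    groups << allow if allow && !groups.include?(allow)
  end
  JSON.pretty_generate(acl)
end

if __FILE__ == $PROGRAM_NAME
  puts "clients currently hold: #{cud_granted_to(PERMISSIVE_DATA_ACL).join(', ')}"
  puts harden_acl(PERMISSIVE_DATA_ACL, allow: 'privileged-clients')
end
```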

Chef Server Impacts

  • This change will be made the default behavior beginning in Chef Server 12 RC6.
  • This behavior is the existing default in OSC 11.
  • This behavior will not be changed at this time in Enterprise Chef 11.
  • This behavior will not be changed in Private Chef 1.4.
