I have installed open-source chef-server (11.x). I am a newbie with chef. I can see that there are users with passwords and pub/priv keys (usually the knife users (@workstations)). There are also clients (chef-validator, nodes...) with pub/priv keys.
When I do knife configuration --initial it uses the admin username and priv key to create a new workstation user, for example johnnym. So the admin user with its key is powerful enough to create user, node, client, ...etc.
But when I knife bootstrap ${FQDN} it requires a client with admin privileges (chef-validator) to be able to authn/authz to the chef-server and register a new node/client.
My question is: Why do we separate client and user if they can accomplish the same tasks?
In the context of OSS Chef, as is your case, a user also works as a client, with the added ability to use the Web UI via a username/password combination.
What you're missing is the validator client key.
The validator is a special client that has one purpose only: to allow nodes to register themselves as clients on the Chef server. It's used from inside the node on the first Chef run. Once the node is registered, it's good practice to delete the validator key from the node.
When you run knife bootstrap it copies the key from your workstation to the node via SSH prior to running chef-client. The problem you're facing is probably either because you don't have the validator key on the workstation, or because knife is unable to find it (check your knife.rb file to see where it expects to find the key).
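The "check your knife.rb" step above, as an added example that is not part of the original answer or of Chef itself: a small Ruby script that evaluates a knife.rb the way knife does (bare setting calls, File.dirname(__FILE__) for the workstation directory) and reports which configured key files (client_key, validation_key) are absent on disk. KnifeSettings is a stand-in for Chef::Config, and the knife.rb content, paths and client names are constructed for the demo.

```ruby
require "tmpdir"

# Stand-in for Chef::Config (added example, not Chef's own class): knife.rb
# calls each setting as a bare method, e.g. `validation_key "/path/to.pem"`.
class KnifeSettings
  attr_reader :settings
  def initialize
    @settings = {}
  end

  def method_missing(name, *args)
    args.empty? ? @settings[name] : (@settings[name] = args.first)
  end

  def respond_to_missing?(*_args)
    true
  end
end

# Evaluate knife.rb and return the key paths knife will look for, made absolute
# relative to the knife.rb directory (knife.rb files commonly use __FILE__).
def load_knife_keys(knife_rb_path)
  cfg = KnifeSettings.new
  base = File.dirname(knife_rb_path)
  cfg.instance_eval(File.read(knife_rb_path), knife_rb_path) # sets __FILE__ for the DSL
  {
    client_key: cfg.settings[:client_key] && File.expand_path(cfg.settings[:client_key], base),
    validation_key: cfg.settings[:validation_key] && File.expand_path(cfg.settings[:validation_key], base),
    validation_client_name: cfg.settings[:validation_client_name],
  }
end

# Keys that knife.rb references but that do not exist on the workstation:
# a missing validation_key is the usual reason `knife bootstrap` fails to register the node.
def missing_keys(knife_rb_path)
  keys = load_knife_keys(knife_rb_path)
  %i[client_key validation_key].reject { |k| keys[k] && File.file?(keys[k]) }
                               .to_h { |k| [k, keys[k]] }
end

# Constructed knife.rb for the demo; the user key exists, the validator key does not.
CONSTRUCTED_KNIFE_RB = <<~'RB'
  current_dir = File.dirname(__FILE__)
  node_name                "johnnym"
  client_key               "#{current_dir}/johnnym.pem"
  validation_client_name   "chef-validator"
  validation_key           "#{current_dir}/chef-validator.pem"
  chef_server_url          "https://chef.example.internal/"
RB

def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "knife.rb")
    File.write(path, CONSTRUCTED_KNIFE_RB)
    File.write(File.join(dir, "johnnym.pem"), "constructed placeholder, not a real key\n")
    missing_keys(path) # => only :validation_key is reported missing
  end
end
```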