eheydrick / aws-cleaner

Tool to remove nodes from Chef and Sensu when they are terminated in EC2

Document minimum permissions for chef client it uses

majormoses opened this issue · comments

We should document what are the min privileges for the client to need in order to function. Looking at the docs: https://docs.chef.io/auth.html it seems like read and delete are what is needed. I will confirm and update here my findings.

Here is an example of not having enough privileges:

    Got 1 messages
    Looking at message number 0
    Failed to remove chef node: The Chef Server actively refused to fulfill the request.

    {"error":["missing read permission"]}
    Removed ip-10-38-140-185.us-west-2.compute.internal from Sensu

It would be great to document that. I created a chef user 'awscleaner' and put it in the users group. By default members of the users group have create, update, delete, grant permissions. At a minimum you need read and delete permissions on nodes and clients.

Cool that's what I was gonna try. I can pr some doc on that when I get that
set up after lunch.

Please excuse brevity on mobile,
Ben Abrams

On Oct 7, 2016 12:43 PM, "Eric Heydrick" notifications@github.com wrote:

It would be great to document that. I created a chef user 'awscleaner' and
put it in the users group. By default members of the users group have
create, update, delete, grant permissions. At a minimum you need read and
delete permissions on nodes and clients.

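A least-privilege check for the permissions discussed in this thread, as an added example that is not part of the issue or of aws-cleaner's code. It audits an object ACL in the shape Chef Server returns for an `_acl` request against the read and delete minimum; the sample ACL, the group membership and the `admins` member are constructed, and nested groups are assumed not to be in use.

```ruby
require 'json'

# Permissions the thread says the cleaner's Chef identity needs on nodes and clients.
REQUIRED = %w[read delete].freeze
ALL_PERMS = %w[create read update delete grant].freeze

# Constructed sample ACL: each permission lists the actors and groups holding it.
# It mirrors the situation in the thread: the users group has everything but read.
SAMPLE_ACL = JSON.parse(<<~JSON)
  {
    "create": {"actors": [], "groups": ["admins", "users"]},
    "read":   {"actors": [], "groups": ["admins"]},
    "update": {"actors": [], "groups": ["admins", "users"]},
    "delete": {"actors": [], "groups": ["admins", "users"]},
    "grant":  {"actors": [], "groups": ["admins", "users"]}
  }
JSON

# Constructed group membership; 'awscleaner' is the user named in the thread.
SAMPLE_GROUPS = { 'users' => ['awscleaner'], 'admins' => ['alice'] }.freeze

# Returns the permissions `actor` holds, directly or through a listed group.
def effective_perms(acl, groups, actor)
  ALL_PERMS.select do |perm|
    ace = acl.fetch(perm, {})
    direct = ace.fetch('actors', []).include?(actor)
    via_group = ace.fetch('groups', []).any? { |g| groups.fetch(g, []).include?(actor) }
    direct || via_group
  end
end

# Compares held permissions with the read+delete minimum.
# :missing breaks node removal; :excess is privilege the cleaner does not need.
def audit(acl, groups, actor)
  held = effective_perms(acl, groups, actor)
  { missing: REQUIRED - held, excess: held - REQUIRED }
end

puts audit(SAMPLE_ACL, SAMPLE_GROUPS, 'awscleaner') if __FILE__ == $PROGRAM_NAME
```

A non-empty `:missing` corresponds to the "missing read permission" failure shown in the issue, while `:excess` lists grants that could be dropped for a dedicated cleaner identity.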