This repository was archived by the owner on Jul 14, 2021. It is now read-only.

chef generate cookbook should not require elevated privileges on Windows #109

Closed
tknerr opened this issue Jul 20, 2014 · 10 comments · Fixed by #134

@tknerr
Contributor

tknerr commented Jul 20, 2014

Just tried chef cookbook generate foo on my Win7 laptop with ChefDK 0.2.0, but it failed with this error:

D:\Repos\_github\vagrant-chef-excercises\10-chef-solo-with-vagrant\solution>chef generate cookbook foo
Compiling Cookbooks...
Recipe: code_generator::cookbook
  * directory[D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo] action create
    - create new directory D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo
  * template[D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb] action create
    - create new file D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb
    ================================================================================
    Error executing action `create` on resource 'template[D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb]'
    ================================================================================

    Chef::Exceptions::WindowsNotAdmin
    ---------------------------------
    can not get the security information for 'D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb' due to missing Administrator privileges.

    Resource Declaration:
    ---------------------
    # In W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/skeletons/code_generator/recipes/cookbook.rb

      9: template "#{cookbook_dir}/metadata.rb" do
     10:   helpers(ChefDK::Generator::TemplateHelper)
     11: end
     12:

    Compiled Resource:
    ------------------
    # Declared in W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/skeletons/code_generator/recipes/cookbook.rb:9:in `from_file'

    template("D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb") do
      provider Chef::Provider::Template
      action "create"
      retries 0
      retry_delay 2
      guard_interpreter :default
      path "D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb"
      backup 5
      atomic_update true
      source "metadata.rb.erb"
      helper_modules [ChefDK::Generator::TemplateHelper]
      cookbook_name :code_generator
      recipe_name "cookbook"
    end

    Missing Windows Admin Privileges
    --------------------------------
    chef-client doesn't have administrator privileges. This can be a possible reason for the resource failure.

W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/file_content_management/deploy/mv_windows.rb:63:in `rescue in deploy': template[D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb] (code_generator::cookbook line 9) had an error: Chef::Exceptions::WindowsNotAdmin: can not get the security information for 'D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo/metadata.rb' due to missing Administrator privileges. (Chef::Exceptions::WindowsNotAdmin)
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/file_content_management/deploy/mv_windows.rb:56:in `deploy'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:341:in `update_file_contents'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:372:in `block in do_contents_changes'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/mixin/why_run.rb:52:in `call'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/mixin/why_run.rb:52:in `add_action'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider.rb:156:in `converge_by'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:371:in `do_contents_changes'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:121:in `action_create'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider.rb:121:in `run_action'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource.rb:648:in `run_action'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:49:in `run_action'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:81:in `block (2 levels) in converge'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:81:in `each'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:81:in `block in converge'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection.rb:98:in `block in execute_each_resource'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection.rb:96:in `execute_each_resource'
        from W:/tools/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:80:in `converge'
        from W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/chef_runner.rb:36:in `converge'
        from W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/command/generator_commands.rb:207:in `run'
        from W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/command/generate.rb:71:in `run'
        from W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/command/base.rb:57:in `run_with_default_options'
        from W:/tools/chefdk/embedded/apps/chef-dk/lib/chef-dk/cli.rb:66:in `run'
        from W:/tools/chefdk/embedded/apps/chef-dk/bin/chef:25:in `<top (required)>'
        from W:/tools/chefdk/bin/chef:52:in `load'
        from W:/tools/chefdk/bin/chef:52:in `<main>'

IMHO generating a cookbook should not require admin privileges.

@sersut

sersut commented Jul 21, 2014

Hrmmm.. We might be surfacing a wrong error here @tknerr. Here we are catching all the win32 API errors and surfacing a missing Administrator privileges error. This will not be correct for all the cases.

Can you share the output of icacls for D:/Repos/_github/vagrant-chef-excercises/10-chef-solo-with-vagrant/solution/foo? Also does it run when you have administrator privileges?

@sersut

sersut commented Jul 21, 2014

/cc: @adamedx

@smiskiewicz

I have this problem too. Here is my output from what was requested.

C:\Dev>chef generate cookbook chefdkTest
Compiling Cookbooks...
Recipe: code_generator::cookbook
  * directory[C:/Dev/chefdkTest] action create
  - create new directory C:/Dev/chefdkTest
  * template[C:/Dev/chefdkTest/metadata.rb] action create
  - create new file C:/Dev/chefdkTest/metadata.rb
    ================================================================================
    Error executing action `create` on resource 'template[C:/Dev/chefdkTest/metadata.rb]'
    ================================================================================

    Chef::Exceptions::WindowsNotAdmin
    ---------------------------------
    can not get the security information for 'C:/Dev/chefdkTest/metadata.rb' due to missing Administrator privileges.

    Resource Declaration:
    ---------------------
    # In c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/skeletons/code_generator/recipes/cookbook.rb

      9: template "#{cookbook_dir}/metadata.rb" do
     10:   helpers(ChefDK::Generator::TemplateHelper)
     11: end
     12:

    Compiled Resource:
    ------------------
    # Declared in c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/skeletons/code_generator/recipes/cookbook.rb:9:in `from_file'

    template("C:/Dev/chefdkTest/metadata.rb") do
      provider Chef::Provider::Template
      action "create"
      retries 0
      retry_delay 2
      guard_interpreter :default
      path "C:/Dev/chefdkTest/metadata.rb"
      backup 5
      atomic_update true
      source "metadata.rb.erb"
      helper_modules [ChefDK::Generator::TemplateHelper]
      cookbook_name :code_generator
      recipe_name "cookbook"
    end

    Missing Windows Admin Privileges
    --------------------------------
    chef-client doesn't have administrator privileges. This can be a possible reason for the resource failure.

C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/file_content_management/deploy/mv_windows.rb:63:in `rescue in deploy': template[C:/Dev/chefdkTest/metadata.rb] (code_generator::cookbook line 9) had an error: Chef::Exceptions::WindowsNotAdmin: can not get the security information for 'C:/Dev/chefdkTest/metadata.rb' d
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/file_content_management/deploy/mv_windows.rb:56:in `deploy'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:341:in `update_file_contents'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:372:in `block in do_contents_changes'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/mixin/why_run.rb:52:in `call'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/mixin/why_run.rb:52:in `add_action'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider.rb:156:in `converge_by'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:371:in `do_contents_changes'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider/file.rb:121:in `action_create'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/provider.rb:121:in `run_action'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource.rb:648:in `run_action'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:49:in `run_action'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:81:in `block (2 levels) in converge'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:81:in `each'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:81:in `block in converge'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection.rb:98:in `block in execute_each_resource'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/resource_collection.rb:96:in `execute_each_resource'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/chef-11.14.0.rc.2-x86-mingw32/lib/chef/runner.rb:80:in `converge'
        from c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/chef_runner.rb:36:in `converge'
        from c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/command/generator_commands.rb:207:in `run'
        from c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/command/generate.rb:71:in `run'
        from c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/command/base.rb:57:in `run_with_default_options'
        from c:/opscode/chefdk/embedded/apps/chef-dk/lib/chef-dk/cli.rb:66:in `run'
        from c:/opscode/chefdk/embedded/apps/chef-dk/bin/chef:25:in `<top (required)>'
        from C:/opscode/chefdk/bin/chef:52:in `load'
        from C:/opscode/chefdk/bin/chef:52:in `<main>'

C:\Dev>icacls c:\Dev\chefdkTest
c:\Dev\chefdkTest BUILTIN\Administrators:(I)(F)
                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                  BUILTIN\Users:(I)(OI)(CI)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)
                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

Running as administrator is successful. This is fine for me at home. At work I'm not sure if that would be an option...

@jasonberanek

@sersut error seems appropriate looking at the code you referenced. If you look at the definition of the dst_so.security_descriptor(true) here, you'll see that the true in the original call means the function attempts to elevate privileges to retrieve the SACL (not just the DACL). Per the documentation I can find, these privileges, SeSecurityPrivilege, require a user account to have the Manage Auditing and Security Log right, which appears to normally be reserved to the Administrator account or elevated privilege mode on Windows. (see http://technet.microsoft.com/en-us/library/cc957161.aspx).

Assuming chef-client or chef-apply aren't expected to run or apply templates when not running as Administrator, then this behavior is sane for chef. If it's expected to run without those privileges, then Chef (the tool) would need to do something like call dst_so.security_descriptor(false) if the first instance results in an error, then propagate some other error if this remains.
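
The fallback suggested in the comment above, as an added Ruby example that is not part of the thread and is not Chef's code: request the full descriptor first, retry without the SACL only when the failure is the missing privilege, and re-raise anything else so it is not reported as missing Administrator privileges. `FakeSecurableObject`, `Win32Error` and `read_descriptor_least_privilege` are hypothetical stand-ins; only the `security_descriptor(true/false)` call shape comes from the discussion, and the mapping of a SACL read without SeSecurityPrivilege to error 1314 is an assumption of the model.

```ruby
# Added illustration with stand-in classes; runs on any platform.
ERROR_ACCESS_DENIED      = 5     # Win32: caller has no access to the object
ERROR_PRIVILEGE_NOT_HELD = 1314  # Win32: a required privilege is not held

class Win32Error < StandardError
  attr_reader :code

  def initialize(code, msg)
    super(msg)
    @code = code
  end
end

# Hypothetical model of a file's security object. Reading the SACL is
# modelled as needing SeSecurityPrivilege in the caller's token; reading
# owner and DACL only needs ordinary read access to the descriptor.
class FakeSecurableObject
  def initialize(token_privileges:, read_control: true)
    @privs = token_privileges
    @read_control = read_control
  end

  def security_descriptor(include_sacl)
    raise Win32Error.new(ERROR_ACCESS_DENIED, "no read access") unless @read_control
    if include_sacl && !@privs.include?("SeSecurityPrivilege")
      raise Win32Error.new(ERROR_PRIVILEGE_NOT_HELD, "SeSecurityPrivilege not held")
    end
    # Constructed sample values, not real SIDs or ACEs.
    parts = { owner: "S-1-5-21-constructed", dacl: ["Authenticated Users:(I)(M)"] }
    parts[:sacl] = ["constructed audit entry"] if include_sacl
    parts
  end
end

# Full descriptor when the token allows it, DACL-only otherwise. The caller
# learns whether audit entries were preserved and can log or warn about it.
def read_descriptor_least_privilege(obj)
  { descriptor: obj.security_descriptor(true), sacl_preserved: true }
rescue Win32Error => e
  raise unless e.code == ERROR_PRIVILEGE_NOT_HELD
  { descriptor: obj.security_descriptor(false), sacl_preserved: false }
end

if __FILE__ == $0
  regular  = FakeSecurableObject.new(token_privileges: [])
  elevated = FakeSecurableObject.new(token_privileges: ["SeSecurityPrivilege"])
  puts read_descriptor_least_privilege(regular).inspect
  puts read_descriptor_least_privilege(elevated).inspect
end
```

The `sacl_preserved` flag matters for the atomic-update case discussed here: a file replaced after a DACL-only read loses any audit entries it carried, which a tool run by a regular user can accept but should report.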

@tknerr
Contributor Author

tknerr commented Jul 23, 2014

@sersut @jasonberanek no clue about the windows ACLs, but this is what icacls shows:

D:\Repos\_slides\ChefVagrantWorkshop\Excercises\10-chef-solo-with-vagrant\solution\foo>icacls .
. BUILTIN\Administrators:(I)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
  BUILTIN\Users:(I)(RX)
  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

@jasonberanek

@sersut confirmed the behavior described and error message on Windows 7 (attached to corporate network) and Windows 8 (default installation in a VM) environments. Default settings for "User Access Policy", which enforces explicit acknowledgement when elevating privileges to execute protected actions, result in the command failing by default for any user other than Administrator. Users in the Administrators group have to open their console application (e.g., cmd.exe) as Administrator in order to avoid the errors. This requires finding the console application in the start menu, and knowing that you can Shift-Right Click to select running that application as Administrator.

I personally don't have a push to get this fixed, just trying to provide information. Understand that addressing this requires either modifying the way the chef command works, or updating the chef project's Windows file handling code (which may not make sense for that project).

@ThomWright

I also experienced this issue. Even chef verify fails unless running in an administrator command prompt.

If this is going to take a while to fix, would it be possible to:

  1. clearly document the need for administrator rights, and
  2. improve the error message to succinctly explain the problem and how to fix it. Currently the relevant information is buried.

I assume these changes are easier to make than the fix, and would definitely make the experience more 'delightful' in the meantime :)

@btm
Contributor

btm commented Aug 13, 2014

I'm looking into fixing the underlying way that we access the files, but the error message seems pretty good to me in the interim:

Missing Windows Admin Privileges
    --------------------------------
    chef-client doesn't have administrator privileges. This can be a possible reason for the resource failure.

@jasonberanek

@btm As @ThomWright said, I'd recommend something in the Chef-DK documentation that specifies this as a known issue. When I first went to test this, I didn't expect the chef command to use chef-client to generate text files, and I don't think it would be clear what is going on for a novice user downloading and using the Windows distribution of Chef-DK for the first time.

@btm
Contributor

btm commented Aug 13, 2014

# reproduces the error with chef-apply sans administrator permissions
template "templates\\regular" do
  source "template.erb"
  local true
end

# works
template "templates\\atomic" do
  source "template.erb"
  local true
  atomic_update false
end

btm added a commit that referenced this issue Aug 13, 2014
Utilizing atomic file updates (via Chef, e.g. templates) means needing
Administrator permissions to read the SACL from files. While we expect
chef-client to be run as Administrator or with equivalent permissions, we
expect chef-dk (chef) to be run as a regular user. Even when logged in as
an Administrator, you need to be running your shell with elevated
privileges for atomic file updates to work.

Fixes #109.
@btm btm closed this as completed in #134 Aug 15, 2014
ksubrama pushed a commit that referenced this issue Jan 11, 2016
installp command on AIX needs an additional parameter
@chef-boneyard chef-boneyard locked and limited conversation to collaborators Feb 14, 2018