knife-acl 1.0.3 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7b20c4e70c404b3dfdc0238406b653168047c862
-  data.tar.gz: 34507d1236c7c0027dc4a774aa252ba0e3f4f34a
+SHA256:
+  metadata.gz: e4f68cadaee047256abe5aee79be1d498308446f3cd12df183c86729aee34658
+  data.tar.gz: 8dad7041ab472cc69b3f631837738806a9166cd606626e094bd0f0c910bdd209
 SHA512:
-  metadata.gz: 0135c44d7e10b6f1614f3f7f00d0dd711f97707ce6f1b69eed057ad7f50e60c4dc5e1e288903ad8e44f060d8660224c58d7e9ab908d0060be0b03be4de524f52
-  data.tar.gz: b77b9b865d6291356250578edb2c0899d1c57160c3ccab25322dcb6266eea45a030a317fd7961df6770bef2867e77aa47abf6f9e15ebdcc58b8b75eeda9bf984
+  metadata.gz: 4d1b1e3fe36d8e5dad61679f3e7843cce5d834e5fbed4d5b232b927fc467fd8e072e9c843535044c581286f44f8ef5404f4e23554882281ebf5fe7baa43064ee
+  data.tar.gz: aae13368d33a38e9b3806ae9f60b1dcf67be8bb1d728ea9398573cd3b73252d2004a9d0a0a3ba9c9a0976f152d1bd5c331d0f9a97ad180eeb42b1614e4b411c8

data/lib/chef/knife/acl_add.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -36,7 +36,7 @@ module OpscodeAcl
         exit 1
       end
 
-      unless %w(client group).include?(member_type)
+      unless %w{client group}.include?(member_type)
         ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL."
         ui.fatal "       See the knife-acl README for more information."
         exit 1

data/lib/chef/knife/acl_base.rb

@@ -20,28 +20,28 @@
 module OpscodeAcl
   module AclBase
 
-    PERM_TYPES = %w(create read update delete grant) unless defined? PERM_TYPES
-    MEMBER_TYPES = %w(client group user) unless defined? MEMBER_TYPES
-    OBJECT_TYPES = %w(clients containers cookbooks data environments groups nodes roles policies policy_groups) unless defined? OBJECT_TYPES
-    OBJECT_NAME_SPEC = /^[\-[:alnum:]_\.]+$/ unless defined? OBJECT_NAME_SPEC
+    PERM_TYPES = %w{create read update delete grant}.freeze unless defined? PERM_TYPES
+    MEMBER_TYPES = %w{client group user}.freeze unless defined? MEMBER_TYPES
+    OBJECT_TYPES = %w{clients containers cookbooks data environments groups nodes roles policies policy_groups}.freeze unless defined? OBJECT_TYPES
+    OBJECT_NAME_SPEC = /^[\-[:alnum:]_\.]+$/.freeze unless defined? OBJECT_NAME_SPEC
 
     def validate_object_type!(type)
-      if ! OBJECT_TYPES.include?(type)
-        ui.fatal "Unknown object type \"#{type}\".  The following types are permitted: #{OBJECT_TYPES.join(', ')}"
+      unless OBJECT_TYPES.include?(type)
+        ui.fatal "Unknown object type \"#{type}\".  The following types are permitted: #{OBJECT_TYPES.join(", ")}"
         exit 1
       end
     end
 
     def validate_object_name!(name)
-      if ! OBJECT_NAME_SPEC.match(name)
+      unless OBJECT_NAME_SPEC.match(name)
         ui.fatal "Invalid name: #{name}"
         exit 1
       end
     end
 
     def validate_member_type!(type)
-      if ! MEMBER_TYPES.include?(type)
-        ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(', ')}"
+      unless MEMBER_TYPES.include?(type)
+        ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(", ")}"
         exit 1
       end
     end
@@ -52,24 +52,22 @@ module OpscodeAcl
     end
 
     def validate_perm_type!(perms)
-      perms.split(',').each do |perm|
-        if ! PERM_TYPES.include?(perm)
-          ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(',')}"
+      perms.split(",").each do |perm|
+        unless PERM_TYPES.include?(perm)
+          ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(",")}"
           exit 1
         end
       end
     end
 
     def validate_member_exists!(member_type, member_name)
-      begin
-        true if rest.get_rest("#{member_type}s/#{member_name}")
-      rescue NameError
-        # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client
-        true
-      rescue
-        ui.fatal "#{member_type} '#{member_name}' does not exist"
-        exit 1
-      end
+      true if rest.get_rest("#{member_type}s/#{member_name}")
+    rescue NameError
+      # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client
+      true
+    rescue
+      ui.fatal "#{member_type} '#{member_name}' does not exist"
+      exit 1
     end
 
     def is_usag?(gname)
@@ -86,7 +84,7 @@ module OpscodeAcl
 
     def add_to_acl!(member_type, member_name, object_type, object_name, perms)
       acl = get_acl(object_type, object_name)
-      perms.split(',').each do |perm|
+      perms.split(",").each do |perm|
         ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'"
         ace = acl[perm]
 
@@ -99,12 +97,14 @@ module OpscodeAcl
           # Older version of chef-server will continue to use 'actors' for a combined list
           # and expect the same in the body.
           key = "#{member_type}s"
-          key = 'actors' unless ace.has_key? key
+          key = "actors" unless ace.key? key
           next if ace[key].include?(member_name)
+
           ace[key] << member_name
         when "group"
-          next if ace['groups'].include?(member_name)
-          ace['groups'] << member_name
+          next if ace["groups"].include?(member_name)
+
+          ace["groups"] << member_name
         end
 
         update_ace!(object_type, object_name, perm, ace)
@@ -113,19 +113,21 @@ module OpscodeAcl
 
     def remove_from_acl!(member_type, member_name, object_type, object_name, perms)
       acl = get_acl(object_type, object_name)
-      perms.split(',').each do |perm|
+      perms.split(",").each do |perm|
         ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'"
         ace = acl[perm]
 
         case member_type
         when "client", "user"
           key = "#{member_type}s"
-          key = 'actors' unless ace.has_key? key
+          key = "actors" unless ace.key? key
           next unless ace[key].include?(member_name)
+
           ace[key].delete(member_name)
         when "group"
-          next unless ace['groups'].include?(member_name)
-          ace['groups'].delete(member_name)
+          next unless ace["groups"].include?(member_name)
+
+          ace["groups"].delete(member_name)
         end
 
         update_ace!(object_type, object_name, perm, ace)
@@ -140,7 +142,7 @@ module OpscodeAcl
       validate_member_exists!(member_type, member_name)
       existing_group = rest.get_rest("groups/#{group_name}")
       ui.msg "Adding '#{member_name}' to '#{group_name}' group"
-      if !existing_group["#{member_type}s"].include?(member_name)
+      unless existing_group["#{member_type}s"].include?(member_name)
         existing_group["#{member_type}s"] << member_name
         new_group = {
           "groupname" => existing_group["groupname"],
@@ -148,8 +150,8 @@ module OpscodeAcl
           "actors" => {
             "users" => existing_group["users"],
             "clients" => existing_group["clients"],
-            "groups" => existing_group["groups"]
-          }
+            "groups" => existing_group["groups"],
+          },
         }
         rest.put_rest("groups/#{group_name}", new_group)
       end
@@ -167,8 +169,8 @@ module OpscodeAcl
           "actors" => {
             "users" => existing_group["users"],
             "clients" => existing_group["clients"],
-            "groups" => existing_group["groups"]
-          }
+            "groups" => existing_group["groups"],
+          },
         }
         rest.put_rest("groups/#{group_name}", new_group)
       end

data/lib/chef/knife/acl_bulk_add.rb

@@ -22,7 +22,7 @@ module OpscodeAcl
     banner "knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -36,7 +36,7 @@ module OpscodeAcl
         exit 1
       end
 
-      unless %w(client group).include?(member_type)
+      unless %w{client group}.include?(member_type)
         ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL."
         ui.fatal "       See the knife-acl README for more information."
         exit 1
@@ -46,7 +46,7 @@ module OpscodeAcl
       validate_object_type!(object_type)
       validate_member_exists!(member_type, member_name)
 
-      if %w(containers groups).include?(object_type)
+      if %w{containers groups}.include?(object_type)
         ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
         exit 1
       end

data/lib/chef/knife/acl_bulk_remove.rb

@@ -22,7 +22,7 @@ module OpscodeAcl
     banner "knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -36,11 +36,11 @@ module OpscodeAcl
         exit 1
       end
 
-      if member_name == 'pivotal' && %w(client user).include?(member_type)
+      if member_name == "pivotal" && %w{client user}.include?(member_type)
         ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
         exit 1
       end
-      if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant')
+      if member_name == "admins" && member_type == "group" && perms.to_s.split(",").include?("grant")
         ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
         ui.fatal "       Removal could prevent future attempts to modify permissions."
         exit 1
@@ -51,7 +51,7 @@ module OpscodeAcl
       validate_object_type!(object_type)
       validate_member_exists!(member_type, member_name)
 
-      if %w(containers groups).include?(object_type)
+      if %w{containers groups}.include?(object_type)
         ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
         exit 1
       end

data/lib/chef/knife/acl_remove.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -36,11 +36,11 @@ module OpscodeAcl
         exit 1
       end
 
-      if member_name == 'pivotal' && %w(client user).include?(member_type)
+      if member_name == "pivotal" && %w{client user}.include?(member_type)
         ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
         exit 1
       end
-      if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant')
+      if member_name == "admins" && member_type == "group" && perms.to_s.split(",").include?("grant")
         ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
         ui.fatal "       Removal could prevent future attempts to modify permissions."
         exit 1

data/lib/chef/knife/acl_show.rb

@@ -22,7 +22,7 @@ module OpscodeAcl
     banner "knife acl show OBJECT_TYPE OBJECT_NAME"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -42,8 +42,8 @@ module OpscodeAcl
         # Filter out the actors field if we have
         # users and clients.  Note that if one is present,
         # both will be - but we're checking both for completeness.
-        if acl[perm].has_key?('users') && acl[perm].has_key?('clients')
-          acl[perm].delete 'actors'
+        if acl[perm].key?("users") && acl[perm].key?("clients")
+          acl[perm].delete "actors"
         end
       end
       ui.output acl

data/lib/chef/knife/group_add.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 

data/lib/chef/knife/group_create.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife group create GROUP_NAME"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -39,7 +39,7 @@ module OpscodeAcl
       validate_member_name!(group_name)
 
       ui.msg "Creating '#{group_name}' group"
-      rest.post_rest("groups", {:groupname => group_name})
+      rest.post_rest("groups", { groupname: group_name })
     end
   end
 end

data/lib/chef/knife/group_destroy.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife group destroy GROUP_NAME"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 
@@ -38,7 +38,7 @@ module OpscodeAcl
 
       validate_member_name!(group_name)
 
-      if %w(admins billing-admins clients users).include?(group_name.downcase)
+      if %w{admins billing-admins clients users}.include?(group_name.downcase)
         ui.fatal "the '#{group_name}' group is a special group that should not be destroyed"
         exit 1
       end

data/lib/chef/knife/group_list.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife group list"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 

data/lib/chef/knife/group_remove.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 

data/lib/chef/knife/group_show.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife group show GROUP_NAME"
 
     deps do
-      require 'chef/knife/acl_base'
+      require_relative "acl_base"
       include OpscodeAcl::AclBase
     end
 

data/lib/chef/knife/user_dissociate.rb

@@ -19,7 +19,7 @@
 module OpscodeAcl
   class UserDissociate < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner 'knife user dissociate USERNAMES'
+    banner "knife user dissociate USERNAMES"
 
     def run
       if name_args.length < 1
@@ -28,7 +28,7 @@ module OpscodeAcl
         exit 1
       end
       users = name_args
-      ui.confirm("Are you sure you want to dissociate the following users: #{users.join(', ')}")
+      ui.confirm("Are you sure you want to dissociate the following users: #{users.join(", ")}")
       users.each do |u|
         api_endpoint = "users/#{u}"
         rest.delete_rest(api_endpoint)

data/lib/chef/knife/user_invite_add.rb

@@ -19,10 +19,9 @@
 module OpscodeAcl
   class UserInviteAdd < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner 'knife user invite add USERNAMES'
+    banner "knife user invite add USERNAMES"
 
     def run
-
       if name_args.length < 1
         show_usage
         ui.fatal("You must specify a username.")
@@ -32,7 +31,7 @@ module OpscodeAcl
       users = name_args
       api_endpoint = "association_requests/"
       users.each do |u|
-        body = {:user => u}
+        body = { user: u }
         rest.post_rest(api_endpoint, body)
       end
     end

data/lib/chef/knife/user_invite_list.rb

@@ -19,11 +19,11 @@
 module OpscodeAcl
   class UserInviteList < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner 'knife user invite list'
+    banner "knife user invite list"
 
     def run
       api_endpoint = "association_requests/"
-      invited_users = rest.get_rest(api_endpoint).map { |i| i['username'] }
+      invited_users = rest.get_rest(api_endpoint).map { |i| i["username"] }
       ui.output(invited_users)
     end
   end

data/lib/chef/knife/user_invite_recind.rb

@@ -18,16 +18,16 @@
 
 module OpscodeAcl
   class UserInviteRecind < Chef::Knife
-    banner 'knife user invite recind [USERNAMES] (options)'
+    banner "knife user invite recind [USERNAMES] (options)"
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
 
     option :all,
-    :short => "-a",
-    :long => "--all",
-    :description => "Recind all invites!"
+      short: "-a",
+      long: "--all",
+      description: "Recind all invites!"
 
     def run
-      if name_args.length < 1 and ! config.has_key?(:all)
+      if (name_args.length < 1) && ! config.key?(:all)
         show_usage
         ui.fatal("You must specify a username.")
         exit 1
@@ -35,18 +35,18 @@ module OpscodeAcl
 
       # To recind we need to send a DELETE to association_requests/INVITE_ID
       # For user friendliness we look up the invite ID based on username.
-      @invites = Hash.new
+      @invites = {}
       usernames = name_args
-      rest.get_rest("association_requests").each { |i| @invites[i['username']] = i['id'] }
+      rest.get_rest("association_requests").each { |i| @invites[i["username"]] = i["id"] }
       if config[:all]
         ui.confirm("Are you sure you want to recind all association requests")
-        @invites.each do |u,i|
+        @invites.each do |u, i|
           rest.delete_rest("association_requests/#{i}")
         end
       else
-        ui.confirm("Are you sure you want to recind the association requests for: #{usernames.join(', ')}")
+        ui.confirm("Are you sure you want to recind the association requests for: #{usernames.join(", ")}")
         usernames.each do |u|
-          if @invites.has_key?(u)
+          if @invites.key?(u)
             rest.delete_rest("association_requests/#{@invites[u]}")
           else
             ui.fatal("No association request for #{u}.")

data/lib/chef/knife/user_list.rb

@@ -23,7 +23,7 @@ module OpscodeAcl
     banner "knife user list"
 
     deps do
-      require 'pp'
+      require "pp"
     end
 
     def run
@@ -32,4 +32,3 @@ module OpscodeAcl
     end
   end
 end
-

data/lib/chef/knife/user_show.rb

@@ -19,16 +19,16 @@
 module OpscodeAcl
   class UserShow < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner 'knife user show [USERNAME]'
+    banner "knife user show [USERNAME]"
 
     # ui.format_for_display has logic to handle displaying
     # any attributes set in the config[:attribute] Array.
     attrs_to_show = []
     option :attribute,
-    :short => "-a [ATTR]",
-    :long => "--attribute [ATTR]",
-    :proc => lambda {|val| attrs_to_show << val},
-    :description => "Show attribute ATTR. Use multiple times to show multiple attributes."
+      short: "-a [ATTR]",
+      long: "--attribute [ATTR]",
+      proc: lambda { |val| attrs_to_show << val },
+      description: "Show attribute ATTR. Use multiple times to show multiple attributes."
 
     def run
       if name_args.length < 1

data/lib/knife-acl/version.rb

@@ -1,3 +1,3 @@
 module KnifeACL
-  VERSION = "1.0.3"
+  VERSION = "1.0.6".freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: knife-acl
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.6
 platform: ruby
 authors:
 - Seth Falcon
@@ -9,18 +9,16 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-01 00:00:00.000000000 Z
+date: 2019-12-30 00:00:00.000000000 Z
 dependencies: []
 description: Knife plugin to manupulate Chef server access control lists
 email: support@chef.io
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - LICENSE
 files:
 - LICENSE
-- README.md
 - lib/chef/knife/acl_add.rb
 - lib/chef/knife/acl_base.rb
 - lib/chef/knife/acl_bulk_add.rb
@@ -58,8 +56,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Knife plugin to manupulate Chef server access control lists

data/README.md

@@ -1,463 +0,0 @@
-# knife-acl
-
-## Description
-
-This is a Chef Software, Inc.-supported knife plugin which provides some user/group
-ACL operations for Chef server.
-
-All commands assume a working knife configuration for an admin user of a Chef organization.
-
-Reference:
-
-1. [Chef Server Permissions PDF](https://github.com/chef/chef-server/blob/master/doc/ChefServerPermissions_v1.3.pdf)
-2. [Chef Server Permissions Docs](https://docs.chef.io/server/server_orgs.html#permissions)
-3. [Chef Server Groups Docs](https://docs.chef.io/server/server_orgs.html#groups)
-
-### Installation
-
-Install into [Chef DK](https://downloads.chef.io/chef-dk/).
-
-    chef gem install knife-acl
-
-### _Warning about Users group_
-
-The "Users" group is a special group and should not be managed with knife-acl.
-As such, knife-acl will give an error if either `knife acl group add user users USER`
-or `knife acl group remove user users USER` are run.
-
-### Chef Server Roles Based Access Control (RBAC) Summary
-
-In the context of the Chef Server's API a container is just the API endpoint used
-when creating a new object of a particular object type.
-
-For example, the container for creating client objects is called `clients` and
-the container for creating node objects is called `nodes`.
-
-Two containers are used when creating (uploading) cookbooks.
-The `cookbooks` and `sandboxes` containers.
-
-Here is a full list of the containers in a Chef Server.
-
-- clients
-- cookbooks
-- data
-- environments
-- groups
-- nodes
-- policies
-- policy_groups
-- roles
-- sandboxes
-
-The permissions assigned to a container are inherited by the objects
-that the container creates. When a permission is changed on a container
-that change will only affect new objects. The change does not propagate to
-existing objects.
-
-For reference and restoral purposes the
-[Default Permissions for Containers](#default-permissions-for-containers) section
-of this document contains `knife-acl` commands that will set the default
-permissions for the admins, clients and users groups on all containers.
-These can be helpful if you need to restore container permissions back to their
-default values.
-
-#### Permissions Management Best Practice
-
-The best practice for managing permissions is to only add clients and groups to an objects' permissions.
-
-Adding a user to an objects' permissions is possible by first adding the group to the permissions and
-then adding the user to the group. This is much easier to maintain when compared to adding
-individual users to each objects' permissions.
-
-To enforce this the `knife acl add` and `knife acl bulk add` commands can only add a client or a group
-to an objects' permissions.
-
-If a group ever needs to be removed from the permissions of all objects the group can simply
-be deleted.
-
-#### Setup Default Read-Only Access for Non-admin Users
-
-The "Users" group by default provides regular (non-admin) users a lot of access to modify objects in
-the Chef Server.
-
-Removing the "Users" group from the "create", "update", "delete" and "grant" Access Control Entries (ACEs)
-of all objects and containers will create a default read-only access for non-admin users.
-
-To completely prevent non-admin users from accessing all objects and containers then also remove the
-"Users" group from the "read" ACE.
-
-Admin users will still have default admin access to all objects and containers.
-
-**NOTE:** Please note that currently the Chef Manage web UI will appear to allow read-only users to edit
-some objects. However, the changes are not actually saved and they disappear when the read-only
-user refreshes the page.
-
-```
-knife acl remove group users containers clients create,update,delete,grant
-knife acl bulk remove group users clients '.*' create,update,delete,grant
-
-
-knife acl remove group users containers sandboxes create,update,delete,grant
-knife acl remove group users containers cookbooks create,update,delete,grant
-knife acl bulk remove group users cookbooks '.*' create,update,delete,grant
-
-
-knife acl remove group users containers data create,update,delete,grant
-knife acl bulk remove group users data '.*' create,update,delete,grant
-
-
-knife acl remove group users containers environments create,update,delete,grant
-knife acl bulk remove group users environments '.*' create,update,delete,grant
-
-
-knife acl remove group users containers nodes create,update,delete,grant
-knife acl bulk remove group users nodes '.*' create,update,delete,grant
-
-
-knife acl remove group users containers policies create,update,delete,grant
-knife acl bulk remove group users policies '.*' create,update,delete,grant
-
-
-knife acl remove group users containers policy_groups create,update,delete,grant
-knife acl bulk remove group users policy_groups '.*' create,update,delete,grant
-
-
-knife acl remove group users containers roles create,update,delete,grant
-knife acl bulk remove group users roles '.*' create,update,delete,grant
-```
-
-#### Selectively Allow Access
-
-You can also create a new group and manage its members with knife-acl or the Manage web interface.
-
-Then add this group to the ACEs of all appropriate containers and/or objects according to your requirements.
-
-#### Create read-only group with read only access
-
-The following set of commands creates a group named `read-only` and
-gives it `read` access on all objects.
-
-```
-knife group create read-only
-
-
-knife acl add group read-only containers clients read
-knife acl bulk add group read-only clients '.*' read
-
-
-knife acl add group read-only containers sandboxes read
-knife acl add group read-only containers cookbooks read
-knife acl bulk add group read-only cookbooks '.*' read
-
-
-knife acl add group read-only containers data read
-knife acl bulk add group read-only data '.*' read
-
-
-knife acl add group read-only containers environments read
-knife acl bulk add group read-only environments '.*' read
-
-
-knife acl add group read-only containers nodes read
-knife acl bulk add group read-only nodes '.*' read
-
-
-knife acl add group read-only containers policies read
-knife acl bulk add group read-only policies '.*' read
-
-
-knife acl add group read-only containers policy_groups read
-knife acl bulk add group read-only policy_groups '.*' read
-
-
-knife acl add group read-only containers roles read
-knife acl bulk add group read-only roles '.*' read
-```
-
-# Subcommands
-
-## knife user list
-
-Show a list of users associated with your organization
-
-## knife group list
-
-List groups in the organization.
-
-## knife group create GROUP_NAME
-
-Create a new group `GROUP_NAME` to the organization.
-
-## knife group show GROUP_NAME
-
-Show the membership details for `GROUP_NAME`.
-
-## knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME
-
-Add MEMBER_NAME to `GROUP_NAME`.
-
-Valid `MEMBER_TYPE` values are
-
-- client
-- group
-- user
-
-## knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME
-
-Remove `MEMBER_NAME` from `GROUP_NAME`.
-
-See the `knife group add` documentation above for valid `MEMBER_TYPE` values.
-
-## knife group destroy GROUP_NAME
-
-Removes group `GROUP_NAME` from the organization.  All members of the group
-(clients, groups and users) remain in the system, only `GROUP_NAME` is removed.
-
-The `admins`, `billing-admins`, `clients` and `users` groups are special groups
-so knife-acl will not allow them to be destroyed.
-
-## knife acl show OBJECT_TYPE OBJECT_NAME
-
-Shows the ACL for the specified object.  Objects are identified by the
-combination of their type and name.
-
-Valid `OBJECT_TYPE` values are
-
-- clients
-- containers
-- cookbooks
-- data
-- environments
-- groups
-- nodes
-- policies
-- policy_groups
-- roles
-
-For example, use the following command to obtain the ACL for a node
-named "web.example.com":
-
-    knife acl show nodes web.example.com
-
-## knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS
-
-The best practice is to only add clients and groups to ACLs. To enforce this best practice
-the `knife acl add` command is only able to add a client or a group to ACLs.
-
-Valid `MEMBER_TYPE` values are
-
-- client
-- group
-
-Add `MEMBER_NAME` to the `PERMS` access control entry of `OBJECT_NAME`.
-Objects are specified by the combination of their type and name.
-
-Valid `OBJECT_TYPE` values are
-
-- clients
-- containers
-- cookbooks
-- data
-- environments
-- groups
-- nodes
-- policies
-- policy_groups
-- roles
-
-Valid `PERMS` are:
-
-- create
-- read
-- update
-- delete
-- grant
-
-Multiple `PERMS` can be given in a single command by separating them
-with a comma with no extra spaces.
-
-For example, use the following command to give the superusers group
-the ability to delete and update the node called "web.example.com":
-
-    knife acl add group superusers nodes web.example.com delete,update
-
-## knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS
-
-The best practice is to only add clients and groups to ACLs. To enforce this best practice
-the `knife acl bulk add` command is only able to add a client or a group to ACLs.
-
-Valid `MEMBER_TYPE` values are
-
-- client
-- group
-
-Add `MEMBER_NAME` to the `PERMS` access control entry for each object in a
-set of objects of `OBJECT_TYPE`.
-
-The set of objects are specified by matching the objects' names with the
-given REGEX regular expression surrounded by quotes.
-
-See the `knife acl add` documentation above for valid `OBJECT_TYPE` and `PERMS` values.
-
-Appending `-y` or `--yes` to the `knife acl bulk add` command will run the command
-without any prompts for confirmation.
-
-For example, use the following command to give the superusers group the ability to
-delete and update all nodes matching the regular expression 'WIN-.*':
-
-    knife acl bulk add group superusers nodes 'WIN-.*' delete,update --yes
-
-## knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS
-
-Remove `MEMBER_NAME` from the `PERMS` access control entry of `OBJECT_NAME`.
-Objects are specified by the combination of their type and name.
-
-Valid `MEMBER_TYPE` values are
-
-- client
-- group
-- user
-
-Valid `OBJECT_TYPE` values are
-
-- clients
-- containers
-- cookbooks
-- data
-- environments
-- groups
-- nodes
-- policies
-- policy_groups
-- roles
-
-Valid `PERMS` are:
-
-- create
-- read
-- update
-- delete
-- grant
-
-Multiple `PERMS` can be given in a single command by separating them
-with a comma with no extra spaces.
-
-For example, use the following command to remove the superusers group from the delete and
-update access control entries for the node called "web.example.com":
-
-    knife acl remove group superusers nodes web.example.com delete,update
-
-## knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS
-
-Remove `MEMBER_NAME` from the `PERMS` access control entry for each object in a
-set of objects of `OBJECT_TYPE`.
-
-The set of objects are specified by matching the objects' names with the
-given REGEX regular expression surrounded by quotes.
-
-See the `knife acl remove` documentation above for valid `MEMBER_TYPE`, `OBJECT_TYPE` and `PERMS` values.
-
-Appending `-y` or `--yes` to the `knife acl bulk add` command will run the command
-without any prompts for confirmation.
-
-For example, use the following command to remove the superusers group from the delete and
-update access control entries for all nodes matching the regular expression 'WIN-.*':
-
-    knife acl bulk remove group superusers nodes 'WIN-.*' delete,update --yes
-
-## Default Permissions for Containers
-
-The following commands will set the default permissions for the
-admins, clients and users groups on all containers. These can
-be helpful if you need to restore container permissions back to their
-default values.
-
-```
-knife acl add group admins containers clients create,read,update,delete,grant
-knife acl remove group clients containers clients create,read,update,delete,grant
-knife acl add group users containers clients read,delete
-knife acl remove group users containers clients create,update,grant
-
-knife acl add group admins containers cookbook_artifacts create,read,update,delete,grant
-knife acl add group clients containers cookbook_artifacts read
-knife acl remove group clients containers cookbook_artifacts create,update,delete,grant
-knife acl add group users containers cookbook_artifacts create,read,update,delete
-knife acl remove group users containers cookbook_artifacts grant
-
-knife acl add group admins containers cookbooks create,read,update,delete,grant
-knife acl add group clients containers cookbooks read
-knife acl remove group clients containers cookbooks create,update,delete,grant
-knife acl add group users containers cookbooks create,read,update,delete
-knife acl remove group users containers cookbooks grant
-
-knife acl add group admins containers data create,read,update,delete,grant
-knife acl add group clients containers data read
-knife acl remove group clients containers data create,update,delete,grant
-knife acl add group users containers data create,read,update,delete
-knife acl remove group users containers data grant
-
-knife acl add group admins containers environments create,read,update,delete,grant
-knife acl add group clients containers environments read
-knife acl remove group clients containers environments create,update,delete,grant
-knife acl add group users containers environments create,read,update,delete
-knife acl remove group users containers environments grant
-
-knife acl add group admins containers groups create,read,update,delete,grant
-knife acl remove group clients containers groups create,read,update,delete,grant
-knife acl add group users containers groups read
-knife acl remove group users containers groups create,update,delete,grant
-
-knife acl add group admins containers nodes create,read,update,delete,grant
-knife acl add group clients containers nodes create,read
-knife acl remove group clients containers nodes update,delete,grant
-knife acl add group users containers nodes create,read,update,delete
-knife acl remove group users containers nodes grant
-
-knife acl add group admins containers policies create,read,update,delete,grant
-knife acl add group clients containers policies read
-knife acl remove group clients containers policies create,update,delete,grant
-knife acl add group users containers policies create,read,update,delete
-knife acl remove group users containers policies grant
-
-knife acl add group admins containers policy_groups create,read,update,delete,grant
-knife acl add group clients containers policy_groups read
-knife acl remove group clients containers policy_groups create,update,delete,grant
-knife acl add group users containers policy_groups create,read,update,delete
-knife acl remove group users containers policy_groups grant
-
-knife acl add group admins containers roles create,read,update,delete,grant
-knife acl add group clients containers roles read
-knife acl remove group clients containers roles create,update,delete,grant
-knife acl add group users containers roles create,read,update,delete
-knife acl remove group users containers roles grant
-
-knife acl add group admins containers sandboxes create,read,update,delete,grant
-knife acl remove group clients containers sandboxes create,read,update,delete,grant
-knife acl add group users containers sandboxes create
-knife acl remove group users containers sandboxes read,update,delete,grant
-```
-
-## LICENSE
-
-Unless otherwise specified all works in this repository are
-
-Copyright 2013-2016 Chef Software, Inc.
-
-|||
-| ------------- |-------------:|
-| Author      |Seth Falcon (seth@chef.io)|
-| Author      |Jeremiah Snapp (jeremiah@chef.io)|
-| Copyright  |Copyright (c) 2013-2015 Chef Software, Inc.|
-| License     |Apache License, Version 2.0|
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   [Apache 2.0](http://www.apache.org/licenses/LICENSE-2.0)
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.