I have a TeamCity project that builds binaries, uploads a cookbook to the Chef Server, and converges the nodes remotely using a Windows PowerShell session.
    $s = New-PSSession -ComputerName $nd -Credential $cred
    $result = Invoke-Command -Session $s -ScriptBlock {
        Cd c:\chef
        chef-client --once -L client.%build.number%.log
        return $LastExitCode
    }
    Remove-PSSession $s
Everything worked fine until…
I needed to execute some binaries under different credentials:
    shell = Mixlib::ShellOut.new(cmd, :user => username, :domain => domain, :password => password)
    shell.run_command
    shell.error!
Then I got the following error:
    [2015-08-06T14:17:13+02:00] DEBUG: Re-raising exception: Errno::NOERROR - idm_is3cli[configure_clients_and_scopes] (idm::is3cli line 30) had an error: Errno::NOERROR: No error - CreateProcessAsUserW (You must hold the 'Replace a process level token' permission)
    C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout/windows/core_ext.rb:310:in `create'
    C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout/windows.rb:86:in `run_command'
    C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout.rb:259:in `run_command'
    c:/chef/cache/cookbooks/idm/providers/is3cli.rb:23:in `block in class_from_file'
    C:/opscode/chef/embedded/apps/chef/lib/chef/provider/lwrp_base.rb:160:in `instance_eval'
    C:/opscode/chef/embedded/apps/chef/lib/chef/provider/lwrp_base.rb:160:in `block in action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/provider.rb:144:in `run_action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource.rb:586:in `run_action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:49:in `run_action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `block (2 levels) in converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `each'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `block in converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/resource_list.rb:83:in `block in execute_each_resource'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/resource_list.rb:81:in `execute_each_resource'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:80:in `converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:654:in `block in converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:649:in `catch'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:649:in `converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:688:in `converge_and_save'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:269:in `run'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:252:in `run_with_graceful_exit_option'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:229:in `block in run_chef_client'
    C:/opscode/chef/embedded/apps/chef/lib/chef/local_mode.rb:39:in `with_server_connectivity'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:212:in `run_chef_client'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application/client.rb:375:in `run_application'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:60:in `run'
    C:/opscode/chef/embedded/apps/chef/bin/chef-client:26:in `<top (required)>'
    C:/opscode/chef/bin/chef-client:65:in `load'
    C:/opscode/chef/bin/chef-client:65:in `<main>'
Any ideas? Thanks.
Solution
Looks like you have to update Group Policy on that machine to give that account the ability to replace a process level token:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description
Determines which user accounts can initiate a process to replace the default token associated with a launched subprocess.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only LocalSystem accounts have this privilege.
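According to the MSDN documentation on privilege constants, this corresponds to the SE_ASSIGNPRIMARYTOKEN_NAME / SeAssignPrimaryTokenPrivilege privilege. The Carbon PowerShell module has a Grant-Privilege function that you can use to grant this privilege from the console. (Disclosure: I am the owner/maintainer of Carbon.)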
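An added example, not part of the original answer: it lists which accounts hold SeAssignPrimaryTokenPrivilege on the node by parsing a secedit export, grants the right with Carbon's Grant-Privilege only if it is missing, then verifies the result. The account name CONTOSO\svc-deploy and the helper Get-UserRightHolder are constructed for illustration; run it elevated on the node with Carbon installed.

```powershell
# Added example, not from the original answer. Run elevated on the node.
# 'CONTOSO\svc-deploy' is a constructed placeholder for the account that runs chef-client.
Import-Module Carbon

$identity  = 'CONTOSO\svc-deploy'
$privilege = 'SeAssignPrimaryTokenPrivilege'

# Hypothetical helper: returns the accounts that hold a user right in local policy.
function Get-UserRightHolder {
    param([Parameter(Mandatory)][string]$Privilege)

    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match ('^{0}\s*=' -f [regex]::Escape($Privilege)) } |
            Select-Object -First 1
        if (-not $line) { return }   # nobody holds the right

        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry.StartsWith('*')) { $entry; continue }   # already an account name
            # Entries prefixed with '*' are SIDs; resolve them to DOMAIN\name where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: report it as-is
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$before = @(Get-UserRightHolder -Privilege $privilege)
"Holders before: $($before -join ', ')"

if ($before -notcontains $identity) {
    Grant-Privilege -Identity $identity -Privilege $privilege
}

$after = @(Get-UserRightHolder -Privilege $privilege)
"Holders after:  $($after -join ', ')"
if ($after -notcontains $identity) {
    throw "$identity still lacks $privilege; check whether a domain GPO overrides local policy."
}
```

The right only appears in tokens created after the grant, so open a fresh PSSession before re-running chef-client. Because a holder of this right can start processes under another account's token, grant it to a dedicated deployment account rather than a shared or interactive one, and keep the "before" list as an audit record.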