While setting up the icinga2 chef cookbook for my own personal use (specifically around the pki-tickets generation for the icinga2 remote API), I have spent a lot of time looking for a way to enable admin on a client, as the data bag documentation requires.
Altering data bags from the node when using the open source Chef server requires the node’s API client to be granted admin privileges. In most cases, this is not advisable.
However, I'm not able to set an admin client when I edit the json through knife client edit. I edit the json, changing "admin": true and save it. knife reports that it's updated, but a knife client show shows that admin is still false. Additionally, I find conflicting information in the knife client documentation.
With regard to the -a --admin option creating a client:
This option only works when used with the open source Chef server and will have no effect when used with Enterprise Chef or Chef server 12.x.
How do I enable edit/creation of databags/databag entries from a recipe?
You would use the Chef Server ACLs system: https://docs.chef.io/auth.html#authorization
You can either edit those via the Manage web UI or the knife-acl CLI.
Be aware of the security ramifications and general complexities of this approach before you proceed though.