On 16/03/2009, at 9:27 PM, Michal Frackowiak wrote:
Hi,
we have been successfully experimenting with a chef-server + clients
setup, but still cannot figure out the permission settings.
The problem is that when you go to http://chef-server.example.com:4000
within the browser and log in using OpenID (using any external
identity provider), you always get admin permissions.
We are running chef on an EC2 + external chef-server (+ monitoring
etc) hybrid network, without any VPN, and wanted to run chef-server
on a public interface.
From what I can see we could restrict access to the chef-server,
either by setting up a VPN network, or by limiting access in any
other way. But perhaps there is a better way? Is it documented?
On Mon, 16 Mar 2009 21:34:58 +1300, AJ Christensen aj@junglist.gen.nz wrote:
Hiya!
You could for a start reverse proxy into the chef-server and restrict
particular URLs with HTTP basic or other authentication.
opscode/master currently has the functionality to restrict permissions
to specific OpenIDs and specific OpenID relying parties @
You may wish to build 0.6.0 gems and roll that out.
Regards,
AJ
This way you could have secure access without setting up a VPN
configuration. And you could safely run chef between networks. Would
this work with the OpenID authentication? (It would be nice to know
whether this is not going to work before we actually start
experimenting.)
Are there any reasons NOT to do this?
Thanks,
Michal
On Mar 16, 2009, at 3:16 PM, Aric Gardner wrote:
I meant to put up instructions for using apache's htaccess and
proxypass on the opscode wiki, as that's what I did.
Perhaps I'll do that today, I have my notes and such.
First enable mod_proxy with a2enmod proxy, then edit proxy.conf as follows:

# turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send email.
ProxyRequests Off
ProxyVia Full
<Proxy 127.0.0.1:80>
    # AddDefaultCharset off
    Order deny,allow
    Deny from all
    Allow from localhost
</Proxy>
Currently, the REST client in Chef does not support HTTP Basic auth.
I'm in the middle of refactoring Chef to use a rest-client, which will
enable this behavior. It'll be in the next Chef release.
Adam
--
Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com
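As an added example (not code from the thread, and not Opscode's own configuration), here is what AJ's and Aric's suggestion of a reverse proxy with HTTP basic auth in front of the chef-server web UI looks like as one Apache 2.2 virtual host, written in the same Order/Deny/Allow style as Aric's proxy.conf snippet. Everything in it is an assumption to adapt: the chef-server is reachable from Apache on 127.0.0.1:4000 and port 4000 itself is firewalled from the outside, the hostname chef-server.example.com, the password file /etc/apache2/chef.htpasswd and the 10.0.0.0/8 source network are placeholders, and mod_proxy, mod_proxy_http and mod_auth_basic are enabled (a2enmod proxy proxy_http auth_basic).

```apache
# Added example: Apache 2.2 reverse proxy with HTTP basic auth in front of
# the chef-server web UI. Backend address, hostname, htpasswd path and the
# allowed network below are placeholders (assumptions), not values from the thread.

# Never act as an open forward proxy; this is what stops the spam-relay
# abuse that the stock proxy.conf comment warns about.
ProxyRequests Off
ProxyVia Full
# Pass the browser's Host header through so the UI builds correct redirects.
ProxyPreserveHost On

# <Proxy> access control is evaluated for reverse-proxied requests too.
# A "Deny from all" here (as in the stock proxy.conf) makes every ProxyPass'd
# request answer 403, so allow them and rely on ProxyRequests Off instead.
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

<VirtualHost *:80>
    ServerName chef-server.example.com

    # Forward everything to the local chef-server and rewrite its redirects.
    ProxyPass        / http://127.0.0.1:4000/
    ProxyPassReverse / http://127.0.0.1:4000/

    <Location />
        # HTTP basic auth against a file created with:
        #   htpasswd -c /etc/apache2/chef.htpasswd <username>
        AuthType Basic
        AuthName "Chef server"
        AuthUserFile /etc/apache2/chef.htpasswd
        Require valid-user

        # Additionally restrict by source network (example CIDR).
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8

        # Both the password check and the network check must pass.
        Satisfy all
    </Location>
</VirtualHost>
```

Two points worth keeping in mind with this layout. The OpenID login still hands out admin rights to anyone who reaches it, so the proxy is the only gate, and the basic-auth credentials travel in the clear unless the vhost is moved to HTTPS. And as Adam notes above, the Chef REST client at this point cannot send basic-auth credentials, so this front end protects the browser UI only; chef-client traffic still needs its own protection (firewall rule or VPN) rather than this vhost.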