Chef-server containers

Ohai chefs,

I’ve been reviewing the following document ChefServerPermissions_v1.3.pdfhttps://github.com/chef/chef-server/blob/master/doc/ChefServerPermissions_v1.3.pdf and have a few questions around the purpose of some chef objects (and their related containers) on the chef server.

The document lists all the default containers (which relate to chef objects) that exist today:

clients
containers
cookbooks
data
environments
groups
nodes
roles
sandboxes
policies
policy_groups
cookbook_artifacts

Most chef object seem pretty obvious but except for data, sandboxes, and cookbook_artifacts objects.

Is data object simply a data bag?
What are sandboxes and cookbook_artifacts objects? If an user only had read access to these type of objects what wouldn’t they be able to do when using knife commands?

-Phil

Philip Oliva
Senior Infrastructure Software Developer
BlackBerry Ltd.
"Fail quick, fail often, recover quickly"
http://ca.linkedin.com/pub/philip-oliva/67/74/10

On Wednesday, September 30, 2015 at 4:17 PM, Phil Oliva wrote:

Ohai chefs,

I’ve been reviewing the following document ChefServerPermissions_v1.3.pdf (https://github.com/chef/chef-server/blob/master/doc/ChefServerPermissions_v1.3.pdf) and have a few questions around the purpose of some chef objects (and their related containers) on the chef server.

The document lists all the default containers (which relate to chef objects) that exist today:

clients
containers
cookbooks
data
environments
groups
nodes
roles
sandboxes
policies
policy_groups
cookbook_artifacts

Most chef object seem pretty obvious but except for data, sandboxes, and cookbook_artifacts objects.

Is data object simply a data bag?

Yes

What are sandboxes and cookbook_artifacts objects? If an user only had read access to these type of objects what wouldn’t they be able to do when using knife commands?

Sandboxes keep track of state during cookbook uploads, since the actual files are uploaded to S3 or an S3-alike service (bookshelf).

Cookbook artifacts are cookbooks that are used by policyfiles. These are stored as a separate object type so we didn’t have to introduce any behavior changes to the existing cookbooks APIs.

-Phil

Philip Oliva
Senior Infrastructure Software Developer
BlackBerry Ltd.
“Fail quick, fail often, recover quickly”
http://ca.linkedin.com/pub/philip-oliva/67/74/10

--
Daniel DeLeo

Thanks Daniel.

So if a user has read, create, upload, and write permissions to 'cookbooks' objects but only read permissions to 'sandboxes' objects then user won't be able to upload cookbooks, correct?

-Phil

-----Original Message-----
From: Daniel DeLeo [mailto:ddeleo@kallistec.com] On Behalf Of Daniel DeLeo
Sent: Wednesday, September 30, 2015 7:47 PM
To: chef@lists.opscode.com
Subject: [chef] Re: chef-server containers

On Wednesday, September 30, 2015 at 4:17 PM, Phil Oliva wrote:

Ohai chefs,

I’ve been reviewing the following document ChefServerPermissions_v1.3.pdf (https://github.com/chef/chef-server/blob/master/doc/ChefServerPermissions_v1.3.pdf) and have a few questions around the purpose of some chef objects (and their related containers) on the chef server.

The document lists all the default containers (which relate to chef objects) that exist today:

clients
containers
cookbooks
data
environments
groups
nodes
roles
sandboxes
policies
policy_groups
cookbook_artifacts

Most chef object seem pretty obvious but except for data, sandboxes, and cookbook_artifacts objects.

Is data object simply a data bag?

Yes

What are sandboxes and cookbook_artifacts objects? If an user only had read access to these type of objects what wouldn’t they be able to do when using knife commands?

Sandboxes keep track of state during cookbook uploads, since the actual files are uploaded to S3 or an S3-alike service (bookshelf).

Cookbook artifacts are cookbooks that are used by policyfiles. These are stored as a separate object type so we didn’t have to introduce any behavior changes to the existing cookbooks APIs.

-Phil

Philip Oliva
Senior Infrastructure Software Developer BlackBerry Ltd.
“Fail quick, fail often, recover quickly”
http://ca.linkedin.com/pub/philip-oliva/67/74/10

--
Daniel DeLeo

On Wednesday, September 30, 2015 at 6:23 PM, Phil Oliva wrote:

Thanks Daniel.

So if a user has read, create, upload, and write permissions to 'cookbooks' objects but only read permissions to 'sandboxes' objects then user won't be able to upload cookbooks, correct?

-Phil

Looking at https://github.com/chef/chef/blob/master/lib/chef/cookbook_uploader.rb it looks like you need create and update on sandboxes. Otherwise I guess you could theoretically make a “new cookbook” out of existing files but you couldn’t upload any files that the server didn’t have.

--
Daniel DeLeo

How does one control the size of chef-client log files? I have an client
that I am running testing on - do not want to turn logging off. Is there a
way to specify the max size after which the program can recycle the old
content with the new?

Thank you.

regards,
-bhavna

Bhavna Agrawal

By any chance is it overflowing with handle_chunk messages like mine?

On Thu, Oct 1, 2015 at 12:48 PM, Bhavna Agrawal bhavna@us.ibm.com wrote:

How does one control the size of chef-client log files? I have an client
that I am running testing on - do not want to turn logging off. Is there a
way to specify the max size after which the program can recycle the old
content with the new?

Thank you.

regards,
-bhavna

Bhavna Agrawal