Handling configuration data generated at package install time


#1

Hi All,

Summary:

I am performing some proof of concept testing to see how we can use
Chef, and configuration management in general, at my workplace.
Initial results are very promising and, not only that, Chef is great
fun to work with. I can already see it eventually replacing a great
deal of fragile scripting.

My question is - can I allow node API clients to modify data bag items
in a particular data bag without giving them admin privileges?

Details:

This is regarding a package (Internet2’s Shibboleth Service Provider
[1]) that we currently install in the following way for a given
environment

  1. First app server - Install script interactively asks operations
    engineer for client specific information (taken from the ticketing
    system), then installs the package and generates the SSL cert + key.
    This information is saved to a file
  2. All other app servers - The script reads the previously gathered
    information to automatically install and configure the package for
    the rest of the app servers

The script simplifies the installation process for our ops engineers
so that they do not have to be Shibboleth experts. I would like to
have Chef handle this instead and I was thinking that, for the initial
bootstrap, I can have a wrapper script to gather the client specific
information but then save this to a json file and feed it to chef so
that it can be placed in a data bag item for that environment.
Something along these lines is almost working

First run on first app server :

  1. Interactively ask for the client specific information
  2. Generate SSL certificate+key
  3. Save client information and SSL cert+key in json file
  4. Run Chef with a special Shibboleth “bootstrap” recipe and with "-j"
    option to load in the contents of the above mentioned json file into
    the node attribute list
  5. From the Shibboleth bootstrap recipe create a data bag item and
    save the client info + certs

Remaining app servers : Simply run Chef normally and it will pull the
configuration from the data bag and configure the node appropriately.

However, at step 5, I get stuck. The problem, as mentioned above, is
that admin privileges are required to create data bag items, as is
mentioned in the docs on the Wiki. Can I allow access to just a
particular data bag?

Or should I try a whole new strategy? I’m open to suggestions.

Regards,

Fred.

[1] http://shibboleth.net/


#2

Friedrich,

The normal Chef way is generally for the sysadmin (you) to give the
chef-server all the necessary data up-front. Then the recipes are free to
read any data they like from the chef-server and, at the end of a
successful run, update just the node data for that node. Recipes may read
data-bag items, but typically do not create, update, or delete data-bag
items.

A way to solve your problem might be to write a script that the sysadmin
can run interactively on his own workstation and not on the app-server,
which writes out a JSON file, including embedded in it any necessary
configuration files, certificates, keys, etc. The sysadmin can then copy
that JSON file into the chef-repo as a data-bag item and upload it to the
chef-server. Then the next chef-client run on each app-server will read
that data and configure the nodes according to that data.

Cheers,
Jay

On Tue, Oct 23, 2012 at 11:09 AM, Friedrich Clausen fred@derf.nl wrote:

Hi All,

Summary:

I am performing some proof of concept testing to see how we can use
Chef, and configuration management in general, within at my workplace.
Initial results are very promising and, not only that, Chef is great
fun to work with. I can already see it eventually replacing a great
deal of fragile scripting.

My question is - can I allow node API clients to modify data bag items
in a particular data bag without giving them admin privileges?

Details:

This is regarding a package (Internet2’s Shibboleth Service Provider
[1]) that we currently install in the following way for a given
environment

  1. First app server - Install script interactively asks operations
    engineer for client specific information (taken from the ticketing
    system), then installs the package and generates the SSL cert + key.
    This information is saved to a file
  2. All other app servers - The script reads the previously gathered
    information to automatically install and configured the package for
    the rest of the app servers

The script simplifies the installation process for our ops engineers
so that they do not have to be Shibboleth experts. I would like to
have Chef handle this instead and I was thinking that, for the initial
bootstrap, I can have a wrapper script to gather the client specific
information but then save this to a json file and feed it to chef so
that it can be placed in a data bag item for that environment.
Something along these lines is almost working

First run on first app server :

  1. Interactively ask for the client specific information
  2. Generate SSL certificate+key
  3. Save client information and SSL cert+key in json file
  4. Run Chef with a special Shibboleth “bootstrap” recipe and with "-j"
    option to load in the contents of the above mentioned json file into
    the node attribute list
  5. From the Shibboleth bootstrap recipe create a data bag item and
    save the client info + certs

Remaining app servers : Simply run Chef normally and it will pull the
configuration from the data bag and configure the node appropriately.

However, at step 5, I get stuck. The problem, as mentioned above, is
that admin privileges are required to create data bag items, as is
mentioned in the docs on the Wiki. Can I allow access to just a
particular data bag?

Or should I try a whole new strategy? I’m open to suggestions.

Regards,

Fred.

[1] http://shibboleth.net/
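The workflow Jay describes (interactive script on the workstation, JSON data bag item with the cert and key embedded, recipe on each app server reads it back), carried through end to end as an added example. This is not code from the thread, from Chef or from the Shibboleth project. Everything specific is assumed for illustration: the client fields, the data bag name `shibboleth` with one item per environment, the `/etc/shibboleth` paths, the `shibd` owner and the shibboleth2.xml skeleton. The sample client answers are constructed. One caveat worth stating here: a plain data bag item is readable by every API client on that chef-server, so with this layout the SP private key is readable by every node, not just the app servers; the validation step is there so that a broken or mismatched key pair is caught on the workstation rather than rolled out to every app server on the next run.

```ruby
require "json"
require "openssl"
require "securerandom"
require "time"

# Constructed sample of the client-specific answers an ops engineer would
# type in (normally copied from the ticket). Not taken from the thread.
CLIENT_INFO = {
  "entity_id"       => "https://sp.example.org/shibboleth",
  "idp_metadata"    => "https://idp.example.org/idp/shibboleth",
  "support_contact" => "ops@example.org",
}.freeze

REQUIRED_CLIENT_KEYS = %w[entity_id idp_metadata support_contact].freeze

# Self-signed SP certificate and RSA key, generated on the workstation so the
# key only ever reaches an app server via the data bag item.
def generate_sp_cert(hostname, days: 3650)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = SecureRandom.random_number(1 << 63)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# One item per environment (assumed layout); "id" is what knife and
# data_bag_item() look the item up by.
def build_data_bag_item(environment, client_info, cert, key)
  {
    "id"           => environment,
    "client"       => client_info,
    "sp_cert_pem"  => cert.to_pem,
    "sp_key_pem"   => key.to_pem,
    "generated_at" => Time.now.utc.iso8601,
  }
end

# Run before the item is committed to the chef-repo. Returns a list of
# problems; an empty list means the item is safe to upload.
def validate_item(item)
  errors = []
  errors << "id must match /^[a-z0-9_-]+$/" unless item["id"].to_s.match?(/\A[a-z0-9_-]+\z/)
  missing = REQUIRED_CLIENT_KEYS - (item["client"] || {}).keys
  errors << "missing client fields: #{missing.join(', ')}" unless missing.empty?
  begin
    cert = OpenSSL::X509::Certificate.new(item["sp_cert_pem"].to_s)
    key  = OpenSSL::PKey::RSA.new(item["sp_key_pem"].to_s)
    errors << "key does not match certificate" unless cert.check_private_key(key)
    errors << "certificate expired" if cert.not_after < Time.now
  rescue OpenSSL::OpenSSLError, ArgumentError => e
    errors << "bad cert/key PEM: #{e.message}"
  end
  errors
end

# Recipe side: what each app server derives from the item it read back with
# data_bag_item("shibboleth", node.chef_environment). The shibboleth2.xml
# below is an illustrative skeleton, not a complete SP configuration.
def render_sp_config(item)
  c = item["client"]
  <<~XML
    <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
      <ApplicationDefaults entityID=#{c["entity_id"].encode(xml: :attr)}>
        <Errors supportContact=#{c["support_contact"].encode(xml: :attr)}/>
        <MetadataProvider type="XML" uri=#{c["idp_metadata"].encode(xml: :attr)}/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
      </ApplicationDefaults>
    </SPConfig>
  XML
end

# Files the recipe would manage, with the permissions each should get
# (paths and the "shibd" owner are assumptions).
def render_node_files(item, confdir: "/etc/shibboleth", owner: "shibd")
  {
    File.join(confdir, "shibboleth2.xml") => { content: render_sp_config(item), mode: 0o644, owner: owner },
    File.join(confdir, "sp-cert.pem")     => { content: item["sp_cert_pem"],    mode: 0o644, owner: owner },
    # Private key: readable by the daemon user only.
    File.join(confdir, "sp-key.pem")      => { content: item["sp_key_pem"],     mode: 0o600, owner: owner },
  }
end

# Workstation use: ruby make_sp_item.rb production sp.example.org > production.json
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  env, host = ARGV
  cert, key = generate_sp_cert(host)
  item = build_data_bag_item(env, CLIENT_INFO, cert, key)
  errs = validate_item(item)
  abort(errs.join("\n")) unless errs.empty?
  puts JSON.pretty_generate(item)
end
```

The JSON file goes into the chef-repo under data_bags/shibboleth/ and is uploaded with `knife data bag create shibboleth` followed by `knife data bag from file shibboleth production.json`; no node ever needs write access to the bag, which is the permission problem the original post ran into. If the private key in the item is a concern, knife's encrypted data bag support (`--secret-file` on `knife data bag from file`, read back in the recipe with `Chef::EncryptedDataBagItem.load`) keeps the item opaque to clients that do not hold the shared secret.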