I am performing some proof of concept testing to see how we can use
Chef, and configuration management in general, at my workplace.
Initial results are very promising and, not only that, Chef is great
fun to work with. I can already see it eventually replacing a great
deal of fragile scripting.
My question is - can I allow node API clients to modify data bag items
in a particular data bag without giving them admin privileges?
This is regarding a package (Internet2’s Shibboleth Service Provider)
that we currently install in the following way for a given
- First app server - The install script interactively asks the operations
engineer for client-specific information (taken from the ticketing
system), then installs the package and generates the SSL cert + key.
This information is saved to a file.
- All other app servers - The script reads the previously gathered
information to automatically install and configure the package for
the rest of the app servers.
The script simplifies the installation process for our ops engineers
so that they do not have to be Shibboleth experts. I would like to
have Chef handle this instead and I was thinking that, for the initial
bootstrap, I can have a wrapper script to gather the client specific
information but then save this to a json file and feed it to chef so
that it can be placed in a data bag item for that environment.
Something along these lines is almost working.
First run on the first app server:
1. Interactively ask for the client-specific information
2. Generate SSL certificate + key
3. Save client information and SSL cert + key in a json file
4. Run Chef with a special Shibboleth “bootstrap” recipe and with the "-j"
option to load the contents of the above-mentioned json file into
the node attribute list
5. From the Shibboleth bootstrap recipe, create a data bag item and
save the client info + certs
Remaining app servers: simply run Chef normally and it will pull the
configuration from the data bag and configure the node appropriately.
However, at step 5, I get stuck. The problem, as mentioned above, is
that admin privileges are required to create data bag items, as is
mentioned in the docs on the Wiki. Can I allow access to just a
particular data bag?
Or should I try a whole new strategy? I’m open to suggestions.
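As an added example (not code from the original post or from Chef itself), here is what step 5 of the bootstrap recipe could do in Ruby: validate the attributes that "-j" loaded from the json file, assemble the data bag item, and save it through Chef::DataBagItem only when running inside chef-client. The attribute names, the bag name "shibboleth" and the sample json are assumptions.

```ruby
require 'json'

# Constructed sample of the JSON file handed to "chef-client -j" on the first
# app server. Attribute names are assumptions, not from the original post.
BOOTSTRAP_JSON = <<~'JSON'
  {
    "shibboleth": {
      "environment": "acme-prod",
      "entity_id": "https://sp.example.org/shibboleth",
      "idp_metadata_url": "https://idp.example.org/metadata.xml",
      "sp_cert": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----",
      "sp_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----"
    },
    "run_list": ["recipe[shibboleth::bootstrap]"]
  }
JSON

REQUIRED = %w[environment entity_id idp_metadata_url sp_cert sp_key].freeze
# Same id rule Chef enforces on data bag items: letters, digits, '-' and '_' only.
VALID_ID = /\A[-[:alnum:]_]+\z/

# Turn the "shibboleth" attribute subtree into the raw data of one data bag
# item keyed by the client environment. Fails loudly rather than saving a
# half-filled item that the remaining app servers would then configure from.
def shibboleth_item_from_attributes(attrs)
  shib = attrs.fetch('shibboleth') { raise ArgumentError, 'no "shibboleth" attributes in -j file' }
  missing = REQUIRED.reject { |k| shib[k].is_a?(String) && !shib[k].strip.empty? }
  raise ArgumentError, "missing shibboleth attributes: #{missing.join(', ')}" unless missing.empty?
  id = shib['environment']
  raise ArgumentError, "#{id.inspect} is not a valid data bag item id" unless id.match?(VALID_ID)
  # The private key travels with the cert here, as in the post's step 3; an
  # encrypted data bag item is the better home for it on a real deployment.
  { 'id' => id, 'entity_id' => shib['entity_id'],
    'idp_metadata_url' => shib['idp_metadata_url'],
    'sp_cert' => shib['sp_cert'], 'sp_key' => shib['sp_key'] }
end

# Recipe-side usage: saves the item when running inside chef-client (where
# Chef::DataBagItem exists) and just returns the data otherwise. The API client
# chef-client authenticates with must be allowed to write to this bag.
def save_shibboleth_item(attrs, bag = 'shibboleth')
  data = shibboleth_item_from_attributes(attrs)
  return data unless defined?(Chef::DataBagItem)
  item = Chef::DataBagItem.new
  item.data_bag(bag)
  item.raw_data = data
  item.save
  data
end
save_shibboleth_item(JSON.parse(BOOTSTRAP_JSON)) if $PROGRAM_NAME == __FILE__
```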