Limiting a client to data bag access with OpenSource Chef-Server


#1

Hi,

is there a way to limit an API client to access the databags/ REST
endpoint only? Using OpenSource Chef-Server… (I’m pretty sure the API
of closed Chef allows this).

My only idea would be to deny access to databags/ in the nginx proxy for
the IP running that client (a self-provision web frontend).

Any other ideas (doing it on a per-client basis)?

Thanks
Steffen


#2

On Apr 21, 2013, at 11:34 PM, Steffen Gebert wrote:

> Hi,
>
> is there a way to limit an API client to access the databags/ REST
> endpoint only? Using OpenSource Chef-Server… (I’m pretty sure the API
> of closed Chef allows this).
>
> My only idea would be to deny access to databags/ in the nginx proxy for
> the IP running that client (a self-provision web frontend).
>
> Any other ideas (doing it on a per-client basis)?

You can apply limits externally at the HTTP protocol layer, but the only access restriction available in OSC is whether a client is marked as an admin or not. The Chef 11 server build is already fronted by nginx, I think, so you could probably just alter the internal cookbook that generates the final nginx configs when you run chef-server-ctl reconfigure.

–Noah
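
Added example, not part of either post: one way the HTTP-layer limit suggested in reply #2 could look in nginx, decided per client name instead of per source IP. The client name `selfservice` and the upstream name `chef_api` are assumptions; `/data` is the path under which the Chef server API serves data bags, and `X-Ops-Userid` is the header in which a Chef API request names its client.

```nginx
# http context. Added example; "selfservice" is a hypothetical client name.

# 1 when the request claims to come from the restricted client.
# X-Ops-Userid is one of the signed request headers, so a client that
# sends a different name fails signature verification at the Chef server.
map $http_x_ops_userid $restricted_client {
    default      0;
    selfservice  1;
}

# 1 when the normalized path is the data bag endpoint or below it.
# $uri is already decoded and has "." / ".." segments resolved.
map $uri $data_bag_path {
    default        0;
    ~^/data(/|$)   1;
}

# Deny only the combination "restricted client, non-data-bag path".
map "$restricted_client:$data_bag_path" $deny_request {
    default  0;
    "1:0"    1;
}

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key as in the existing config

    location / {
        # Other clients and all /data requests pass through unchanged.
        if ($deny_request) {
            return 403;
        }

        proxy_set_header Host $host;
        proxy_pass http://chef_api;   # assumed upstream name
    }
}
```

On a Chef 11 server the nginx configuration is generated at `chef-server-ctl reconfigure`, so a change like this has to go into the template that produces it, as reply #2 describes, or it is overwritten on the next run.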