Nested Databags


#1

Hi!!

I’m new to Chef and liking it so far. I have a simple question (could even be
called stupid): Could I create a nested databag to create a structure like the
following?

access_groups = {
  "Developers" => { "Tim" => "10.0.0.1", "Brandon" => "10.0.0.2" },
  "Admins"     => { "Jacob" => "10.1.0.1", "Curtis" => "10.1.0.2", "Mary" => "10.1.0.3" },
  "Sales"      => { "Rebecca" => "10.3.0.1", "George" => "10.3.2.1" }
}

in one databag?
Use case:
When a node is created, it would set an attribute which is an ldap_group (or
maybe 2 or 3 ldap groups). The ldap_group names correspond to the group names
above. So when I want to configure iptables, I will have to loop over all
specified groups and get every IP from the users in the group(s). I also want
the usernames, because each user in that group will be added to a local group,
in order to grant him sudo access to different stuff.

Any other ideas on how to accomplish this would be appreciated.


#2

It sounds to me like you want one data bag of access groups per node.
So each item in the data bag would have the node name and its
associated access groups.

Really, you could do several things, but the first things that come to mind are:
1)
data_bag: "node_access_groups"
data_bag_item: {
  "id": <node_name>,
  "authorized_users": [ , , …, ],
  "ip_list": [ <IP 1>, <IP 2>, … ]
}

That data bag item would then be able to be used in a recipe so a host
could search the databag for its own node name in the “id” field and
then access the list of authorized_users and the list of IP addresses
that are being used for it.

That’s if you are doing them as data bags, however, another point is
that you already have the data you want in an LDAP database, so why
replicate that data to a data bag in the first place and then have to
deal with keeping your data bag in sync with your LDAP server?

Wouldn’t it be better to query LDAP and return that information in a
way that can be directly used as attributes in your recipes?

 -JL

On Wed, Sep 12, 2012 at 10:21 AM, jfotop ifot@forthnet.gr wrote:

Hi!!

I’m new to Chef and liking it so far. I have a simple question (could even be
called stupid): Could I create a nested databag to create a structure like the
following?

access_groups = {
  "Developers" => { "Tim" => "10.0.0.1", "Brandon" => "10.0.0.2" },
  "Admins"     => { "Jacob" => "10.1.0.1", "Curtis" => "10.1.0.2", "Mary" => "10.1.0.3" },
  "Sales"      => { "Rebecca" => "10.3.0.1", "George" => "10.3.2.1" }
}

in one databag?
Use case:
When a node is created, it would set an attribute which is an ldap_group (or
maybe 2 or 3 ldap groups). The ldap_group names correspond to the group names
above. So when I want to configure iptables, I will have to loop over all
specified groups and get every IP from the users in the group(s). I also want
the usernames, because each user in that group will be added to a local group,
in order to grant him sudo access to different stuff.

Any other ideas on how to accomplish this would be appreciated.
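
An added example, not code from either poster: the nested structure from the question stored as a single data bag item (data bag items are JSON, so nesting works), with a helper that resolves a node's ldap_group list to users and source IPs and fails closed on bad data, since the result feeds iptables rules and sudo-capable groups. The item id `access_groups`, the helper names and the username pattern are assumptions.

```ruby
require 'ipaddr'
require 'set'

# Constructed sample: the question's structure as one data bag item
# (a plain hash with the required "id" key), as a recipe would load it.
ACCESS_GROUPS_ITEM = {
  'id' => 'access_groups',
  'Developers' => { 'Tim' => '10.0.0.1', 'Brandon' => '10.0.0.2' },
  'Admins'     => { 'Jacob' => '10.1.0.1', 'Curtis' => '10.1.0.2', 'Mary' => '10.1.0.3' },
  'Sales'      => { 'Rebecca' => '10.3.0.1', 'George' => '10.3.2.1' }
}.freeze

# Assumed username policy; adjust to the local account naming rules.
USERNAME_RE = /\A[A-Za-z][A-Za-z0-9_-]{0,31}\z/

# True only for a single dotted-quad host address. CIDR forms such as
# "0.0.0.0/0" are rejected so one bad entry cannot open the firewall.
def single_ipv4?(value)
  return false unless value.is_a?(String) && value.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
  IPAddr.new(value).ipv4?
rescue IPAddr::InvalidAddressError
  false
end

# Hypothetical helper: collect users and IPs for the node's groups.
# Raises on an unknown group instead of silently granting nothing or
# everything, so a typo in the node attribute is caught at converge time.
def resolve_access(item, ldap_groups)
  users = Set.new
  ips = Set.new
  Array(ldap_groups).each do |group|
    members = item[group]
    raise ArgumentError, "unknown access group: #{group.inspect}" unless members.is_a?(Hash)
    members.each do |user, ip|
      raise ArgumentError, "bad username: #{user.inspect}" unless user.is_a?(String) && USERNAME_RE.match?(user)
      raise ArgumentError, "bad IP for #{user}: #{ip.inspect}" unless single_ipv4?(ip)
      users << user
      ips << ip
    end
  end
  { users: users.to_a.sort, ips: ips.to_a.sort_by { |a| IPAddr.new(a).to_i } }
end
```

In a recipe the hash would come from the data bag rather than a constant, and `ldap_groups` from the node attribute described in the question.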