Put the private supermarket under basic auth


#1

Hello,
I would like to know if it is possible to put our private supermarket under basic auth.

For the moment I can only limit access by FW rules (we’re working in AWS).

Our company is very big and I don’t want our cookbooks to be downloadable by any unauthorized person.
Is it possible?


#2

Yes, it’s possible. The easiest technique is to put the basic auth username and password in the URL. https://example.com/cookbooks/ becomes https://user@password:/example.com/cookbooks/ It does put the credentials in plaintext in your Berksfile, but it’s workable.

An alternative in AWS would be to set up a public S3 folder with permissions set to restrict access to only your designated AWS instances. But that starts getting weird when you get to multiple region deployments and trying to maintain the rules for access: it’s similar to maintaining firewall rules.
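Post #2 points out that embedding the username and password in the source URL leaves them in plaintext in the Berksfile. The following Ruby script is an added example, not code from this thread or from Berkshelf: it builds the supermarket source URL with standard URL userinfo syntax (`https://user:password@host`) from environment variables so the Berksfile itself carries no secret, produces a redacted form safe for logs, and scans a Berksfile for sources that already embed credentials. The host `supermarket.example.internal`, the variable names `SUPERMARKET_USER`/`SUPERMARKET_PASSWORD` and the sample Berksfile content are constructed for the example.

```ruby
require 'uri'

# Constructed sample Berksfile (not from the thread): one source embeds
# credentials in plaintext, one does not.
SAMPLE_BERKSFILE = <<~BERKS
  source "https://deploy:s3cr3t@supermarket.example.internal"
  source "https://supermarket.chef.io"
  cookbook "apache2"
BERKS

# Percent-encode everything outside the RFC 3986 unreserved set so that
# characters such as ':' or '@' in a password cannot break the URL.
def pct_encode(str)
  str.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Build a supermarket source URL with basic-auth userinfo. The credentials are
# passed in by the caller (here from the environment), not written into the
# Berksfile. Only https is accepted: basic auth over http sends the password
# in the clear.
def supermarket_source(base_url, user:, password:)
  uri = URI.parse(base_url)
  raise ArgumentError, "basic auth requires https, got #{uri.scheme.inspect}" unless uri.scheme == "https"
  uri.user = pct_encode(user)
  uri.password = pct_encode(password)
  uri.to_s
end

# Return the URL with its userinfo replaced, so it can appear in logs or
# error messages without leaking the password.
def redact(url)
  uri = URI.parse(url)
  return url unless uri.user
  uri.user = "REDACTED"
  uri.password = nil
  uri.to_s
end

# Scan Berksfile text for `source "..."` lines whose URL embeds credentials.
# Returns [line_number, redacted_url] pairs; useful as a pre-commit check.
def embedded_credentials(berksfile_text)
  berksfile_text.each_line.with_index(1).filter_map do |line, n|
    m = line.match(/\bsource\s+["']([^"']+)["']/)
    next unless m
    begin
      uri = URI.parse(m[1])
    rescue URI::InvalidURIError
      next
    end
    [n, redact(m[1])] if uri.user
  end
end

# Usage: credentials come from the environment (placeholder defaults here).
puts supermarket_source("https://supermarket.example.internal",
                        user: ENV.fetch("SUPERMARKET_USER", "deploy"),
                        password: ENV.fetch("SUPERMARKET_PASSWORD", "s3cr3t")).then { |u| redact(u) }
embedded_credentials(SAMPLE_BERKSFILE).each do |n, src|
  puts "Berksfile line #{n}: credentials embedded in #{src}"
end
```

In a real Berksfile the `source` line would call `supermarket_source` (the Berksfile is Ruby), so the secret lives in the CI or workstation environment rather than in version control, and the scan function catches the case where someone pastes a credentialed URL anyway.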


#3

Hi,
It’s not totally clear.

If my basic endpoint is myprivatesupermarket.chef.com (and so I’ve configured the wrapper cookbook with that name), do I have to change it to https://myname@mypassword:/myprivatesupermarket.chef.com ?

Is it correct? What do I have to write in my browser? Can I write myprivatesupermarket.chef.com (and then the system will ask me for the credentials), or this -> https://myname@mypassword:/myprivatesupermarket.chef.com?


#4

The chef server normally keeps copies of the cookbooks loaded locally, and passes them out to the chef clients on request. It’s why in development environments, it can be really easy to load a testing cookbook on top of someone else’s cookbook and break the cookbook for other chef clients, and it’s why I try to test first with chef-solo before committing updated cookbooks anywhere else.

In your case, I think you’d be editing Berksfile, setting an authorized supermarket there for a designated set of cookbooks, and loading or updating the cookbooks from there to the chef server. A chef server does not normally communicate to the upstream cookbook repository. It normally gets cookbooks loaded by an authorized administrator from a locally installed cookbook, and these are locally downloaded and bundled with Berkshelf on the relevant server. That server can be and often is the chef server itself: it need not be, it can be done by any authorized administrator with the knife upload.

I suggest that you be careful not to confuse the Berkshelf or otherwise managed copying of supermarket or local cookbooks to a local workspace with the upload to the chef server, and don’t confuse the upload to the chef server with the chef client downloads. They’re distinct stages, highly flexible and tunable.


#5

Maybe it’s not clear what I’ve said :). Sorry, my English is not so good.

If I go to www.mysupermarket.com I see the webpage and download the cookbook by browser. I know perfectly well that to download with knife I have to change the Berksfile in my cookbook_name folder.

But my company is big and I want that “via browser” only my BU can see the webpage and download the cookbook via browser. Is it possible?


#6

Apparently I was unclear:

In your case, I think you’d be editing Berksfile, setting an authorized supermarket there for a designated set of cookbooks, and loading or updating the cookbooks from there to the chef server.

That supermarket would be an internal mirror of the supermarket, your internal web server with your local cookbooks on it, or a git repo, any of which could be designated for access to a set of cookbooks.


#7

So, I think you want an internal mirror. That internal mirror would be a mirror of the supermarket. And you can use “knife mirror” for precisely this. See https://supermarket.chef.io/tools/knife-mirror .