Read only access to chef server


#1

hello!
we recently put a berks-api in front of our chef server so that it can be our
central repository for cookbooks. it’s working nicely.

but since Berkshelf files now reference our “in-house supermarket” instead
of git and/or path locations, it also means a lot more people need access
to our chef server. for example anyone that does kitchen testing. but i
don’t want all those people to be able to upload or modify things in the
chef-server. so how can i give them read only access? we are on chef server
11.

best, koert


#2

Hey Koert,

Your best bet is probably to upgrade to Chef Server 12 and then use the
more fine-grained RBAC permissions it contains to manage this, although
I don’t believe there is a simple read-only switch you can flip, so
you’ll likely have to play with the permission system to get things correct.

The webui gives you some access to manage this, although it is far from
perfect (and the webui is only free for use up to 25 nodes); otherwise
command line tools are available to manage this. knife-acl exists for
this, but has lots of warnings around it, since it is modifying the
underlying permissions of the system.

- Mark Mzyk

Koert Kuipers mailto:koert@tresata.com
January 8, 2015 at 11:39 PM