Removing permission to persist an overridden run-list for a node


#1

Ohai Chefs,

I’d like to prevent my clients from persisting an overridden run-list for a node to the Chef Server (e.g. this could be achieved with the default permissions for a client within a recipe using node.save or by running chef-client -r recipe[cookbook::mynaughtycookbook])

If I remove the node from the UPDATE and DELETE ACE on the node object , then Ohai data cannot be persisted to the server and the chef client run fails.

Does anyone know any reasonable way around this problem? In other words, is there any way to have a read-only run-list on the server?

Thanks, Stuart

Stuart Preston
Technical Director
stuart@pendrica.commailto:stuart@pendrica.com
+447828735633

[Pendrica-linkedin-100x35]


#2

Override run-lists already aren’t saved with node.save

If you’re concerned about nodes being able to change their run_lists at
all, that isn’t something that is possible right now. We can’t treat
the run_list separate from any of the other attributes right now.

On 10/01/2015 05:19 AM, Stuart Preston wrote:

Ohai Chefs,

I’d like to prevent my clients from persisting an overridden run-list
for a node to the Chef Server (e.g. this could be achieved with the
default permissions for a client within a recipe using node.save or by
running chef-client -r recipe[cookbook::mynaughtycookbook])

If I remove the node from the UPDATE and DELETE ACE on the node object
, then Ohai data cannot be persisted to the server and the chef client
run fails.

Does anyone know any reasonable way around this problem? In other
words, is there any way to have a read-only run-list on the server?

Thanks, Stuart

**

Stuart Preston

Technical Director

stuart@pendrica.com mailto:stuart@pendrica.com

+447828735633

Pendrica-linkedin-100x35