I’d like to prevent my clients from persisting an overridden run-list for a node to the Chef Server (e.g. this could be achieved with the default permissions for a client within a recipe using node.save or by running chef-client -r recipe[cookbook::mynaughtycookbook]).
If I remove the node from the UPDATE and DELETE ACE on the node object, then Ohai data cannot be persisted to the server and the chef client run fails.
Does anyone know any reasonable way around this problem? In other words, is there any way to have a read-only run-list on the server?