Restricting a Chef Workstation to specific cookbook management


#1

I’ve done some searching and I’ve come up dry. I’m looking for a way to restrict a Chef workstation to manage a limited set of cookbooks. This way we can have our build/deployment systems manage product/application specific cookbooks while not running the risk of it managing global cookbooks.

Global Cookbook meaning stock windows, mongo, openssl etc.

Wade Peacock
Production IT | Vision Critical
direct 604.629.9358
mobile 604.363.8137

www.visioncritical.com

New York | London | Vancouver | Paris | Sydney | Chicago | San Francisco | Toronto | Montreal | Calgary


#2

Hi,

On Thu, Jul 12, 2012 at 9:12 AM, Wade Peacock
Wade.Peacock@visioncritical.com wrote:

I’ve done some searching and I’ve come up dry. I’m looking for a way to
restrict a Chef workstation to manage a limited set of cookbooks. This way
we can have our build/deployment systems manage product/application specific
cookbooks while not running the risk of it managing global cookbooks.

Global Cookbook meaning stock windows, mongo, openssl etc.

I am not sure if you can do this with hosted/private chef by using
separate credentials but if you are in opensource chef then a strategy
we have used is to proxy the requests behind apache. Then
rewrite the requests. You look for a header like “X-Ops-UserId” (See
[1]) for the workstation's client and then block certain HTTP actions
(POST, DELETE?) on the REST API for cookbooks [2].

HTH

[1] http://wiki.opscode.com/display/chef/Making+Authenticated+API+Requests
[2] http://wiki.opscode.com/display/chef/Server+API#ServerAPI-%2Fcookbooks%2FCOOKBOOKNAME%2FCOOKBOOKVERSION


Cheers,

Peter Donald
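
A sketch of the proxy approach described in the reply above, added here as an example and not taken from either poster's configuration. The backend address, hostname, certificate paths, the client name `build-deploy` and the cookbook names `myapp` and `myapp-db` are all assumptions.

```apache
# Added example: Apache vhost in front of an open source Chef server.
# Assumed values (not from the thread): backend on 127.0.0.1:4000,
# API client "build-deploy", application cookbooks "myapp" and "myapp-db".
<VirtualHost *:443>
    ServerName chef.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/chef.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/chef.example.com.key

    RewriteEngine On

    # 1. Only requests sent under the build/deployment client's name.
    RewriteCond %{HTTP:X-Ops-UserId} ^build-deploy$
    # 2. Only write operations. PUT is listed alongside POST and DELETE
    #    because cookbook versions are created and updated with
    #    PUT /cookbooks/NAME/VERSION.
    RewriteCond %{REQUEST_METHOD} ^(POST|PUT|DELETE)$
    # 3. Only the cookbook endpoints of the REST API.
    RewriteCond %{REQUEST_URI} ^/cookbooks(/|$)
    # 4. Except the application cookbooks this client is allowed to manage.
    RewriteCond %{REQUEST_URI} !^/cookbooks/(myapp|myapp-db)/
    # All four conditions matched: refuse with 403 before proxying.
    RewriteRule ^ - [F,L]

    # Everything else (reads, nodes, roles, allowed cookbooks) passes
    # through with the path unchanged, since the path is part of what
    # the client signs.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:4000/
    ProxyPassReverse / http://127.0.0.1:4000/
</VirtualHost>
```

The proxy only reads `X-Ops-UserId`; it is the Chef server that checks the request signature for that client name, so the backend port should be reachable only through this vhost. Other clients are unaffected by the rule, which keeps global cookbooks manageable from admin workstations.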