Restriction on REST API access


#1

Hello,

In Puppet, there is an auth.conf file which permits defining some authorization rules,
thanks to regexes on the path of the REST API.

For example, by default in Puppet, there is:

allow nodes to retrieve their own catalog (ie their configuration)

path ~ ^/catalog/([^/]+)$
method find
allow $1

which permits setting up the authorization dynamically on the request.
For example, the request
/catalog/clienthostname
will only work if it is the client ‘clienthostname’ which requests it; otherwise
it will fail with an authorization error.

Is there a similar feature in open-source Chef on the Chef REST API, please?

Thanks in advance for your answers.

Best regards,
Christophe


#2

Not out of the box, but we put Apache in front of the Chef server (so both the API
and the web interface are on port 80) and we add a bunch of rules that check
some rules, and I suspect that would be easy enough with some appropriate
Apache fu.

On Thursday, April 26, 2012, wrote:



Cheers,

Peter Donald


#3

There isn’t a direct analog. Chef requires every request to be
authenticated (even the initial request is authenticated by the
validation certificate), and there is no way to turn it off.

In Open Source Chef, there are only two permission settings: either
you are an administrator with full privileges, or a client with
permissions to read/write your own node object and read other
objects.

As Peter Donald replied later, you can certainly add these rules at
the proxy layer.

Adam

On Thu, Apr 26, 2012 at 2:42 AM, cl.subscription@gmail.com wrote:



Opscode, Inc.
Adam Jacob, Chief Customer Officer
T: (206) 619-7151 E: adam@opscode.com
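As an added illustration (not code from the thread, Puppet or Chef), the following is a small Python model of the auth.conf rule quoted in the question, the kind of per-client path check that #2 and #3 suggest placing at the proxy layer in front of Chef. It is a simplified model: "first matching rule decides" and "deny when no rule matches" are assumptions of this example, not a statement of Puppet's exact semantics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: an evaluator for auth.conf-style rules, i.e. a path
# regex, an allowed method, and an "allow" value that may be a literal client
# name, "*" for anyone, or a "$N" backreference to a capture group in the path.

@dataclass
class Rule:
    path_pattern: str   # e.g. r"^/catalog/([^/]+)$"  (path ~ ... in auth.conf)
    method: str         # Puppet-style method name, e.g. "find"
    allow: str          # "$1", "*" or a literal client name

def rule_permits(rule: Rule, path: str, method: str, client: str) -> Optional[bool]:
    """True/False if the rule applies to this path+method and allows/denies it;
    None if the rule does not apply at all."""
    m = re.match(rule.path_pattern, path)
    if m is None or rule.method != method:
        return None
    allowed = rule.allow
    # Expand "$N" with the N-th captured path component, as `allow $1` does:
    # the client may only touch the resource whose name it is authenticated as.
    if allowed.startswith("$") and allowed[1:].isdigit():
        idx = int(allowed[1:])
        if idx > len(m.groups()):
            return False          # misconfigured rule: fail closed
        allowed = m.group(idx)
    return allowed == "*" or allowed == client

def authorize(rules: List[Rule], path: str, method: str, client: str) -> bool:
    """First rule that applies decides; no applicable rule means deny (assumption)."""
    for rule in rules:
        decision = rule_permits(rule, path, method, client)
        if decision is not None:
            return decision
    return False

# The default rule from the question: nodes may retrieve their own catalog.
DEFAULT_RULES = [Rule(r"^/catalog/([^/]+)$", "find", "$1")]

if __name__ == "__main__":
    # Authenticated identity "clienthostname" asking for its own catalog: allowed.
    print(authorize(DEFAULT_RULES, "/catalog/clienthostname", "find", "clienthostname"))
    # Another node asking for that catalog: denied.
    print(authorize(DEFAULT_RULES, "/catalog/clienthostname", "find", "othernode"))
```

The `client` argument stands for the identity established by the server's own authentication (in Chef's case the signed request, in the proxy scenario whatever the proxy has verified); the check is only meaningful when that identity cannot be chosen by the requester.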