Total newb question re: disabling knife node edit


#1

Hi! folks, long time puppet guy, first week with chef!

Is there a way to disable “knife node edit” on the server-side, to only
allow for the editing of a node from a file? I want to be able to track
changes to nodes with git . . .

Thanks so much,
Guy Matz


#2

The ability to edit a node depends on your API client identity. There are admin clients and non-admin clients. Admin clients may edit nodes, non-admins may run 'knife node edit' to see the node, but may not save changes to the node.

We track changes to node files in svn, and manage node uploads via our CI server (Jenkins). Everybody has the guest pem (non-admin) so they can see everything with knife, but to upload a node file, one must run a Jenkins job. The admin pem is installed on the Jenkins server and enjoys limited access. The CI server also tracks who ran what when, so we have audit trails on both node file changes in the source code as well as on what was actually uploaded to the Chef server.

Cheers,

-Chas

There are 2 kinds of clients; admin and normal.

On Jul 30, 2013, at 6:50 AM, Guy Matz guymatz@gmail.com
wrote:

Hi! folks, long time puppet guy, first week with chef!

Is there a way to disable “knife node edit” on the server-side, to only allow for the editing of a node from a file? I want to be able to track changes to nodes with git . . .

Thanks so much,
Guy Matz
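
The CI-gated upload described in #2 (node files in version control, uploads only from the job that holds the admin pem), as an added Ruby example that is not part of the thread or anyone's actual Jenkins job. The `nodes/<name>.json` layout, the `knife.rb` path and the validation rules are assumptions made for this example.

```ruby
require "json"

# Assumed repo layout: nodes/<node-name>.json, one file per node.
NODE_PATH = %r{\Anodes/([A-Za-z0-9_.:-]+)\.json\z}

# Return a list of problems with one node file; empty means safe to upload.
# The rules (name matches file, run_list is an array) are this example's policy.
def node_file_errors(path, root: ".")
  name = NODE_PATH.match(path)&.[](1)
  return ["#{path}: not under nodes/"] unless name
  data = JSON.parse(File.read(File.join(root, path)))
  return ["#{path}: top level must be a JSON object"] unless data.is_a?(Hash)
  errors = []
  errors << "#{path}: \"name\" does not match file name" unless data["name"] == name
  errors << "#{path}: \"run_list\" must be an array" unless data["run_list"].is_a?(Array)
  errors
rescue JSON::ParserError
  ["#{path}: invalid JSON"]
end

# Turn the changed-path list of a commit into knife argv arrays plus errors.
# knife_config is an assumed path to the knife.rb that names the admin pem.
def upload_plan(changed_paths, root: ".", knife_config: "/var/lib/jenkins/.chef/knife.rb")
  plan = { commands: [], errors: [] }
  changed_paths.grep(NODE_PATH).sort.each do |path|
    file = File.join(root, path)
    next unless File.exist?(file) # deleted in the commit; removal is not handled here
    errs = node_file_errors(path, root: root)
    plan[:errors].concat(errs)
    next unless errs.empty?
    # argv form: the file name never passes through a shell
    plan[:commands] << ["knife", "node", "from", "file", file, "--config", knife_config]
  end
  plan
end

# Upload nothing unless every changed node file passed validation.
def run_upload(plan, dry_run: true)
  return false unless plan[:errors].empty?
  plan[:commands].all? do |argv|
    next system(*argv) unless dry_run
    puts argv.join(" ")
    true
  end
end
```

The job would pass the changed-path list from its version control checkout to `upload_plan` and fail the build when `run_upload` returns false, so the CI log records both the rejected files and the exact knife commands that ran.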


#3

Finer-grained access control is available in either Hosted or Private Chef
if these options don’t suit your needs.

Or you can throw in with the person who just posted that they’re totally
going to add a bunch of awesome features to OSS Chef.
(Hope they open-source that – some of it sounded cool.)

On Tue, Jul 30, 2013 at 8:59 AM, Chas Schley Chas_Schley@gap.com wrote:
