On Oct 15, 2013, at 2:06 PM, Nick Silkey nick@silkey.org wrote:
Im curious what others have done to tackle the provision/deprovision of users within a given Chef Server.
My use case is having to own multiple company product's disparate open-source chef servers. Im envisioning a workflow where a top-level chef-server manages the foo product's chef server(s), satisfying dev+ops+qe for the foo product are provisioned/deprovisioned. The same goes for the bar product's chef server(s) + team, the baz product's chef server(s) + team, etc. This would allow for onboarding already spun-up chef servers and continuing to provide airspace segregation between products.
Just checking -- this is a large-scale multi-tenant environment, right? Not just people from different teams in the same company, but actual different paying customers, some of whom might be competitors for some of your other customers. And we're potentially talking about many thousands of such customers, right?
Maybe not Facebook or Netflix or Amazon scale, but still what would be considered "large scale".
- Is anyone doing anything like this currently?
- How is it working out? Wonderfully? Terribly?
- Can alternatives like Private Chef solve this function?
What I have heard is that Private Chef 11.x was developed in part based on Hosted Chef and the sorts of things that Opscode had to do to handle their own multi-tenant environment. My understanding is that Hosted Chef is now running on pretty much the same codebase as everyone else who is using Enterprise Chef 11.x, and is the largest known installation of EC. Well, the largest known installation that anyone can talk about, so far as we know.
So, if using the same chef server with RBAC that Opscode is using internally for Hosted Chef would be a suitable solution for you, I think that's a pretty easy answer. Of course, actually administering a large scale multi-tenant Hosted Chef type of environment is not exactly a walk in the park, but I suspect that you'll find some people on this list who can give you some advice towards that end.
Now, if a Hosted Chef type of solution is not adequate for you, and you would actually need separate chef servers for each environment in order to provide that "air gap" level of security, then I'm not sure how you would scale that -- we know what Opscode did (mostly), but I haven't heard of any other solutions in that space on that scale.
--
Brad Knowles brad@shub-internet.org
LinkedIn Profile: http://tinyurl.com/y8kpxu