[chef-dev] Re: Re: Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes

[Bryan McLellan < >]

On Mon, Mar 26, 2012 at 8:10 PM, Chris Roberts
<
 >
 wrote:
> On Mon, Mar 26, 2012 at 3:58 PM, Bryan McLellan 
> <
 >
>  wrote:
>> I don't like that in this patch we deal with allowed recipes and
>> restricted recipes in different parts of the code. That's not
>> necessarily the patches fault, but I think requires that if we went
>> down this road we did some refactoring.
>
> The restricted/allowed recipes are dealt with in the same area of the code
> (run_context and language_include_recipe). It's the run list override that
> is dealt with in a separate area of the code (due to it's nature).

chef/lib/chef/run_context.rb skips a recipe if allowed_recipes is set
and the recipe is not in it. It does nothing for restricted recipes.
When it removed a recipe that is omitted from the allowed list it
calls it a "Restricted recipe" which is confusing.

chef/lib/chef/mixin/language_include_recipe.rb skips a recipe if it is
in the list of restricted recipes, it does nothing for allowed
recipes.

Perhaps the goal here was that the run_context code would handle both
restricted and allowed recipes in the run_list and
language_include_recipe would handle them when included from a recipe,
but this goal was lost? I don't know.

I've posted a few examples of broken behavior to the bug:
http://tickets.opscode.com/browse/CHEF-2988?focusedCommentId=22841#comment-22841

>> A more easily correctable issue is that the logs regarding allowed and
>> restricted recipes both call them restricted recipes, making the
>> interaction between these features unclear.
>
> When the allowed recipes option is used, the logs will output a notice with
> the list of allowed recipes. From that point, any recipe provided in the run
> list that is not within the allowed recipes is implicitly a restricted
> recipe at the run list level, which is then reported on attempted loads.
> Changing the output to specify that a recipe is restricted due to the fact
> that it is not within the allowed recipes list would be trivial to add and
> may provide more useful context.

That's all I was getting at. When something doesn't work right,
someone is likely going to look at the output and see that a recipe
was reported as "restricted" and wonder why since it is not in their
list of restricted recipes. I think it would be confusing to call
recipes removed for not being "allowed" restricted recipes in this
case.

> When a recipe is specified within the restricted-recipes option it is simply
> not allowed to run, either explicitly on the run list or implicitly via
> dependency. If recipe[check_sl] is dependent on recipe[install_sl] and
> install_sl is a restricted recipe, neither recipe will be loaded.

Perhaps by design, but that doesn't appear to be the case:
https://gist.github.com/8f5dd6ac88af9905a0e8

Bryan