- From: Bryan McLellan <
- To: Chris Roberts <
- Cc: AJ Christensen <
- Subject: [chef-dev] Re: Re: Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes
- Date: Tue, 27 Mar 2012 12:17:32 -0400
On Mon, Mar 26, 2012 at 8:10 PM, Chris Roberts
> On Mon, Mar 26, 2012 at 3:58 PM, Bryan McLellan
>> I don't like that in this patch we deal with allowed recipes and
>> restricted recipes in different parts of the code. That's not
>> necessarily the patches fault, but I think requires that if we went
>> down this road we did some refactoring.
> The restricted/allowed recipes are dealt with in the same area of the code
> (run_context and language_include_recipe). It's the run list override that
> is dealt with in a separate area of the code (due to it's nature).
chef/lib/chef/run_context.rb skips a recipe if allowed_recipes is set
and the recipe is not in it. It does nothing for restricted recipes.
When it removed a recipe that is omitted from the allowed list it
calls it a "Restricted recipe" which is confusing.
chef/lib/chef/mixin/language_include_recipe.rb skips a recipe if it is
in the list of restricted recipes, it does nothing for allowed
Perhaps the goal here was that the run_context code would handle both
restricted and allowed recipes in the run_list and
language_include_recipe would handle them when included from a recipe,
but this goal was lost? I don't know.
I've posted a few examples of broken behavior to the bug:
>> A more easily correctable issue is that the logs regarding allowed and
>> restricted recipes both call them restricted recipes, making the
>> interaction between these features unclear.
> When the allowed recipes option is used, the logs will output a notice with
> the list of allowed recipes. From that point, any recipe provided in the run
> list that is not within the allowed recipes is implicitly a restricted
> recipe at the run list level, which is then reported on attempted loads.
> Changing the output to specify that a recipe is restricted due to the fact
> that it is not within the allowed recipes list would be trivial to add and
> may provide more useful context.
That's all I was getting at. When something doesn't work right,
someone is likely going to look at the output and see that a recipe
was reported as "restricted" and wonder why since it is not in their
list of restricted recipes. I think it would be confusing to call
recipes removed for not being "allowed" restricted recipes in this
> When a recipe is specified within the restricted-recipes option it is simply
> not allowed to run, either explicitly on the run list or implicitly via
> dependency. If recipe[check_sl] is dependent on recipe[install_sl] and
> install_sl is a restricted recipe, neither recipe will be loaded.
Perhaps by design, but that doesn't appear to be the case:
[chef-dev] Re: Re: Re: Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes, Ringo De Smet, 03/27/2012
[chef-dev] Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes, AJ Christensen, 03/26/2012
[chef-dev] Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes, Bryan McLellan, 03/28/2012
[chef-dev] Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes, Akzhan Abdulin, 03/28/2012
Archive powered by MHonArc 2.6.16.