[chef-dev] Re: Re: Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes

  • From: Chris Roberts < >
  • To: Bryan McLellan < >
  • Cc: AJ Christensen < >,
  • Subject: [chef-dev] Re: Re: Re: CHEF-2988 allowed_recipes, restricted_recipes, and override_recipes
  • Date: Tue, 27 Mar 2012 09:42:25 -0700

On Tuesday, March 27, 2012 12:17:32 PM you wrote:
> chef/lib/chef/run_context.rb skips a recipe if allowed_recipes is set
> and the recipe is not in it. It does nothing for restricted recipes.
> When it removed a recipe that is omitted from the allowed list it
> calls it a "Restricted recipe" which is confusing.
> chef/lib/chef/mixin/language_include_recipe.rb skips a recipe if it is
> in the list of restricted recipes, it does nothing for allowed
> recipes.
> Perhaps the goal here was that the run_context code would handle both
> restricted and allowed recipes in the run_list and
> language_include_recipe would handle them when included from a recipe,
> but this goal was lost? I don't know.

The allowed recipes are the list of allowed recipes within the base run list. It does not apply dependency restrictions, so if you only want to run the check_sl recipe and it depends on the install_sl recipe, it will remove any recipes defined on the run list except check_sl and then allow it to properly load any dependencies it requires (in this case, install_sl).

> I've posted a few examples of broken behavior to the bug:
> http://tickets.opscode.com/browse/CHEF-2988?focusedCommentId=22841#comment-22841
> That's all I was getting at. When something doesn't work right,
> someone is likely going to look at the output and see that a recipe
> was reported as "restricted" and wonder why since it is not in their
> list of restricted recipes. I think it would be confusing to call
> recipes removed for not being "allowed" restricted recipes in this
> case.

I understand what you mean with regards to the logging. I can update the log output to make a distinction between restricted/allowed recipe removal to provide more clarity to the user.

> > When a recipe is specified within the restricted-recipes option it is
> > simply not allowed to run, either explicitly on the run list or
> > implicitly via dependency. If recipe[check_sl] is dependent on
> > recipe[install_sl] and install_sl is a restricted recipe, neither
> > recipe will be loaded.
> Perhaps by design, but that doesn't appear to be the case:
> https://gist.github.com/8f5dd6ac88af9905a0e8

These runs are not working correctly because of the format of the arguments given. The allowed/restricted recipes options deal explicitly with recipes only. It currently accepts recipe names, meaning the call would be:

$ sudo chef-client -a check_sl


$ sudo chef-client -a check_sl::default

If the expected argument format should be recipe[check_sl], that is an easy change to make. It may make it easier to think that something else, like a role, may be provided to these options as well, but it can easily spit an error message out on non-recipe items.

- Chris
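
The filtering semantics described in this message, as an added Ruby model that is not part of the original post and is not Chef's own code. `DEPS`, `normalize`, `blocked?` and `resolve` are hypothetical names, the dependency map is constructed sample data, and accepting the `recipe[check_sl]` form goes beyond what the message says the options currently accept.

```ruby
# Added illustration (not Chef source): models the allowed/restricted
# behaviour described in the message. All names are hypothetical.
DEPS = {                       # constructed sample dependency map
  "check_sl"   => ["install_sl"],
  "install_sl" => [],
  "ntp"        => []
}.freeze

# Accept "check_sl", "check_sl::default" or "recipe[check_sl]" (the last is
# the proposed format); raise on non-recipe items such as "role[web]".
def normalize(item)
  name = item[/\Arecipe\[(.+)\]\z/, 1] || item
  raise ArgumentError, "not a recipe: #{item}" if name =~ /[\[\]]/
  name.sub(/::default\z/, "")
end

# True if the recipe, or anything it depends on, is restricted.
def blocked?(recipe, restricted, seen = [])
  return true if restricted.include?(recipe)
  return false if seen.include?(recipe)
  DEPS.fetch(recipe, []).any? { |d| blocked?(d, restricted, seen + [recipe]) }
end

# Returns [recipes loaded in order, log lines explaining each removal].
def resolve(run_list, allowed: [], restricted: [])
  allowed = allowed.map { |a| normalize(a) }
  restricted = restricted.map { |r| normalize(r) }
  loaded = []
  log = []
  pull = lambda do |recipe|    # load dependencies first, then the recipe
    return if loaded.include?(recipe)
    DEPS.fetch(recipe, []).each { |d| pull.call(d) }
    loaded << recipe
  end
  run_list.map { |r| normalize(r) }.each do |recipe|
    if !allowed.empty? && !allowed.include?(recipe)
      # allowed filters the base run list only, never dependencies
      log << "#{recipe}: removed, not in allowed list"
    elsif blocked?(recipe, restricted)
      log << "#{recipe}: removed, restricted (directly or via dependency)"
    else
      pull.call(recipe)
    end
  end
  [loaded, log]
end
```

The two log messages are kept distinct so that a recipe dropped for not being in the allowed list is never reported as restricted.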
