Re: Admin permissions on chef-server:4000


  • From: AJ Christensen <aj@junglist.gen.nz>
  • To: chef@lists.opscode.com
  • Subject: Re: Admin permissions on chef-server:4000
  • Date: Mon, 16 Mar 2009 21:34:58 +1300

Hiya!

You could for a start reverse proxy into the chef-server and restrict particular URLs with HTTP basic or otherwise authentication.

opscode/master currently has the functionality to restrict permissions to specific openIDs and specific openID relaying parties @ http://github.com/opscode/chef/blob/34bc1e8280c63931b50dbb42ebb27fdbfe1f97c1/chef-server-slice/app/controllers/openid_consumer.rb#L115

You may wish to build 0.6.0 gems and roll that out.

Regards,

AJ

On 16/03/2009, at 9:27 PM, Michal Frackowiak wrote:

Hi,

we have been successfully experimenting with a chef-server + clients setup, but still cannot figure out the permission settings.

The problem is that when you go to http://chef-server.example.com:4000 within the browser and log in using OpenID (using any external identity provider), you _always_ get admin permissions.

We are running chef on an EC2 + external chef-server (+ monitoring etc) hybrid network, without any VPN, and wanted to run chef-server on a public interface.

From what I can see we could restrict access to the chef-server, either by setting up a VPN network, or by limiting access in any other way. But perhaps there is a better way? Is it documented?

Thanks,
Michal

---------------
Michal Frackowiak
http://michalfrackowiak.com







