- From: Miguel Cabeça <cabeca@ist.utl.pt>
- To: chef@lists.opscode.com
- Subject: Re: some questions
- Date: Wed, 22 Apr 2009 13:57:09 +0100
Hi,
On 2009/04/17, at 21:01, Adam Jacob wrote:
> We've got some thoughts on how this might be accomplished, which I
> just posted to the wiki at:
> http://wiki.opscode.com/display/chef/Roles+and+Infrastructures
> The gist is adding three new concepts:
> 1) Tags
> 2) Roles
> 3) Infrastructures
> B) It would allow for automatic assignment of recipes based on
> policies.
I think there are four new concepts in this description, the fourth
being the policy that was mentioned in B). As I told Adam on #chef,
there are four new concepts to add to the existing Nodes, Cookbooks,
Recipes, Definitions, Attributes, Libraries, Files, Templates,
Resources, Providers and Search Indexes. It will make the chef learning
curve even steeper.
I think this is a bit of over-engineering, at least to solve the
original all-cookbooks-to-all-clients security problem I've mentioned.
And it may not solve the problem completely. If the chef server unit
of access control is the cookbook, it will be impossible to have
sensitive data in one cookbook that has recipes for multiple types of
servers. For example I have a postfix cookbook with
postfix::sattelite, postfix::relay and postfix::store recipes; the
postfix::relay serves remote files with sensitive data that the
postfix::sattelite should not have access to.
I have some (maybe uninformed) opinions on the new concepts introduced:
1) Tags: I don't see the difference between this and an attribute of the
node named 'tags' that could be set automatically or manually in a
recipe.
2) Roles: I've implemented this already as a toplevel cookbook with
several recipes in it. Each node has one or more of these recipes, like
for example role::mailstore, role::ldapmaster or role::kerberoskdc.
It's not dynamic, but is there a need for this to be dynamic?
3) I didn't understand the use for this concept. Doesn't this overlap
with roles? A 'testing' infrastructure should have nodes with
'testingX' roles.
4) I didn't understand this policy concept either.
I'm afraid that the complexities involved in implementing all these
features will postpone the resolution of the
all-cookbooks-to-all-clients problem.
I was thinking of an approach based on scanning all recipes on chef
server for include_recipes, remote_file and remote_directory
resources. That would build an ACL that would allow only authorized
nodes to access the resources.
Best Regards
Miguel Cabeça
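The scanning approach Miguel sketches above, written out as an added illustration that is neither his code nor anything from the Chef project: a few constructed recipe sources (a role cookbook and a postfix cookbook with satellite, relay and store recipes, spelled conventionally here) are scanned with regular expressions for literal `include_recipe`, `remote_file` and `remote_directory` declarations, the result is turned into an allowlist of cookbook file to declaring recipes, and a node is authorized for a file only if a recipe reachable from its run list declares it. The recipe names, file paths and the `cookbook/files/<source>` key format are assumptions made for the example.

```ruby
require 'set'

# Constructed sample recipe sources (not from any real cookbook), keyed by
# "cookbook::recipe". Only postfix::relay serves the sensitive sasl_passwd file.
SAMPLE_RECIPES = {
  'role::mailstore' => <<~RB,
    include_recipe "postfix::store"
    include_recipe "dovecot"
  RB
  'role::mailrelay' => <<~RB,
    include_recipe "postfix::relay"
  RB
  'postfix::satellite' => <<~RB,
    include_recipe "postfix::default"
    remote_file "/etc/postfix/main.cf" do
      source "main.cf.satellite"
    end
  RB
  'postfix::relay' => <<~RB,
    include_recipe "postfix::default"
    remote_file "/etc/postfix/sasl_passwd" do
      source "sasl_passwd"
      mode "0600"
    end
  RB
  'postfix::store' => <<~RB,
    include_recipe "postfix::default"
    remote_directory "/etc/postfix/maps" do
      source "maps"
    end
  RB
  'postfix::default' => "package \"postfix\"\n",
  'dovecot::default' => "package \"dovecot\"\n",
}

INCLUDE_RE = /^\s*include_recipe\s+["']([^"']+)["']/
REMOTE_RE  = /^\s*(remote_file|remote_directory)\s+["']([^"']+)["']/
SOURCE_RE  = /^\s*source\s+["']([^"']+)["']/

# Scan one recipe's source for the recipes it includes and the cookbook
# files it serves via remote_file/remote_directory. Only literal string
# names are recognised; anything built at run time is invisible here.
def scan_recipe(cookbook, src)
  includes = []
  files = []
  in_remote = false
  src.each_line do |line|
    if (m = line.match(INCLUDE_RE))
      name = m[1]
      name = "#{name}::default" unless name.include?('::')
      includes << name
    elsif line.match(REMOTE_RE)
      in_remote = true                      # entering a remote_* block
    elsif in_remote && (m = line.match(SOURCE_RE))
      files << "#{cookbook}/files/#{m[1]}"  # cookbook file the node would fetch
      in_remote = false
    elsif line =~ /^\s*end\b/
      in_remote = false
    end
  end
  [includes, files]
end

# Scan every recipe and build the ACL: cookbook file -> recipes that declare it.
def build_acl(sources)
  scanned = sources.each_with_object({}) do |(name, src), h|
    h[name] = scan_recipe(name.split('::').first, src)
  end
  acl = Hash.new { |h, k| h[k] = Set.new }
  scanned.each { |name, (_includes, files)| files.each { |f| acl[f] << name } }
  [scanned, acl]
end

# Transitive closure of a run list over include_recipe edges.
def expand(scanned, roots, seen = Set.new)
  roots.each do |r|
    next if seen.include?(r)
    seen << r
    includes, _files = scanned.fetch(r, [[], []])  # unknown recipe includes nothing
    expand(scanned, includes, seen)
  end
  seen
end

# Deny by default: a node may fetch a cookbook file only if some recipe
# reachable from its run list declares that file.
def authorized?(scanned, acl, run_list, file)
  return false unless acl.key?(file)
  reachable = expand(scanned, run_list)
  acl[file].any? { |recipe| reachable.include?(recipe) }
end

if __FILE__ == $PROGRAM_NAME
  scanned, acl = build_acl(SAMPLE_RECIPES)
  acl.each { |file, recipes| puts "#{file} <- #{recipes.to_a.join(', ')}" }
  [['role::mailstore'], ['role::mailrelay']].each do |run_list|
    ok = authorized?(scanned, acl, run_list, 'postfix/files/sasl_passwd')
    puts "#{run_list.join(',')} -> sasl_passwd: #{ok ? 'allow' : 'deny'}"
  end
end
```

With these inputs a mailstore node is denied `sasl_passwd` while a mailrelay node is allowed it, and a file no recipe declares is denied to everyone. The caveat that matters for a real deployment is in the scanner's comment: a textual scan sees only literal names, so a recipe that computes an `include_recipe` target or a `remote_file` source at run time would not appear in the allowlist, and the deny-by-default behaviour means such cases need an explicit entry rather than silently widening access.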