[chef] Re: Re: Re: Re: System configuration tool comparison


  • From: Chris Walters < >
  • To:
  • Subject: [chef] Re: Re: Re: Re: System configuration tool comparison
  • Date: Mon, 16 Aug 2010 11:52:36 -0700

And to be very clear, access to each of those kinds of objects (and others not listed but probably not important for your purposes) is separated into CREATE, READ, UPDATE, DELETE, and GRANT (required to view or change the object's ACLs) Access Control Entries (ACEs) so that a person may have the ability to read one cookbook but not modify it, while having complete access to another and no access to yet a third. Each ACE can have groups or actors, and groups can contain both actors and other groups.

The one-sentence description: it's fine-grained RBAC via discretionary ACLs with (possibly nested) groups.

Hope that helps,
Chris

On Mon, Aug 16, 2010 at 9:35 AM, Joshua Timberman < > wrote:
Hello,

Just to be clear, the ACLs are currently only available in the commercial Opscode Platform offering, not in the open source Chef Server. The client libraries are open source and unaffected, other than potentially being restricted by ACL.

The access control can be applied to any object managed by Chef.

- Nodes
- Clients
- Roles
- Cookbooks[0]
- Data Bags

The permissions can be managed by groups or per-user.

Further documentation for managing permissions in the Opscode Platform Management Console can be found on our help site:

http://help.opscode.com/faqs/manage/managing-permissions

Thanks!

[0]: Permissions can be assigned to specific cookbooks; i.e. user jtimberman can access the 'apache2' cookbook but not the 'mysql' cookbook.

On Aug 16, 2010, at 2:30 AM, Bart Vanbrabant wrote:

> I have a question about the access control. To what can access control
> be applied? Is this fine grained per parameter or very coarse per
> device?
>
> I'll update the chef page based on your feedback.

--
Opscode, Inc
Joshua Timberman, Technical Evangelist
C: 720.334.RUBY E: < >
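To make the model Chris and Joshua describe concrete (one ACL per object, a separate ACE for each of CREATE, READ, UPDATE, DELETE and GRANT, ACEs holding actors or groups, groups nesting other groups, and GRANT being required before an ACL can be changed), here is a small Ruby sketch. It is an added illustration written for this archive page, not Chef or Opscode Platform code; the class names, the `admins`/`ops`/`readers` groups and the actor `bart` are invented, and `jtimberman`, `apache2` and `mysql` are taken from Joshua's footnote.

```ruby
require 'set'

# The five kinds of Access Control Entry described in the thread.
PERMISSIONS = %i[create read update delete grant].freeze

# A group holds actors (user or client names) and other groups (nesting).
class Group
  attr_reader :name, :actors, :groups

  def initialize(name)
    @name = name
    @actors = Set.new
    @groups = Set.new
  end

  def add_actor(actor)
    @actors << actor
    self
  end

  def add_group(group)
    @groups << group
    self
  end

  # Every actor reachable through nested groups. `seen` guards against
  # a group that (directly or indirectly) contains itself.
  def members(seen = Set.new)
    return Set.new if seen.include?(name)
    seen << name
    groups.inject(actors.dup) { |acc, g| acc | g.members(seen) }
  end
end

# One ACL per object; each permission has its own ACE of actors and groups.
class Acl
  def initialize
    @aces = PERMISSIONS.each_with_object({}) do |perm, h|
      h[perm] = { actors: Set.new, groups: Set.new }
    end
  end

  # Unchecked mutation, used only to bootstrap an object's initial ACL.
  def set(perm, actors: [], groups: [])
    @aces.fetch(perm)[:actors].merge(actors)
    @aces.fetch(perm)[:groups].merge(groups)
    self
  end

  # Permission check: a direct actor entry, or membership (possibly via
  # nested groups) in any group listed on that permission's ACE.
  def allows?(perm, actor)
    ace = @aces.fetch(perm)
    return true if ace[:actors].include?(actor)
    ace[:groups].any? { |g| g.members.include?(actor) }
  end

  # Changing an ACL requires GRANT on the same object, as the thread states.
  def update_by(requester, perm, actors: [], groups: [])
    raise "#{requester} lacks grant" unless allows?(:grant, requester)
    set(perm, actors: actors, groups: groups)
  end
end

# Constructed scenario: an admins group nested inside a wider readers group,
# and the jtimberman / apache2 / mysql example from Joshua's footnote.
def build_scenario
  admins  = Group.new('admins').add_actor('chris')
  ops     = Group.new('ops').add_actor('jtimberman')
  readers = Group.new('readers').add_group(admins).add_group(ops)

  apache2 = Acl.new.set(:read, groups: [readers])
  %i[create update delete grant].each { |p| apache2.set(p, groups: [admins]) }
  mysql = Acl.new
  PERMISSIONS.each { |p| mysql.set(p, groups: [admins]) }

  { apache2: apache2, mysql: mysql }
end

def check_scenario
  s = build_scenario
  denied = begin
    s[:mysql].update_by('jtimberman', :read, actors: ['bart'])
    false
  rescue RuntimeError
    true
  end
  s[:mysql].update_by('chris', :read, actors: ['bart']) # chris holds GRANT
  {
    jt_reads_apache2:    s[:apache2].allows?(:read, 'jtimberman'),
    jt_updates_apache2:  s[:apache2].allows?(:update, 'jtimberman'),
    jt_reads_mysql:      s[:mysql].allows?(:read, 'jtimberman'),
    chris_reads_apache2: s[:apache2].allows?(:read, 'chris'), # via nesting
    chris_deletes_mysql: s[:mysql].allows?(:delete, 'chris'),
    jt_grant_denied:     denied,
    bart_reads_mysql:    s[:mysql].allows?(:read, 'bart')
  }
end

# Two groups that contain each other must not make membership loop forever.
def cycle_safe
  a = Group.new('a').add_actor('x')
  b = Group.new('b').add_group(a)
  a.add_group(b)
  a.members.to_a.sort
end

puts check_scenario.inspect if $PROGRAM_NAME == __FILE__
```

The point worth noticing is the GRANT ACE: read/update rights on a cookbook say nothing about who may change its ACL, so an audit of "who can widen access" has to look at GRANT entries specifically, including every group reachable through nesting.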