- From: Peter Donald
- To:
- Subject: [chef] Re: Restricting a Chef Workstation to specific cookbook management
- Date: Thu, 12 Jul 2012 09:51:41 +1000
Hi,
On Thu, Jul 12, 2012 at 9:12 AM, Wade Peacock wrote:
> I've done some searching and I've come up dry. I'm looking for a way to
> restrict a Chef workstation to manage a limited set of cookbooks. This way
> we can have our build/deployment systems manage product/application specific
> cookbooks while not running the risk of it managing global cookbooks.
>
> Global Cookbook meaning stock windows, mongo, openssl etc.
I am not sure if you can do this with hosted/private Chef by using
separate credentials, but if you are on open source Chef then a strategy
we have used is to proxy the requests behind Apache. Then
rewrite the requests. You look for a header like "X-Ops-UserId" (see
[1]) for the workstation's client and then block certain HTTP actions
(POST, DELETE?) on the REST API for cookbooks [2].
HTH
[1] http://wiki.opscode.com/display/chef/Making+Authenticated+API+Requests
[2] http://wiki.opscode.com/display/chef/Server+API#ServerAPI-%2Fcookbooks%2FCOOKBOOKNAME%2FCOOKBOOKVERSION
--
Cheers,
Peter Donald
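
A sketch of the proxy rule described in the reply above, added here as an example; it is not configuration from the original post or from the Chef project. It generalizes the "block POST, DELETE" idea to a default-deny form: the restricted client may read any cookbook but may write only to the ones it owns. The client name `build-workstation`, the cookbook names `myapp` and `myapp-db`, the host name, the certificate paths and the backend address `127.0.0.1:4000` are all assumptions.

```apache
# Added example. Assumed: Chef server API listens only on 127.0.0.1:4000,
# so every client request has to pass through this virtual host.
<VirtualHost *:443>
    ServerName chef.example.com
    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/chef.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/chef.example.com.key

    RewriteEngine On

    # 1. Request is made by the restricted workstation's API client
    #    (hypothetical client name).
    RewriteCond %{HTTP:X-Ops-UserId} ^build-workstation$
    # 2. Request is anything other than a read.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
    # 3. Target is not one of the cookbooks this client owns
    #    (hypothetical cookbook names).
    RewriteCond %{REQUEST_URI} !^/cookbooks/(myapp|myapp-db)(/|$)
    # All three hold: refuse with 403 before the request reaches Chef.
    RewriteRule ^/cookbooks(/|$) - [F,L]

    # Everything else is passed through to the Chef server unchanged.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:4000/
    ProxyPassReverse / http://127.0.0.1:4000/
</VirtualHost>
```

The rule only holds if the Chef server port is unreachable except through the proxy; a client that can connect to the backend directly bypasses it. Logging the 403 responses for the restricted client gives a record of attempted writes to global cookbooks.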