- From: James Light
- Subject: [chef] Re: Nested Databags
- Date: Wed, 12 Sep 2012 10:57:36 -0400
It sounds to me like you want one data bag of access groups per node.
So each item in the data bag would have the node name and its
associated access groups.
Really, you could do several things, but the first things that come to mind
are:
1)
    data_bag: "node_access_groups"
    data_bag_item: {
      "id": <node_name>,
      "authorized_users": [ <username1>, <username2>, ..., <usernameN> ],
      "ip_list": [ <IP 1>, <IP 2>, ... <IP N> ]
    }
That data bag item would then be able to be used in a recipe so a host
could search the databag for its own node name in the "id" field and
then access the list of authorized_users and the list of IP addresses
that are being used for it.
That's if you are doing them as data bags, however, another point is
that you already have the data you want in an LDAP database, so why
replicate that data to a data bag in the first place and then have to
deal with keeping your data bag in sync with your LDAP server?
Wouldn't it be better to query LDAP and return that information in a
way that can be directly used as attributes in your recipes?
-JL
On Wed, Sep 12, 2012 at 10:21 AM, jfotop wrote:
> Hi!!
>
> I'm new to chef and liking it so far. I have a simple question (could be even
> called stupid): Could I create a nested databag to create a structure like the
> following? :
>
> access_groups = { Developers => { Tim => 10.0.0.1, Brandon=> 10.0.0.2 },
>                   Admins => { Jacob => 10.1.0.1, Curtis => 10.1.0.2, Mary => 10.1.0.3},
>                   Sales => { Rebecca => 10.3.0.1, George => 10.3.2.1}
>                 }
>
> in one databag?
>
> Use case:
> When a node is created, it would set an attribute which is an ldap_group (or
> maybe 2 or 3 ldap groups). The ldap_group names correspond to the group names
> above. So when I want to configure iptables, I will have to loop over all
> specified groups and get every IP from the users in the group(s). I also want
> the usernames, because each user in that group will be added to a local group,
> in order to grant him sudo access to different stuff.
>
> Any other ideas on how to accomplish this would be appreciated.
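Added example (not part of the original thread, and not code from Chef or from either poster): plain Ruby that flattens the nested group structure from the question into the per-node item shape suggested in the reply, validating every username and IP before it could reach an iptables rule or a sudo group. The node name "web01", the username pattern and the function name build_node_item are assumptions made for illustration.

```ruby
require 'ipaddr'
require 'json'

# Constructed sample data: the nested structure from the question as a Ruby hash.
ACCESS_GROUPS = {
  'Developers' => { 'Tim' => '10.0.0.1', 'Brandon' => '10.0.0.2' },
  'Admins'     => { 'Jacob' => '10.1.0.1', 'Curtis' => '10.1.0.2', 'Mary' => '10.1.0.3' },
  'Sales'      => { 'Rebecca' => '10.3.0.1', 'George' => '10.3.2.1' }
}.freeze

# Conservative pattern for local account names (an assumption, adjust to site policy).
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/i

# Build the item shape from the reply ("id", "authorized_users", "ip_list")
# for one node, given the ldap group names set on that node.
# Fails closed: an unknown group, an odd username or anything that is not a
# single IPv4 host address raises instead of yielding a firewall or sudo entry.
def build_node_item(node_name, ldap_groups, access_groups = ACCESS_GROUPS)
  users = []
  ips = []
  ldap_groups.each do |group|
    members = access_groups.fetch(group) { raise ArgumentError, "unknown group: #{group}" }
    members.each do |user, ip|
      raise ArgumentError, "bad username: #{user.inspect}" unless user.match?(USERNAME_RE)
      addr = IPAddr.new(ip) # raises IPAddr::InvalidAddressError on unparsable input
      raise ArgumentError, "not a single IPv4 host: #{ip}" unless addr.ipv4? && addr.prefix == 32
      users << user
      ips << addr.to_s
    end
  end
  # A user in several groups (or a shared IP) appears once in the result.
  { 'id' => node_name, 'authorized_users' => users.uniq.sort, 'ip_list' => ips.uniq.sort }
end

# In a recipe the stored item would be read back with
# data_bag_item('node_access_groups', node.name) and looped over the same way.
if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(build_node_item('web01', %w[Developers Sales]))
end
```

The same validation applies if the membership comes straight from LDAP as the reply suggests, since directory values end up in firewall rules and sudo group membership either way.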