chef - [chef] Re: Limiting a client to data bag access with OpenSource Chef-Server

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Limiting a client to data bag access with OpenSource Chef-Server

From: Noah Kantrowitz < >
To:
Subject: [chef] Re: Limiting a client to data bag access with OpenSource Chef-Server
Date: Mon, 22 Apr 2013 00:29:22 -0700

On Apr 21, 2013, at 11:34 PM, Steffen Gebert wrote:

> Hi,
>
> is there a way to limit an API client to access the databags/ REST
> endpoint only? Using OpenSource Chef-Server.. (I'm pretty sure the API
> of closed Chef allows this).
>
> My only idea would be to deny access to databags/ in the nginx proxy for
> the IP running that client (a self-provision web frontend).
>
> Any other ideas (doing it on a per-client basis)?

You can apply limits externally at the HTTP protocol layer but the only
access restrictions available in OSC is if a client is marked as an admin or
not. The Chef 11 server build is already fronted by nginx I think, so you
could probably just alter the internal cookbook that generates the final
nginx configs when you chef-server-ctl reconfigure.

--Noah

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

[chef] Limiting a client to data bag access with OpenSource Chef-Server, Steffen Gebert, 04/21/2013
- [chef] Re: Limiting a client to data bag access with OpenSource Chef-Server, Noah Kantrowitz, 04/22/2013