[chef] Re: using chef to provision/deprovision chef server users

[Brad Knowles < >]

On Oct 15, 2013, at 2:06 PM, Nick Silkey 
<
 >
 wrote:

> Im curious what others have done to tackle the provision/deprovision of 
> users within a given Chef Server.  
> 
> My use case is having to own multiple company product's disparate 
> open-source chef servers.  Im envisioning a workflow where a top-level 
> chef-server manages the foo product's chef server(s), satisfying dev+ops+qe 
> for the foo product are provisioned/deprovisioned.  The same goes for the 
> bar product's chef server(s) + team, the baz product's chef server(s) + 
> team, etc.  This would allow for onboarding already spun-up chef servers 
> and continuing to provide airspace segregation between products.

Just checking -- this is a large-scale multi-tenant environment, right?  Not 
just people from different teams in the same company, but actual different 
paying customers, some of whom might be competitors for some of your other 
customers.  And we're potentially talking about many thousands of such 
customers, right?

Maybe not Facebook or Netflix or Amazon scale, but still what would be 
considered "large scale".

> - Is anyone doing anything like this currently? 
> - How is it working out?  Wonderfully?  Terribly?  
> - Can alternatives like Private Chef solve this function?

What I have heard is that Private Chef 11.x was developed in part based on 
Hosted Chef and the sorts of things that Opscode had to do to handle their 
own multi-tenant environment.  My understanding is that Hosted Chef is now 
running on pretty much the same codebase as everyone else who is using 
Enterprise Chef 11.x, and is the largest known installation of EC.  Well, the 
largest known installation that anyone can talk about, so far as we know.

So, if using the same chef server with RBAC that Opscode is using internally 
for Hosted Chef would be a suitable solution for you, I think that's a pretty 
easy answer.  Of course, actually administering a large scale multi-tenant 
Hosted Chef type of environment is not exactly a walk in the park, but I 
suspect that you'll find some people on this list who can give you some 
advice towards that end.


Now, if a Hosted Chef type of solution is not adequate for you, and you would 
actually need separate chef servers for each environment in order to provide 
that "air gap" level of security, then I'm not sure how you would scale that 
-- we know what Opscode did (mostly), but I haven't heard of any other 
solutions in that space on that scale.

--
Brad Knowles 
<
 >
LinkedIn Profile: <http://tinyurl.com/y8kpxu>