[chef] Re: Removing permission to persist an overridden run-list for a node.


  • From: Lamont Granquist < >
  • To:
  • Cc: Stuart Preston < >
  • Subject: [chef] Re: Removing permission to persist an overridden run-list for a node.
  • Date: Thu, 01 Oct 2015 09:59:57 -0700


Override run-lists already aren't saved with node.save.

If you're concerned about nodes being able to change their run_lists at all, that isn't something that is possible right now. We can't treat the run_list separate from any of the other attributes right now.

On 10/01/2015 05:19 AM, Stuart Preston wrote:

Ohai Chefs,

I’d like to prevent my clients from persisting an overridden run-list for a node to the Chef Server (e.g. this could be achieved with the default permissions for a client within a recipe using node.save or by running chef-client -r recipe[cookbook::mynaughtycookbook]).

If I remove the node from the UPDATE and DELETE ACE on the node object, then Ohai data cannot be persisted to the server and the chef client run fails.

Does anyone know any reasonable way around this problem? In other words, is there any way to have a read-only run-list on the server?

Thanks, Stuart

Stuart Preston
Technical Director
+447828735633

 




