Mastering Chef

Product type: Book
Published: Jun 2015
ISBN-13: 9781783981564
Pages: 374
Edition: 1st Edition
Author: Mayank Joshi

Table of Contents (20 chapters)

Mastering Chef
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Introduction to the Chef Ecosystem
2. Knife and Its Associated Plugins
3. Chef and Ruby
4. Controlling Access to Resources
5. Starting the Journey to the World of Recipes
6. Cookbooks and LWRPs
7. Roles and Environments
8. Attributes and Their Uses
9. Ohai and Its Plugin Ecosystem
10. Data Bags and Templates
11. Chef API and Search
12. Extending Chef
13. (Ab)Using Chef
Index

Chapter 4. Controlling Access to Resources

So you have decided to set up a Chef server and manage your infrastructure through it. Good for you! Once you are past that stage, the next question that haunts most organizations is: how do we let everyone contribute to the Chef code while making sure that nobody breaks things when many people are modifying it at once? And above all, how do we ensure that anyone who is not supposed to access resources on the Chef server is denied access?

Chef provides fine-grained, role-based access to resources through Enterprise Chef.

Any system that provides such a mechanism has to include two components:

  • Authentication

  • Authorization

All communication with the Chef server goes through the Chef Server API. The API is a REST API, and access to it is restricted using authentication mechanisms. Public key encryption is used in both Enterprise and Open...
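The request-signing scheme behind that API is worth seeing in code. The following is an added example, not code from the book or from Chef itself: it reimplements signing protocol version 1.0, the scheme chef-client and Knife use when they present a request to the server (the one implemented by the mixlib-authentication library), together with the matching server-side check. The header names and the layout of the canonical request are those of the real protocol; the RSA key, the user name web1, the request path and the timestamp are constructed for the example. Newer protocol versions (1.3) replace the SHA-1/raw-RSA construction below with an RSA-SHA256 signature, but the headers and the canonical-request idea are the same.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'time'

# Chef Server API request signing, protocol version 1.0. Header names and the
# canonical-request layout follow the real protocol; the key, user and request
# used further down are constructed for this example.
module ChefRequestSigner
  SIGN_HEADER = 'algorithm=sha1;version=1.0;'.freeze

  # Version 1.0 hashes the path and the body as base64(SHA-1).
  def self.hash_str(str)
    Base64.strict_encode64(Digest::SHA1.digest(str))
  end

  # Chef collapses repeated slashes and drops a trailing slash before hashing.
  def self.canonical_path(path)
    canon = path.gsub(%r{/+}, '/')
    canon == '/' ? canon : canon.chomp('/')
  end

  # The exact multi-line string that gets signed. Every field the server checks
  # (method, path, body hash, timestamp, user) is bound into it.
  def self.canonical_request(method, path, body, timestamp, user_id)
    [
      "Method:#{method.to_s.upcase}",
      "Hashed Path:#{hash_str(canonical_path(path))}",
      "X-Ops-Content-Hash:#{hash_str(body.to_s)}",
      "X-Ops-Timestamp:#{timestamp}",
      "X-Ops-UserId:#{user_id}"
    ].join("\n")
  end

  # Client side: returns the headers to send. In version 1.0 the "signature" is
  # the canonical request encrypted with the RSA private key (PKCS#1 v1.5),
  # base64-encoded and split into 60-character X-Ops-Authorization-N headers.
  def self.sign(method:, path:, user_id:, private_key:, body: nil,
                timestamp: Time.now.utc.iso8601)
    canonical = canonical_request(method, path, body, timestamp, user_id)
    signature = Base64.strict_encode64(private_key.private_encrypt(canonical))
    headers = {
      'X-Ops-Sign' => SIGN_HEADER,
      'X-Ops-Userid' => user_id,
      'X-Ops-Timestamp' => timestamp,
      'X-Ops-Content-Hash' => hash_str(body.to_s),
      'Accept' => 'application/json'
    }
    signature.scan(/.{1,60}/).each_with_index do |chunk, i|
      headers["X-Ops-Authorization-#{i + 1}"] = chunk
    end
    headers
  end

  # Server side: the server looks up the public key it holds for X-Ops-Userid,
  # rebuilds the canonical request from what it actually received, and compares
  # it with the decrypted signature. Requests whose timestamp falls outside the
  # skew window (Chef's default is 15 minutes) are rejected, which bounds how
  # long a captured request can be replayed.
  def self.verify(method:, path:, headers:, public_key:, body: nil,
                  now: Time.now.utc, max_skew: 900)
    ts = Time.iso8601(headers['X-Ops-Timestamp'].to_s)
    return false if (now - ts).abs > max_skew
    return false unless headers['X-Ops-Content-Hash'] == hash_str(body.to_s)
    chunks = headers.keys.grep(/\AX-Ops-Authorization-\d+\z/)
                    .sort_by { |k| k[/\d+\z/].to_i }
                    .map { |k| headers[k] }
    return false if chunks.empty?
    signature = Base64.strict_decode64(chunks.join)
    expected = canonical_request(method, path, body, headers['X-Ops-Timestamp'],
                                 headers['X-Ops-Userid'])
    public_key.public_decrypt(signature) == expected
  rescue OpenSSL::PKey::PKeyError, ArgumentError, TypeError
    false
  end
end

# Constructed sample: a client named web1 fetching its own node object.
def sample_signed_request(private_key, timestamp = '2015-06-01T12:00:00Z')
  ChefRequestSigner.sign(method: 'GET', path: '/nodes/web1', user_id: 'web1',
                         private_key: private_key, timestamp: timestamp)
end
```

Two things the code makes visible that the prose does not: the server can only verify a request if it already holds the public key bound to the X-Ops-Userid being presented, which is exactly what registration during bootstrap establishes; and because the method, path and body hash are all inside the signed string, a captured request cannot be turned into a different one (a GET into a DELETE, say) even within the skew window.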

The bootstrap process


Before we jump into the authentication and authorization mechanisms available in the Chef ecosystem, let's look at the process used to bootstrap a new machine with Chef. There are two ways to bootstrap a new node:

  • Using the knife bootstrap subcommand

  • Using a custom orchestrator, which can bootstrap a new machine

In both cases, unless you are using chef-client version 12.1 (or higher) with a validator-less bootstrap, you will need the validator's private key for the first chef-client run on the node. If you are using the Open Source Chef server, this key can be found in /etc/chef-server/chef-validator.pem, whereas for the Enterprise Chef server, the key is issued to you during the initial setup.

If you are going to use the knife bootstrap subcommand, this key should be copied to the machine from which knife bootstrap will be invoked. Also, update your knife.rb file on the workstation with the...

Authentication


Communication with the Chef server can be initiated in different ways: by chef-client, by Knife, or by calling the API directly from code. Let's see how authentication works in each case.

chef-client

Every time chef-client needs to communicate with the Chef server to fetch the data it needs to configure a machine, it has to authenticate itself to the Chef server. It does so using the private key located at /etc/chef/client.pem. However, as we saw in the bootstrap process, when chef-client is executed for the very first time there is no client private key on the machine yet. Hence, chef-client uses the private key assigned to the chef-validator (/etc/chef/validation.pem). Once the initial request is authenticated, chef-client registers itself with the Chef server using validation.pem, and the Chef server returns a new private key to use for all future communication. Once the initial chef-client run is over, validation...
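To make the first-run key exchange described in the bootstrap section and above concrete, here is an added example that is neither the book's code nor chef-client's. It models what happens on the node: an in-memory stand-in for the Chef server's client registry, and a function that picks the key the way chef-client does (client.pem if present, otherwise validation.pem to register and obtain client.pem). It assumes a configuration directory holding those two files and generates 2048-bit RSA keys on the fly; request signing is not modelled here, only key selection and registration. The 409 and 401 responses mirror what the real server returns when a client name already exists or when the presented key is not the validator's.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# In-memory stand-in for the Chef server's client registry, constructed for this
# example. The real server also checks the request signature and stores clients
# in its database; only the key-handling logic is modelled here.
class FakeChefServer
  def initialize
    @validator_key = OpenSSL::PKey::RSA.new(2048)  # chef-validator's key pair
    @clients = {}                                  # client name => public key PEM
  end

  # The private half is what gets handed to whoever bootstraps nodes.
  def validator_private_pem
    @validator_key.to_pem
  end

  # POST /clients authenticated as chef-validator. The server generates the key
  # pair, keeps only the public half, and returns the private key to the node.
  # Like the real server, it answers 409 when the name is already taken, which is
  # why re-bootstrapping a node first needs `knife client delete NODE`.
  def create_client(name, presented_public_pem)
    unless presented_public_pem == @validator_key.public_key.to_pem
      raise 'HTTP 401: only the validator may register new clients'
    end
    raise "HTTP 409: client #{name} already exists" if @clients.key?(name)
    pair = OpenSSL::PKey::RSA.new(2048)
    @clients[name] = pair.public_key.to_pem
    pair.to_pem
  end

  def registered?(name, public_pem)
    @clients[name] == public_pem
  end
end

# Key selection as chef-client does it at start-up. Returns :existing when
# client.pem is already there and :registered after a first-run registration.
# The validator key can register *any* client name, so it is removed as soon
# as client.pem is in place; chef-client will not do that for you by itself.
def chef_client_authenticate(server, node_name, conf_dir)
  client_pem = File.join(conf_dir, 'client.pem')
  validation_pem = File.join(conf_dir, 'validation.pem')

  if File.exist?(client_pem)
    key = OpenSSL::PKey::RSA.new(File.read(client_pem))
    unless server.registered?(node_name, key.public_key.to_pem)
      raise 'client.pem is not the key the server holds for this node'
    end
    FileUtils.rm_f(validation_pem)
    return :existing
  end

  unless File.exist?(validation_pem)
    raise 'neither client.pem nor validation.pem present: cannot authenticate'
  end
  validator = OpenSSL::PKey::RSA.new(File.read(validation_pem))
  new_private_pem = server.create_client(node_name, validator.public_key.to_pem)
  File.write(client_pem, new_private_pem, perm: 0o600)
  FileUtils.rm_f(validation_pem)
  :registered
end

# Captures the error message a server call raises, or nil if it succeeds.
def error_of
  yield
  nil
rescue RuntimeError => e
  e.message
end

# Runs two chef-client starts on a fresh node directory and reports the outcome,
# plus what the server says to a re-bootstrap and to a key that is not the validator's.
def simulate_bootstrap(node_name = 'web1')
  server = FakeChefServer.new
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'validation.pem'), server.validator_private_pem, perm: 0o600)
    first = chef_client_authenticate(server, node_name, dir)
    second = chef_client_authenticate(server, node_name, dir)
    validator_pub = OpenSSL::PKey::RSA.new(server.validator_private_pem).public_key.to_pem
    rogue_pub = OpenSSL::PKey::RSA.new(2048).public_key.to_pem
    {
      first: first,
      second: second,
      client_pem_present: File.exist?(File.join(dir, 'client.pem')),
      validation_pem_present: File.exist?(File.join(dir, 'validation.pem')),
      rebootstrap_error: error_of { server.create_client(node_name, validator_pub) },
      rogue_key_error: error_of { server.create_client('evil', rogue_pub) }
    }
  end
end
```

The practitioner's takeaway is in the last three results: a second bootstrap of the same name fails with a conflict until the old client is deleted, a key that is not the validator's cannot register anything, and after the first run the node holds only its own client.pem. Since validation.pem can mint a client for any name, treat it like any other shared secret: distribute it only for the first run and remove it afterwards.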

Authorization


As we discussed earlier, users of Chef can only perform the actions they are authorized to perform. The implementation of authorization differs between the Enterprise and Open Source Chef server.

The Enterprise Chef server uses a role-based access control model.

The Open Source Chef server, on the other hand, has a fairly simple model: there are admin users, who have the privilege to read, write, update, and delete resources, and non-admin users, who have read-only access to resources on the Chef server.

Let's look at each of these in detail.

The Open Source Chef server

As we discussed earlier, the Open Source Chef server has a very simple authorization model. There are two sets of users: admin and non-admin. Any user with the admin privilege can read, write, update, or delete any resource on the Chef server, whereas non-admin users have read-only access to the resources on the Chef server.
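The two models side by side, as an added example that is neither the book's code nor the Chef server's: a flat admin/non-admin evaluator matching the Open Source model just described, and a per-object ACL evaluator in the spirit of Enterprise Chef, where each object (node, role, cookbook, data bag) carries separate read, create, update, delete and grant permissions that users hold directly or through groups. The users, groups and objects are made up. The point it makes is that "read-only" in the flat model still means every non-admin principal can read every data bag, which is why secrets need to be encrypted before they go into one.

```ruby
# Two authorization models for Chef server objects. Both evaluators and all the
# sample principals and objects below are constructed for this example.
module ChefAuthz
  # Open Source Chef server: admins may do anything, everyone else may only read.
  class FlatModel
    def initialize(admins)
      @admins = admins
    end

    def allowed?(user, action, _object)
      return true if @admins.include?(user)
      action == :read
    end
  end

  # Per-object ACLs: each object maps a permission to the actors and groups that
  # hold it; a user matches directly or through group membership. Unknown
  # objects and permissions deny by default.
  class AclModel
    PERMS = %i[read create update delete grant].freeze

    def initialize(groups)
      @groups = groups  # group name => member user names
      @acls = Hash.new { |h, obj| h[obj] = Hash.new { |hh, perm| hh[perm] = [] } }
    end

    def grant(object, perm, *holders)
      raise ArgumentError, "unknown permission #{perm}" unless PERMS.include?(perm)
      @acls[object][perm].concat(holders)
      self
    end

    def allowed?(user, action, object)
      holders = @acls[object][action]
      holders.include?(user) ||
        holders.any? { |group| @groups.fetch(group, []).include?(user) }
    end
  end

  # Runs the same requests through a model and returns those it would deny.
  def self.denied(model, requests)
    requests.reject { |user, action, object| model.allowed?(user, action, object) }
  end
end

# Sample principals: alice administers, bob is on the web team, carol is an
# ordinary user. The same four requests are evaluated under both models.
FLAT = ChefAuthz::FlatModel.new(%w[alice])

ACL = ChefAuthz::AclModel.new('admins' => %w[alice],
                               'webteam' => %w[bob],
                               'users' => %w[alice bob carol])
                          .grant('data_bags/secrets', :read, 'admins')
                          .grant('data_bags/secrets', :update, 'admins')
                          .grant('cookbooks/web', :read, 'users')
                          .grant('cookbooks/web', :update, 'webteam', 'admins')
                          .grant('cookbooks/web', :delete, 'admins')

REQUESTS = [
  ['alice', :delete, 'cookbooks/web'],
  ['bob',   :update, 'cookbooks/web'],
  ['bob',   :read,   'data_bags/secrets'],
  ['carol', :update, 'cookbooks/web']
].freeze
```

Under the flat model bob cannot update the cookbook his team owns without being made an admin (which would also let him delete anything), yet he can read the secrets data bag. Under the per-object model the grants express exactly what each team needs and nothing more; that granularity is what the chapter means when it says the choice of server variant depends on how fine-grained your authorization has to be.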

When a node is registered with the Chef server through...

Summary


In this chapter, we looked at how authentication happens with the Chef server and how one can write custom API clients that connect securely to the Chef server. We also saw the different authorization models used by the Enterprise and Open Source Chef server. I hope by now you understand how authentication and authorization work in the world of Chef, and how to choose the right variant of the Chef server depending on the granularity of authorization you need.

In the next chapter, we'll learn about the most fundamental unit of code written by Chef developers: the recipe. The components of a recipe and its resources (among other things) will be covered next.
