0
votes

A basic data bag structure is: /data_bags/[data bag name]/[data bag items]

Let's say I want to create a data bag for all the possible admins of all my nodes, called users, i.e.

/data_bags/users/admin1.json
/data_bags/users/admin2.json
/data_bags/users/admin3.json

Now for node1 I only want to have admin1 and admin3 and for node2 I want to have admin2 and admin3 as my admins.

How can I separate or structure my configuration in a way that I can specify or split my data bag items for each different node?

One idea I have is whether we can do something like this:

/data_bags/node1/users/...
/data_bags/node2/users/...

I am a beginner in Chef, so if what I want to do is stupid and should be handled another way, I'd appreciate any information pointing me in the right direction.

2
What is the main goal after this? Or, to say it another way: how will you use that user information? This sounds like an XY problem of RBAC management more than a structure one. You can still have an attribute on each node telling which admins you wish for each node and fetch data_bag_item by this list. - Tensibai

2 Answers

1
votes

You either need to group by user or by host. We have the following data bag structure (more docs):

{
    "id": "a-srv123-admin",
    ...
    "nodes": {
            "srv123.example.org": {
                    "sudo": "true"
            }
    }
}

More nodes can be added to the node hash. The corresponding recipe then searches for data bag items matching its own node['fqdn']:

users = search('users', "nodes:#{node['fqdn']}")

Of course, if it is more important to you to have it grouped by node, just do it the other way around and simply pick the data bag item matching the fqdn or similar attribute.

1
votes

The community users cookbook supports this feature. On each server you specify the user group you want managed, and the cookbook will search the data bag items for matching group memberships.

For an example, take a look at this answer:


Update

The "users" cookbook has an LWRP that defines which group of users should be installed on the server.

users_manage "admins1"

In the data bag you then specify the groups that the user is a member of. So, for example, "user1" would be included on servers that require the admins1 or admins2 group.

{
  "id": "user1",
  "ssh_keys": [
    "ssh-rsa I AM A DUMMY KEY 1"
  ],
  "groups": [
    "admins1",
    "admins2"
  ],
  "uid": 2001
}

You could of course create a group specific to each server, but that wouldn't scale terribly well. Personally I'd suggest group names based on user roles.

  • admins
  • devops
  • developers
  • deployers
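Both answers above come down to one selection rule run against the data bag items: match on a per-user "nodes" hash (first answer) or on a per-user "groups" list (second answer). The plain-Ruby simulation below is an added example, not code from either answer or from the users cookbook; it embeds three constructed data bag items that encode the question's layout (node1 gets admin1 and admin3, node2 gets admin2 and admin3) and stands in for Chef's search() call, which is not available outside a chef-client run. The sudo check treats anything but the literal string "true", including a missing node entry, as denied.

```ruby
require 'json'

# Constructed sample items, one per /data_bags/users/<id>.json file (not real data).
DATA_BAG_ITEMS = [
  '{"id": "admin1", "uid": 2001, "groups": ["admins1"],
    "nodes": {"node1.example.org": {"sudo": "true"}}}',
  '{"id": "admin2", "uid": 2002, "groups": ["admins2"],
    "nodes": {"node2.example.org": {"sudo": "true"}}}',
  '{"id": "admin3", "uid": 2003, "groups": ["admins1", "admins2"],
    "nodes": {"node1.example.org": {"sudo": "false"},
              "node2.example.org": {"sudo": "true"}}}'
].map { |raw| JSON.parse(raw) }.freeze

# First answer's layout (grouped by user): keep the items whose "nodes" hash
# names this node's FQDN. Stands in for search('users', "nodes:#{node['fqdn']}").
def users_for_node(items, fqdn)
  items.select { |item| item.fetch('nodes', {}).key?(fqdn) }
end

# Second answer's layout (users cookbook): keep the items that belong to any of
# the groups the node declares via users_manage.
def users_in_groups(items, wanted_groups)
  wanted = wanted_groups.map(&:to_s)
  items.select { |item| (item.fetch('groups', []) & wanted).any? }
end

# Per-node sudo decision from the "nodes" hash. Only the literal string "true"
# (the form used in the first answer) grants sudo; a missing node entry or any
# other value is treated as no sudo, so a typo fails closed.
def sudo_on?(item, fqdn)
  item.fetch('nodes', {}).fetch(fqdn, {})['sudo'] == 'true'
end

# Convenience: sorted list of user ids a selector returned.
def ids_of(items)
  items.map { |item| item['id'] }.sort
end

if __FILE__ == $PROGRAM_NAME
  fqdn = 'node1.example.org'
  users_for_node(DATA_BAG_ITEMS, fqdn).each do |item|
    puts "#{item['id']} uid=#{item['uid']} sudo=#{sudo_on?(item, fqdn)}"
  end
  puts "admins1 members: #{ids_of(users_in_groups(DATA_BAG_ITEMS, ['admins1'])).join(', ')}"
end
```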