chef / cheffish

Resources and tools for testing and interacting with Chef and Chef Server.
Apache License 2.0

Confused about implications of using groups attribute in chef_group resource #78

Closed poliva83 closed 9 years ago

poliva83 commented 9 years ago

It appears that it's possible to create a group and add other groups to this group. However, I am confused about the ACL implications. In the spec example below, does any user in group 'g' have all ACL permissions set for group 'g' plus those also set for group 'x'? Which ACL permissions would take precedence if group 'g' and 'x' rules are in conflict? Is it some kind of union? Sorry, this probably isn't a cheffish-related issue, but I couldn't find these answers in the Chef docs (https://docs.chef.io/server_orgs.html) and thought someone here might know.

related spec: https://github.com/chef/cheffish/blob/master/spec/integration/chef_group_spec.rb#L109

# Excerpt from spec/integration/chef_group_spec.rb. `group`, `user`, `client`,
# `expect_recipe` and `get` are helpers provided by the spec harness, not plain RSpec.
context 'and has a group named x' do
  group 'g', {}
  group 'g2', {}
  group 'g3', {}
  group 'g4', {}
  user 'u', {}
  user 'u2', {}
  user 'u3', {}
  user 'u4', {}
  client 'c', {}
  client 'c2', {}
  client 'c3', {}
  client 'c4', {}

  # Group 'x' directly contains two users, two clients and two other groups.
  group 'x', {
    'users' => %w(u u2),
    'clients' => %w(c c2),
    'groups' => %w(g g2)
  }

  it 'Converging chef_group "x" adds new users' do
    expect_recipe {
      chef_group 'x' do
        users 'u3'
        clients 'c3'
        groups 'g3'
      end
    }.to have_updated('chef_group[x]', :create)
    # 'actors' is the server's flattened list of direct users and clients;
    # nested groups stay listed separately under 'groups'.
    expect(get('groups/x')).to eq({
      'name' => 'x',
      'groupname' => 'x',
      'orgname' => 'foo',
      'actors'  => %w(c c2 c3 u u2 u3),
      'groups'  => %w(g g2 g3),
      'users'   => %w(u u2 u3),
      'clients' => %w(c c2 c3)
    })
  end
end
poliva83 commented 9 years ago

I found my answer after reviewing ChefServerPermissions_v1.3.pdf.

A Group is an entity that contains lists of Actors and other Groups. It is a way to link Actors in the system that should share the same permissions on an Object. An example is the Admin group. Groups can contain other Groups. When resolving permissions, the system just walks down the chain until it reaches the end and finds the Actors contained in the Group.

Closing this issue.
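The resolution described in that PDF excerpt, written out as an added example (this is not code from the issue, from cheffish, or from Chef Server): a group's effective actor set is the union of its direct users and clients plus everything reachable through nested groups, and an object ACL is checked by asking whether any granted actor or group contains the requester. The group contents, the object ACL and the actor names below are constructed for illustration; they reuse the names from the spec excerpt but are not its data. Chef Server ACLs only grant permissions (each permission carries an `actors` list and a `groups` list), so there is nothing for 'g' and 'x' to be "in conflict" about: membership in either is enough.

```ruby
# Added example, not cheffish or Chef Server code: resolve a group's effective
# actors by walking nested groups transitively, and check an object ACL with it.
require 'set'

# Constructed group definitions, shaped like the 'groups/<name>' responses in the
# spec. g3 points back at x to show that a cycle must not loop forever, and 'u'
# appears both directly in x and via g -> g4 to show the union de-duplicates.
GROUPS = {
  'x'  => { 'users' => %w(u u2 u3), 'clients' => %w(c c2 c3), 'groups' => %w(g g2 g3) },
  'g'  => { 'users' => %w(u4),      'clients' => [],          'groups' => %w(g4) },
  'g2' => { 'users' => [],          'clients' => %w(c4),      'groups' => [] },
  'g3' => { 'users' => [],          'clients' => [],          'groups' => %w(x) },
  'g4' => { 'users' => %w(u),       'clients' => [],          'groups' => [] },
}.freeze

# Every user and client reachable from `name` through nested groups.
# `seen` guards against cycles (g3 -> x -> g3 above).
def effective_actors(name, groups = GROUPS, seen = Set.new)
  return Set.new if seen.include?(name)
  seen << name
  group = groups.fetch(name) { raise KeyError, "unknown group #{name}" }
  actors = Set.new(group['users']) | Set.new(group['clients'])
  group['groups'].each { |child| actors |= effective_actors(child, groups, seen) }
  actors
end

# A constructed object ACL in the shape Chef Server uses: per permission, the
# actors granted directly and the groups granted. Grant-only, no deny entries.
ACL = {
  'read'   => { 'actors' => %w(admin), 'groups' => %w(x) },
  'update' => { 'actors' => [],        'groups' => %w(g) },
  'delete' => { 'actors' => %w(u3),    'groups' => [] },
}.freeze

# An actor holds a permission if it is granted directly or is an effective
# member of any granted group; more than one matching path changes nothing.
def permitted?(actor, permission, acl = ACL, groups = GROUPS)
  entry = acl.fetch(permission)
  return true if entry['actors'].include?(actor)
  entry['groups'].any? { |g| effective_actors(g, groups).include?(actor) }
end

if $PROGRAM_NAME == __FILE__
  puts "effective actors of x: #{effective_actors('x').to_a.sort.join(' ')}"
  %w(u u2 u4 c4 u3 admin).each do |actor|
    granted = ACL.keys.select { |perm| permitted?(actor, perm) }
    puts "#{actor}: #{granted.join(', ')}"
  end
end
```

Run it directly and the output shows 'u4' getting both read (via x -> g) and update (via g), while 'u2' gets read only, which is the "union" the question asked about: nesting widens the actor set, it never narrows what an enclosing group already grants.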