Friday, March 27, 2015

Chef Server 12.0.7 Released [feedly]

Chef Server 12.0.7 Released
// Chef Blog

Hello Chefs,

I'm pleased to announce that Chef Server 12.0.7 is now available. Aside from some behind-the-scenes build improvements, it has two major updates over the previous release:

  • The minimum set of Policyfile endpoints necessary to upload a policy and run Chef Client is now implemented (though see the caveats below).
  • You can enable strict RBAC checking of search results.

Policyfile Endpoints

This release adds Cookbook Artifact endpoints, as specified in Chef RFC 022, and updates the existing Policies endpoint to match the Chef RFC 042 specification. With these implemented, it is possible to upload policies from ChefDK and run Chef Client in policyfile "native API" (i.e. no crazy hacks) mode. Despite this progress, we have not yet completed the migration code that will enable these endpoints on existing Chef Servers. To use these APIs, you will therefore need to run a fresh install of Chef Server and enable the feature by adding the following line to your /etc/opscode/chef-server.rb, then running chef-server-ctl reconfigure to make it take effect:

lb["xdl_defaults"]["policies"] = true  

We've already written and completed initial testing of the upgrade code to enable this feature on existing Chef Servers, so if you'd prefer to upgrade in-place, you will be able to do so in a forthcoming release. To learn more about the Policyfile feature, see the comprehensive README and Chef RFCs 022 and 042.

Note that you will need Chef Client 12.2.0 or greater and ChefDK 0.5.0 or greater when using these APIs.

Strict Search RBAC Checking

Prior to this release, Chef Server only performed cursory ACL checking when using the search API. This allowed a user with access to the search function to read any objects in the system, even if the user otherwise did not have read access to those individual objects. With this release, you can now enable strict ACL checking for all objects returned from search. This change could be breaking for some users, so it is opt-in: to enable it, you must add the opscode_erchef['strict_search_result_acls'] setting to your chef-server.rb configuration file. This setting will be the default in the next major release (i.e., Chef Server 13).

Note that this feature has not undergone strenuous performance testing, so be careful when enabling it in very large environments.
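
A conceptual model of the cursory versus strict search checks described above, added here as an example; it is not Chef Server code, and every name and data value in it is hypothetical and constructed for illustration. It also counts the per-object ACL lookups the strict mode performs in this model, and lists which results a given actor would lose when strict checking is turned on.

```ruby
# Conceptual model only: NOT Chef Server (erchef) code. All names are hypothetical.
require "set"

# Constructed sample data: indexed objects and who holds read access on each.
INDEX = [
  { name: "web01", type: "node" },
  { name: "db01",  type: "node" },
  { name: "db02",  type: "node" },
].freeze
READ_ACL = {
  "web01" => Set["alice", "bob"],
  "db01"  => Set["alice"],
  "db02"  => Set["alice"],
}.freeze
SEARCH_USERS = Set["alice", "bob"].freeze # actors allowed to call search at all

class Forbidden < StandardError; end

# Returns [names, acl_checks]. strict: false models the cursory check,
# strict: true models per-object read-ACL filtering of the results.
def search(actor, strict:, &query)
  raise Forbidden, "#{actor} may not search" unless SEARCH_USERS.include?(actor)

  matches = INDEX.select(&query)
  return [matches.map { |o| o[:name] }, 0] unless strict

  checks = 0
  visible = matches.select do |obj|
    checks += 1 # one ACL lookup per matched object
    READ_ACL.fetch(obj[:name], Set.new).include?(actor)
  end
  [visible.map { |o| o[:name] }, checks]
end

# Objects an actor sees today but would lose under strict checking: the
# "could be breaking" set worth reviewing before turning the setting on.
def hidden_by_strict(actor, &query)
  loose, = search(actor, strict: false, &query)
  tight, = search(actor, strict: true, &query)
  loose - tight
end

if __FILE__ == $PROGRAM_NAME
  nodes = ->(o) { o[:type] == "node" }
  p search("bob", strict: false, &nodes)
  p search("bob", strict: true, &nodes)
  p hidden_by_strict("bob", &nodes)
end
```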


As always, the Chef Server packages may be obtained from our downloads page.

See you at ChefConf!

