This note is from 2018. I'm not sure if this is still relevant.

Enabling ACLs

Add to /etc/opscode/chef-server.rb:

opscode_erchef['strict_search_result_acls'] = true

Usage

Revoke global search for all nodes

Revoke access for new nodes

knife acl remove group clients containers nodes read

Revoke access for existing nodes

knife acl bulk remove group clients nodes '.*' read

Grant access to a specific data bag

Create resources

knife data bag create accounts
knife group create databag_accounts_writers
knife acl add group databag_accounts_writers data accounts create,read,update,delete
knife acl remove group users data accounts create,update,delete,grant

Grant access

In my case, I use a script to fill the data bag with data, so I need to grant access to the server.

knife group add client ${SERVER_NAME} databag_accounts_writers

Remove yourself from the ACLs of the objects you own

knife acl remove user ${CHEF_USER} groups databag_accounts_writers read,create,update,delete,grant
knife acl remove user ${CHEF_USER} data accounts read,create,update,delete,grant
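
Checking the result

The following is an added example, not part of the original note: a small Python audit that compares an object's ACL with the state the steps above are meant to produce. It assumes the ACL is available as JSON in the shape the Chef server `_acl` endpoint returns (an "actors" and a "groups" list per permission); the sample ACL and the user name "alice" are constructed.

```python
import json

PERMS = ("create", "read", "update", "delete", "grant")

def audit_acl(acl, required=None, denied=None, forbidden_actors=()):
    """Compare one object's ACL with the intended state.

    acl: {"read": {"actors": [...], "groups": [...]}, ...}
    required / denied: {group_name: set_of_permissions}
    Returns a sorted list of findings; an empty list means the ACL matches.
    """
    findings = []
    for perm in PERMS:
        ace = acl.get(perm, {})
        groups = set(ace.get("groups", []))
        actors = set(ace.get("actors", []))
        for group, perms in (required or {}).items():
            if perm in perms and group not in groups:
                findings.append(f"group {group} is missing {perm}")
        for group, perms in (denied or {}).items():
            if perm in perms and group in groups:
                findings.append(f"group {group} still has {perm}")
        for actor in actors.intersection(forbidden_actors):
            findings.append(f"actor {actor} still has {perm}")
    return sorted(findings)

# Constructed sample: ACL of data bag "accounts" where two steps were missed
# (group "users" kept update, and the creating user kept grant).
SAMPLE_DATABAG_ACL = json.loads("""
{
  "create": {"actors": ["pivotal"], "groups": ["admins", "databag_accounts_writers"]},
  "read":   {"actors": ["pivotal"], "groups": ["admins", "users", "databag_accounts_writers"]},
  "update": {"actors": ["pivotal"], "groups": ["admins", "users", "databag_accounts_writers"]},
  "delete": {"actors": ["pivotal"], "groups": ["admins", "databag_accounts_writers"]},
  "grant":  {"actors": ["pivotal", "alice"], "groups": ["admins"]}
}
""")

WRITERS = {"databag_accounts_writers": {"create", "read", "update", "delete"}}
USERS_DENIED = {"users": {"create", "update", "delete", "grant"}}

def audit_accounts_databag(acl, chef_user):
    # chef_user is the account that created the data bag (CHEF_USER above).
    return audit_acl(acl, required=WRITERS, denied=USERS_DENIED,
                     forbidden_actors=[chef_user])

def audit_node(acl):
    # After the revoke steps, group "clients" must not have read on nodes.
    return audit_acl(acl, denied={"clients": {"read"}})

if __name__ == "__main__":
    for finding in audit_accounts_databag(SAMPLE_DATABAG_ACL, "alice"):
        print(finding)
```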