On Mon, Jan 31, 2011 at 3:05 AM, Pieter Baele <pieter.ba...@gmail.com> wrote:
> I would like to delegate access to puppet to other teams in our company.
>
> It has to be possible for them to:
> - create new recipes
> - do some sort of check if their recipes / templates work.
>
> How should I do this without giving other teams the ability to create havoc?

As others have said, this is pretty easy to do with environments and
modulepaths. You should be able to implement whatever access control
your version control system has such that only authorized people can
commit to various locations.

There are a few gotchas.

* Pluginsync will sync all plugins from a given modulepath. For facts,
these will all execute. If you have a particularly locked down
environment, you may want to implement pre-commit hooks to restrict
plugins to a single location that is tightly curated.

* It is possible to inherit from a class (or use the 'spaceship'
operator) and override resource declarations. This may not be what you
want, and currently pre-commit hooks are the only real way to prevent
this (other than tight curation of approvals).

http://projects.puppetlabs.com/issues/4627 may be of interest to you.
I've suggested the idea of being able to disable resources from being
overridden, e.g.

final class foo {
...
}

and any resources declared within foo would not be able to be
overridden by any means.

In any case it sounds like you want some pre-commit hooks to run
--parseonly on the manifests to check they parse, and you're going to
want to split up the modulepaths such that different groups have
different permissions.


>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
>
>

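An added example, not part of the original message: a hook script that applies the two checks suggested above, rejecting pluginsync-able files outside one curated tree and running --parseonly on changed manifests. It assumes git as the version control system and a curated tree at modules/core/; that path and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: commit-time policy checks for a shared Puppet repository.
# Assumptions (not from the original post): git is the VCS, and the only
# place plugins may live is CURATED_PREFIX (a hypothetical path).
CURATED_PREFIX="${CURATED_PREFIX:-modules/core/}"
# --parseonly is the flag named in the post; PARSE_CMD can be overridden.
PARSE_CMD="${PARSE_CMD:-puppet --parseonly}"

# Read paths on stdin; print each file pluginsync would distribute
# (facts under lib/facter, other plugins under lib/puppet) that sits
# outside the curated tree.
plugin_violations() {
    while IFS= read -r path; do
        case "$path" in
            "$CURATED_PREFIX"*) ;;   # curated location: allowed
            lib/facter/*|lib/puppet/*|*/lib/facter/*|*/lib/puppet/*)
                printf '%s\n' "$path" ;;
        esac
    done
}

# Read paths on stdin; print each .pp manifest that fails to parse.
# PARSE_CMD is left unquoted on purpose so its flag is split off.
unparseable_manifests() {
    while IFS= read -r path; do
        case "$path" in
            *.pp) $PARSE_CMD "$path" >/dev/null 2>&1 || printf '%s\n' "$path" ;;
        esac
    done
}

# Hook entry point: check the files staged for this commit (git-specific).
run_hook() {
    staged=$(git diff --cached --name-only --diff-filter=ACMR)
    bad_plugins=$(printf '%s\n' "$staged" | plugin_violations)
    bad_manifests=$(printf '%s\n' "$staged" | unparseable_manifests)
    [ -z "$bad_plugins" ] || printf 'plugin outside %s:\n%s\n' "$CURATED_PREFIX" "$bad_plugins" >&2
    [ -z "$bad_manifests" ] || printf 'does not parse:\n%s\n' "$bad_manifests" >&2
    [ -z "$bad_plugins$bad_manifests" ]   # non-zero status rejects the commit
}

# Run only when installed as .git/hooks/pre-commit, so the functions above
# can also be sourced by a server-side hook or a test.
case "$0" in */pre-commit) run_hook ;; esac
```

A client-side git hook can be skipped by the committer, so for enforcement across teams the same two functions belong in a server-side hook fed with the changed paths. The parse check reads the working-tree copy of each manifest, which can differ from the staged content.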