@jkeiser
Created October 26, 2015 20:08
Cheffish stuff
chef_organization orgname do
  validator_client_key_path
end

# Interpolation needs double quotes; a single-quoted '#{server}' is sent literally.
with_chef_server "https://#{server}/organizations/#{orgname}"

chef_group 'new_group' do
  users 'a', 'b'
end

# Generate the validator's key file, then register the validator client with that key.
private_key "#{orgname}-validator.pem"
chef_client "#{orgname}-validator" do
  source_key_path "#{orgname}-validator.pem"
end

chef_group 'noc' do
  # create clients
end
# Run the same recipe against several servers. This must be a Hash, not an Array
# of pairs: an Array literal here wraps a single Hash, and .each would yield that
# whole Hash instead of each server and its options.
{
  'https://server1.chef.api.com' => { client_name: 'pivotal', signing_key_filename: '/x/server1_pivotal.pem' },
  'https://server2.chef.api.com' => { client_name: 'pivotal', signing_key_filename: '/x/server2_pivotal.pem' }
}.each do |server, options|
  with_chef_server server, options do
    include_recipe "fix_all_the_groups"
  end
end
# 1. If you give someone access to something, it applies recursively.
# This gives noc read access to /containers/data, /data/x, and /data/x/y
chef_acl 'data' do
  rights :read, 'noc'
end
# This gives noc read access to /containers, /containers/admins, etc.
chef_acl 'containers' do
  rights :read, 'noc'
end
# This gives noc read access to /containers/clients (i.e. listing clients), as well as /clients/x
chef_acl 'clients' do
  rights :read, 'noc'
end
# 2. 'x/*' will *not* change the parent; it only changes direct children.
# This gives noc read access to individual clients, but not to list clients.
chef_acl 'clients/*' do
  rights :read, 'noc'
  # a '*' pattern behaves as recursive false: only the direct children are touched
end
# Layout, and what each permission means on the container vs. its children:
# /clients (== /containers/clients): read == list, create == create a child, grant == grant;
# delete and update apply to the children themselves:
# /clients/x
# /clients/y
# /clients/foo-validator
# 3. '**' is redundant but can be used for the top level.
# This gives noc read access to every single container, and every single child.
chef_acl '**' do
  rights :read, 'noc'
end
# Chef ACL permissions are create, read, update, delete and grant; there is no :write,
# so granting "write" means :create (add children) and/or :update (modify objects).
chef_acl 'clients' do
  rights [:create, :read, :update, :delete], 'noc'
end
chef_acl 'nodes' do
  rights [:create, :read, :update, :delete], 'noc'
end
# 2. If you give someone access to ''
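Added example (my own, not code from this gist or from Cheffish): a small Ruby model of how the three path-pattern rules above resolve against Chef server objects, and of the permission set a chef_acl block can grant. The object list, the noc group, and the resolve/apply_acl/can? helpers are constructed for illustration; a real chef_acl resource talks to a Chef server and exposes none of these functions.

```ruby
require 'set'

# Chef server ACL permissions. There is no "write": use :create (make
# children) and/or :update (modify the object).
PERMISSIONS = %i[create read update delete grant].freeze

# Constructed object tree for the model. Chef exposes each container twice:
# /clients is the same object as /containers/clients, so the container itself
# is listed once under containers/, and its children under the short name.
OBJECTS = %w[
  containers
  containers/admins
  containers/clients
  containers/data
  containers/nodes
  clients/x
  clients/y
  clients/foo-validator
  data/x
  data/x/y
  nodes/web1
].freeze

# Expand a chef_acl path pattern to the set of objects it touches.
def resolve(pattern, objects = OBJECTS)
  case pattern
  when '**'
    # Rule 3: every container and every child.
    objects.dup
  when %r{\A(.+)/\*\z}
    # Rule 2: only the direct children of the parent; the parent is untouched.
    parent = Regexp.last_match(1)
    objects.select { |o| File.dirname(o) == parent }
  else
    # Rule 1: the object and everything below it. A bare container name such
    # as 'data' is the entry containers/data plus all of data/...
    objects.select do |o|
      o == pattern || o == "containers/#{pattern}" || o.start_with?("#{pattern}/")
    end
  end
end

# Model `rights <perms>, <group>` inside `chef_acl <pattern>`.
# acls is { path => { group => Set of permissions } } and is updated in place.
def apply_acl(acls, pattern, rights, group)
  rights = Array(rights)
  bad = rights - PERMISSIONS
  unless bad.empty?
    raise ArgumentError, "unknown permission(s) #{bad.inspect}; valid: #{PERMISSIONS.inspect}"
  end

  resolve(pattern).each do |path|
    acls[path] ||= {}
    acls[path][group] ||= Set.new
    acls[path][group].merge(rights)
  end
  acls
end

# Does `group` hold `right` on `path` in the modelled ACLs?
def can?(acls, path, group, right)
  acls.dig(path, group)&.include?(right) || false
end

# Walk the rules from the notes above: recursive grant, '*' grant, full grant.
def demo
  acls = {}
  apply_acl(acls, 'data', :read, 'noc')        # rule 1: containers/data, data/x, data/x/y
  apply_acl(acls, 'clients/*', :read, 'noc')   # rule 2: clients/x ... but not containers/clients
  apply_acl(acls, 'nodes', %i[create read update delete], 'noc')
  acls
end

if $PROGRAM_NAME == __FILE__
  demo.sort.each do |path, groups|
    puts "#{path}: " + groups.map { |g, r| "#{g}=#{r.to_a.join(',')}" }.join(' ')
  end
end
```

Running the file prints one line per object that received a grant; note that `containers/clients` never appears, because the `clients/*` rule skips the parent, so noc can read each client but cannot list them.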
@poliva83
Thanks @jkeiser