I’m pleased to announce that Chef Server 12.0.7 is now available. Aside
from some behind-the-scenes build improvements, it has two major updates
over the previous release:
- The minimum set of Policyfile endpoints necessary to upload a policy
and run Chef Client is now implemented (though see the caveats below).
- You can enable strict RBAC checking of search results.
This release adds Cookbook Artifact endpoints, as specified in
Chef RFC 022,
and updates the existing Policies endpoint to match the Chef RFC 042
specification. With these implemented, it is possible to upload policies
from ChefDK and run Chef Client in policyfile “native API” (i.e. no
crazy hacks) mode. Despite this progress, we have not yet completed the
migration code that will enable these endpoints on existing Chef
Servers, so to use these APIs you will need to run a fresh install of
Chef Server and enable the feature with this bit of configuration in
/etc/opscode/chef-server.rb (you need to run
chef-server-ctl reconfigure to make it take effect):

lb["xdl_defaults"]["policies"] = true

We’ve already written and completed initial testing of the upgrade code
to enable this feature on existing Chef Servers, so if you’d prefer to
upgrade in-place, you will be able to do so in a forthcoming release. To
learn more about the Policyfile feature, see the comprehensive README
and Chef RFCs 022 and 042.
Note that you will need Chef Client 12.2.0 or greater and ChefDK 0.5.0
or greater when using these APIs.

Strict Search RBAC Checking

Prior to this release, Chef Server only performed cursory ACL checking
when using the search API, which would allow a user with access to the
search function to read any objects in the system, even if the user
otherwise did not have read access to those individual objects. With
this release, you can now enable strict ACL checking for all objects
returned from search. This change could be breaking for some users, so
to enable it, you must add the opscode_erchef['strict_search_result_acls']
setting to your configuration file. This setting will be the default in the next major
release (i.e., Chef Server 13).
Note that this feature has not undergone strenuous performance testing,
so be careful when enabling it in very large environments.
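
To confirm whether a given server has strict search ACL checking turned on, the configuration can be audited statically. The following is an added example, not code from Chef or from this post; the function names are hypothetical, and it assumes the setting lives in /etc/opscode/chef-server.rb and takes a boolean value, which the post does not spell out for this key.

```ruby
# Added example, not Chef's code. Static scan of chef-server.rb text for the two
# settings named in this post. The file is Ruby but is never evaluated here, so
# a value that is not a literal true/false is reported as :dynamic.
SETTINGS = {
  strict_search: /\Aopscode_erchef\[\s*(?<q>['"])strict_search_result_acls\k<q>\s*\]\s*=\s*(?<val>.+)\z/,
  policies: /\Alb\[\s*(?<a>['"])xdl_defaults\k<a>\s*\]\[\s*(?<b>['"])policies\k<b>\s*\]\s*=\s*(?<val>.+)\z/
}.freeze

# Returns { strict_search: state, policies: state }, where state is
# :enabled, :disabled, :dynamic or :unset. The last assignment in the file wins.
def audit_chef_server_config(text)
  result = SETTINGS.transform_values { :unset }
  text.each_line do |raw|
    line = raw.sub(/#.*\z/m, '').strip # drop comments (no '#' occurs in these keys)
    next if line.empty?
    SETTINGS.each do |name, pattern|
      m = pattern.match(line)
      next unless m
      result[name] = case m[:val].strip
                     when 'true' then :enabled
                     when 'false' then :disabled
                     else :dynamic
                     end
    end
  end
  result
end

# Only the search ACL setting is a security finding; policies is a feature toggle.
def findings(result)
  return [] if result[:strict_search] == :enabled
  ["strict_search_result_acls is #{result[:strict_search]}: " \
   'search results are not confirmed to be filtered by per-object read ACLs']
end

# Constructed sample config (assumed boolean value; not taken from a real server).
SAMPLE = <<~CONF
  lb["xdl_defaults"]["policies"] = true
  # opscode_erchef['strict_search_result_acls'] = true
  opscode_erchef['strict_search_result_acls'] = false   # turned off during testing
CONF

if __FILE__ == $PROGRAM_NAME
  report = audit_chef_server_config(SAMPLE)
  puts report.inspect
  findings(report).each { |f| puts "FINDING: #{f}" }
end
```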
As always, the Chef Server packages may be obtained from
our downloads page.
See you at ChefConf!