Providing fine-grained access to Puppet control repositories using Perforce Helix

Puppet Enterprise has an amazing set of code management capabilities to help you manage your Puppet code from keyboard to production. Code Management fetches Puppet code (Hiera data, role assignments, and Puppet modules) from a version control repository known as the control repo, and creates environments for each branch in the control repo. It then uses the data in each branch to know which Puppet modules and Hiera data need to go in each environment.

As great as Code Management is, the growing interest in using Puppet to manage systems also brings an interest in the owners of those systems being able to control access, specifically things like configuration files and Hiera data. While Puppet administrators are happy to relieve themselves of continuous updates to the data, they don’t necessarily want to let users modify or even see the Puppet code. They don’t want to give away the keys to the kingdom. Traditional version control solutions offer an all-or-nothing approach to the repo: Either you have access or you don’t, but access control to specific directories or even files is difficult to accomplish.

Perforce Helix is a version control system that excels at access control, among other things. It provides fine-grained access control in which the administrator grants access to specific depots, directories and files. Using Puppet Enterprise and Perforce Helix together enables a Puppet administrator team to provide self-service access to application development teams while protecting the infrastructure data and configuration from those who shouldn’t have access.

Let’s say we have a group of application developers in charge of the company’s WidgetApp. They want Puppet to configure the underlying application server (Java heap size, for example) as well as application-specific configuration files. The developers would like to employ an agile continuous integration / continuous deployment model to constantly push updates to their application, without having to ask a Puppet administrator to make changes for them. The Perforce Helix administrator simply needs to give the developer team the necessary access to create new branches for development environments in Puppet, while limiting what the developers can view and modify to just their own application’s data in production.
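As an added illustration (not taken from the white paper), here is how the WidgetApp scenario could look in a Helix protections table, edited with `p4 protect`. The depot layout, group names and paths are assumptions: each Puppet environment is taken to be a directory under a hypothetical `//puppet/control/` path, and the developers' environments are taken to be named with a `widgetapp_` prefix.

```text
# Hypothetical protections table for the WidgetApp scenario.
# Line format: <access level> <user|group> <name> <host> <depot path>
#
# Line 1: Puppet administrators can read and write the whole control repo.
# Line 2: WidgetApp developers can read and write only their own
#         application's Hiera data in the production environment.
# Line 3: WidgetApp developers have full read/write access to the
#         development environments they create (widgetapp_* is an
#         assumed naming convention).
#
# No other line names widgetapp-devs, so every other path in the
# control repo is neither visible nor writable for that group.

Protections:
    write group puppet-admins  * //puppet/control/...
    write group widgetapp-devs * //puppet/control/production/hieradata/apps/widgetapp/...
    write group widgetapp-devs * //puppet/control/widgetapp_*/...
```

Running `p4 protects -g widgetapp-devs` afterwards lists the lines that apply to the group, which is a quick way to confirm that nothing broader than intended was granted.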

Application administrators can just use Git as they always have, thanks to Perforce’s Git Fusion. They’re allowed to see and modify only the parts of the Puppet infrastructure they have permission for, enabling self service, continuous delivery and deployments, and a more focused systems operations team, while keeping sensitive information secure.

To learn how to set up Perforce Helix and Puppet Enterprise together, download the white paper.

Alan Petersen has worked in consulting services for several firms, providing software configuration and management assistance to many companies. He is passionate about configuration management and making system administrators’ lives easier.
