Chef attributes versus data bags

Question

I'm new to Chef, and after reading the documentation I'm still having trouble understanding when to use Attributes and when to use Data bags.

What kind of data should be stored as attributes, and what kind of data should be stored in data bags ?

Thanks

Answer 1

Well, it depends. Although data bags and attributes both hold data, the major difference between them is that attributes are exposed as node properties when recipe is run, but you don't have any clear overview what data bags were used (Except that you go through the recipes in run list).

What I personally store in attributes are:

• Paths where something (files, programs) is installed, created
• Software Versions
• Urls, ports (to download from, servers listen on etc.)
• Usernames

And in data bags:

• Everything that cannot be exposed - in encrypted data bags (private keys, passwords)
• user properties (name, shell, password hashes, public key, comment etc.)
• Some other configurations, that are more like objects, but not simple string or number data, and that is not important to the node itself.

About the last point: An example is maven repositories list. Repository has properties: name, url, policy etc. And it is not important for node what repositories are configured - important is that it have maven installed. Another example is user, only available usernames are in the attributes. All the other data is in data bag, although it can be exposed - no secret data there.

Answer 2

Of course this is one of those things where there isn't an easy answer. My rule of thumb is that anything that is one thing of many belongs in a data bag. For example if you have a list of users and groups that you want to create on a node using fnichol's users cookbook then that's a data bag. For tweaking parameters on a MySQL server then it's attributes.