- From: Erik Kastner
- To:
- Subject: [chef] Re: RE: Handling Passwords with Chef Solo
- Date: Sat, 5 Jun 2010 13:09:16 -0400
I like the approach taken in the 37s "users" cookbook:
http://github.com/37signals/37s_cookbooks/blob/master/users/attributes/default.rb

Passwords are kept in Chef, but as hashed passwords with salts
(openssl passwd -1).

Is there a problem storing a new-style MySQL password?

On Sat, Jun 5, 2010 at 12:59 PM, Pierre Jacomet wrote:
> I like Chef solo a lot. :-). wrt. credentials, what I have done is to use a
> KVP store which exposes a web service which is script friendly, thus no
> complicated XML answers. This way the scripts get the password only when
> they need it and you never need to persist the info into your SCM. If you
> prefer a pure WS, then you'll need to create a client for it.
>
> There are a couple of issues to deal with thus:
>
> 1) How do you secure access to the KVP store? -- For this you can use things
> like firewall rules or keys that are pre-injected into your images to
> authenticate clients against the KVP store.
>
> 2) You're adding one more service, which means you'll need to manage it. In
> order to minimize this, make your KVP store use an already existing store?
> IOW, instead of XML or a WS, say you already have LDAP, maybe you just need
> a client program that queries LDAP for your credentials and you need to
> populate properly your LDAP hierarchy.
>
> > From:
> > Date: Sat, 5 Jun 2010 10:22:12 +0100
> > To:
> > Subject: [chef] Handling Passwords with Chef Solo
> >
> > > From: Stuart Ellis
> > > Date: 5 June 2010 10:13:00 GMT+01:00
> > > To:
> > > Subject: [chef] Handling Passwords with Chef Solo
> > > Reply-To:
> > >
> > > Hello,
> > >
> > > I've just started to use Chef Solo and have been really pleased with it,
> > > but am curious as to how people are currently managing passwords with it.
> > > This hasn't been an issue for most things, but I've now built up a fairly
> > > complete cookbook for a Rails server, and can see that I need to manage
> > > the MySQL root password and the password for a system account in order to
> > > fully automate the setup.
> >
> > I'm sorry - I ought to have said "handling passwords securely". The
> > facilities for setting system account and MySQL root passwords work fine,
> > but I've so far used them by embedding these passwords into the JSON and
> > test cookbook, which feels like the wrong approach.
> >
> > ---
> > Stuart Ellis
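
An added example, not part of the original thread or of the 37signals cookbook: a pre-commit style check that walks a Chef Solo node JSON file and reports every password-like attribute whose value is not already in a hashed form (MD5 or SHA-512 crypt strings, or a new-style MySQL hash). The attribute names, the key pattern and the sample JSON are assumptions constructed for illustration.

```ruby
require 'json'

# Hashed forms accepted under a password-like key; anything else counts as plaintext.
HASH_FORMATS = {
  md5_crypt:    %r{\A\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}\z},  # `openssl passwd -1` output
  sha512_crypt: %r{\A\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}\z},
  mysql41:      /\A\*[0-9A-F]{40}\z/                                 # new-style MySQL hash
}.freeze
PASSWORD_KEY = /passw(or)?d/i # assumed naming convention for secret attributes

def hash_format(value)
  return nil unless value.is_a?(String)
  HASH_FORMATS.each { |name, pattern| return name if value.match?(pattern) }
  nil
end

# Walk the attribute tree; return [dotted.path, format or :plaintext] per password-like key.
def audit_passwords(node, path = [])
  case node
  when Hash
    node.flat_map do |key, value|
      here = path + [key]
      if key.match?(PASSWORD_KEY) && !value.is_a?(Hash) && !value.is_a?(Array)
        [[here.join('.'), hash_format(value) || :plaintext]]
      else
        audit_passwords(value, here)
      end
    end
  when Array
    node.each_with_index.flat_map { |item, i| audit_passwords(item, path + [i]) }
  else
    []
  end
end

def plaintext_paths(json_text)
  audit_passwords(JSON.parse(json_text)).select { |_, kind| kind == :plaintext }.map(&:first)
end

# Constructed sample: the hash strings only have the right shape, they are not real hashes.
SAMPLE_NODE_JSON = <<~'JSON'
  {
    "run_list": ["recipe[users]", "recipe[mysql::server]"],
    "users": { "deploy": { "password": "$1$c0nstruc$0123456789abcdefghijkl" } },
    "mysql": {
      "server_root_password": "s3cret-root",
      "server_repl_password": "*0123456789ABCDEF0123456789ABCDEF01234567"
    }
  }
JSON

puts plaintext_paths(SAMPLE_NODE_JSON)
```

The check only recognises the shape of a value, so it catches cleartext committed to the SCM but says nothing about the strength of a hash that passes.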