[chef] Re: Re: RE: Handling Passwords with Chef Solo

[Stuart Ellis < >]

On 5 Jun 2010, at 18:09, Erik Kastner wrote:

> I like the approach taken in the 37s "users" cookbook:
> http://github.com/37signals/37s_cookbooks/blob/master/users/attributes/default.rb
> 
> passwords are kept in chef, but as hashed passwords with salts
> (openssl passwd -l)
> 
> Is there a problem storing a new-style mysql password?

Thanks - I'm now specifying the password hash with a custom attribute:

http://github.com/stuartellis/automation/blob/master/chef/site-cookbooks/se/recipes/deployer_user.rb#L27

The MySQL root password is peculiar because the Opscode MySQL recipe requires 
it to be stored unencrypted so that it can be used to run a setup script:

http://github.com/opscode/cookbooks/blob/master/mysql/recipes/server.rb#L98

I think that the real problem was that I hadn't grasped that the node 
configuration file needs to be treated differently to the chef-solo 
configuration file and the cookbooks, and kept out of the repository.

There seems to be a similar issue with SSL - ideally the files need to be 
provided to Chef Solo as it runs, but not kept in repositories, so some kind 
of secure store definitely looks useful.

> On Sat, Jun 5, 2010 at 12:59 PM, Pierre Jacomet 
> <
 >
>  wrote:
>> I like Chef solo a lot. :-). wrt. credentials, what I have done is to use a
>> KVP store which exposes a web service which is script friendly, thus no
>> complicated XML answers. This way the scripts get the password only when
>> they need it and you never need to persist the info into your SCM. If you
>> prefer a pure WS, then you'll need to create a client for it.
>> 
>> There are a couple of issues to deal with thus:
>> 
>> 1) How do you secure access to the KVP store? -- For this you can use 
>> things
>> like firewall rules or keys that are pre-injected into you images to
>> authenticate clients against the KVP store.
>> 
>> 2) You're adding one more service, which means you'll need to manage it. In
>> order to minimize this, make your KVP store use an already existing store?
>> IOW, instead of XML or a WS, say you already have LDAP, maybe you just need
>> a client program that queries LDAP for your credentials and you need to
>> populate properly your LDAP hierarchy.
>> 
>> 
>> 
>>> From: 
>>> 
 
>>> Date: Sat, 5 Jun 2010 10:22:12 +0100
>>> To: 
>>> 
 
>>> Subject: [chef] Handling Passwords with Chef Solo
>>> 
>>> 
>>>> From: Stuart Ellis 
>>>> <
 >
>>>> Date: 5 June 2010 10:13:00 GMT+01:00
>>>> To: 
>>>> 
 
>>>> Subject: [chef] Handling Passwords with Chef Solo
>>>> Reply-To: 
>>>> 
 
>>>> 
>>>> Hello,
>>>> 
>>>> I've just started to use Chef Solo and have been really pleased with it,
>>>> but am curious as to how people are currently managing passwords with it.
>>>> This hasn't been an issue for most things, but I've now built up a fairly
>>>> complete cookbook for a Rails server, and can see that I need to manage 
>>>> the
>>>> MySQL root password and the password for a system account in order to 
>>>> fully
>>>> automate the setup.
>>> 
>>> 
>>> I'm sorry - I ought to have said "handling passwords securely". The
>>> facilities for setting system account and MySQL root passwords work fine,
>>> but I've so far used them by embedded these passwords into the JSON and 
>>> test
>>> cookbook, which feels like the wrong approach.
>>> 
>>> ---
>>> Stuart Ellis
>>> 
 
>>> 
>>> 
>>> 
>>> 
>> 
>> ________________________________
>> Hotmail has tools for the New Busy. Search, chat and e-mail from your 
>> inbox.
>> Learn more.

---
Stuart Ellis