[chef] How can i clear attributes of node with plaintext passwords, after using mysql opscode cookbook ?


  • From: Vladimir Skubriev < >
  • To:
  • Subject: [chef] How can i clear attributes of node with plaintext passwords, after using mysql opscode cookbook ?
  • Date: Thu, 24 Oct 2013 10:14:07 +0400

See:
https://github.com/opscode-cookbooks/mysql readme.md

The following attributes are randomly generated passwords handled in the mysql::server recipe, using the OpenSSL cookbook's secure_password helper method. These are set using the set_unless node attribute method, which allows them to be easily overridden e.g. in a role.

  • node['mysql']['server_root_password'] - Set the server's root password
  • node['mysql']['server_repl_password'] - Set the replication user 'repl' password
  • node['mysql']['server_debian_password'] - Set the debian-sys-maint user password

If we can see ` to be easily overridden e.g. in a role.`

Why?

How can I understand this attribute accessible from any client of chef server on every node.

This is insecure, and encrypted data bags do not help us either. Because if we store an encrypted password in data bags, then after this recipe the password will be stored in plaintext and accessible anywhere.

I think that we can undefine these attributes e.g. in a next recipe included in a run list.

For example:

run list of a node:

1. Load passwords. There you can use your own code or for example chef-vault
myowncookbookfor_load_passwords_from_chef_server_encrypted_databags::mysql_server
#loading databags and setup attributes before run mysql::server


2. Setup server
mysql::server


3. Clear passwords
myowncookbookfor_clear_passwords::mysql_server, mysql_server.rb:

node['mysql']['server_root_password'] = ""
node['mysql']['server_repl_password'] = ""
node['mysql']['server_debian_password'] = ""

How to make it right (clear password in this defined by mysql cookbook attributes) ?


And maybe I am wrong and there is a better way to do this?


-- 
Best regards,

CVision Lab System Administrator
Vladimir Skubriev
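
A way to check the outcome of step 3 from outside the node, as an added example that is not part of the original post or of the mysql cookbook: it reads a node object exported as JSON (for instance with `knife node show NODE -l -F json`) and lists which of the three password attributes still hold a value, at any precedence level, without printing the values. The function name, the sample node and the assumed JSON layout (top-level `default`, `normal`, `override`, `automatic` hashes) are assumptions of this example.

```ruby
require 'json'

# Attribute names from the mysql cookbook README quoted in the post.
PASSWORD_KEYS = %w[
  server_root_password
  server_repl_password
  server_debian_password
].freeze

# Precedence levels as top-level keys of a node object in JSON form (assumed layout).
LEVELS = %w[default normal override automatic].freeze

# Returns "level.mysql.key" for every password attribute that still holds a
# non-empty value. The values themselves are never returned or printed.
def leaked_mysql_passwords(node_json)
  node = JSON.parse(node_json)
  LEVELS.flat_map do |level|
    mysql = node.dig(level, 'mysql')
    next [] unless mysql.is_a?(Hash)

    PASSWORD_KEYS.reject { |key| mysql[key].to_s.empty? }
                 .map { |key| "#{level}.mysql.#{key}" }
  end
end

# Constructed sample node: the replication password was cleared, the other two were not.
SAMPLE_NODE = <<~JSON
  {
    "name": "db1.example.com",
    "default": { "mysql": { "port": "3306" } },
    "normal": {
      "mysql": {
        "server_root_password": "constructed-secret-1",
        "server_repl_password": "",
        "server_debian_password": "constructed-secret-2"
      }
    },
    "override": {},
    "automatic": {}
  }
JSON

if __FILE__ == $PROGRAM_NAME
  leaked_mysql_passwords(SAMPLE_NODE).each do |path|
    puts "plaintext value still stored: #{path}"
  end
end
```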

