General discussion about Chef

[chef] Is it possible to perform compound searches of encrypted data bags?


Chronological Thread 
  • From: Clif Smith < >
  • To:
  • Subject: [chef] Is it possible to perform compound searches of encrypted data bags?
  • Date: Fri, 8 Nov 2013 15:44:03 -0600
I support numerous applications and am wanting to store the credentials to 
those apps in data bags and then search for them within cookbooks using the 
application and environment so I can reuse the recipe.  For example, for app1 
in the production environment I’d have the following data bag item in the 
users data bag:

When it’s unencrypted:

# knife data bag show users app1up --secret-file=secret.pem
app1:       application
id:         app1up
password:   d093kekv;@x9
production: environment

Note the key/values for environment and app are swapped so they won’t be 
encrypted for searches:

# knife data bag show users app1up
app1:
  cipher:         aes-256-cbc
  encrypted_data: OhQVqYCC+4wFXXyy1HL7dHqJUtdQGpl3TLJWgC2FWCg=

  iv:             3WZrbIjQNRkuW3wr7yjfuA==

  version:        1
id:         app1up
password:
  cipher:         aes-256-cbc
  encrypted_data: 6OZzWcDCdVAUSGhcdZhM8Gzd/OuvoweiMzeeGyHEczI=

  iv:             pkX1LAVWNeukHbEmzzNTpw==

  version:        1
production:
  cipher:         aes-256-cbc
  encrypted_data: r2tqUuPP6wFtX44tOwkURhRHuKP5vggUvgPXJrO42uQ=

  iv:             FyA0plsx6+5EowuNdkiMZw==

  version:        1

While I’m able to search for it without decrypting:

chef > app_creds = search(:users, "app1:* AND production:*")
 => [data_bag_item["users", "app1up", {"id"=>"app1up", 
"app1"=>{"encrypted_data"=>"OhQVqYCC+4wFXXyy1HL7dHqJUtdQGpl3TLJWgC2FWCg=\n", 
"iv"=>"3WZrbIjQNRkuW3wr7yjfuA==\n", "version"=>1, "cipher"=>"aes-256-cbc"}, 
"production"=>{"encrypted_data"=>"r2tqUuPP6wFtX44tOwkURhRHuKP5vggUvgPXJrO42uQ=\n",
 "iv"=>"FyA0plsx6+5EowuNdkiMZw==\n", "version"=>1, "cipher"=>"aes-256-cbc"}, 
"password"=>{"encrypted_data"=>"6OZzWcDCdVAUSGhcdZhM8Gzd/OuvoweiMzeeGyHEczI=\n",
 "iv"=>"pkX1LAVWNeukHbEmzzNTpw==\n", "version"=>1, "cipher"=>"aes-256-cbc"}}]]

I’m unable to search and decrypt it:

chef > app_creds = Chef::EncryptedDataBagItem.load(:users, "app1:* AND 
production:*")
URI::InvalidURIError: bad URI(is not URI?): 
https://chef-dev.spanning.co/data/users/app1:* AND production:*
        from /opt/chef/embedded/lib/ruby/1.9.1/uri/common.rb:176:in `split'
        from /opt/chef/embedded/lib/ruby/1.9.1/uri/common.rb:211:in `parse'
        from /opt/chef/embedded/lib/ruby/1.9.1/uri/common.rb:747:in `parse'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/rest.rb:143:in
 `create_url'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/rest.rb:99:in
 `get'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/data_bag_item.rb:149:in
 `load'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/encrypted_data_bag_item.rb:294:in
 `load'
        from (irb):16
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/shell.rb:73:in
 `block in start'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/shell.rb:72:in
 `catch'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/lib/chef/shell.rb:72:in
 `start'
        from 
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.4.4/bin/chef-shell:34:in 
`<top (required)>'
        from /usr/bin/chef-shell:23:in `load'
        from /usr/bin/chef-shell:23:in `<main>'

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


Archive powered by MHonArc 2.6.16.

§