- From: Christian Fröstl
- Subject: [chef] temp client-Node only variable? -> securing private passwords
- Date: Wed, 21 May 2014 08:25:03 +0000
- Accept-language: de-DE, en-US
Hi there,

Is there any possibility to secure private passwords and certs with chef?

I know that chef has encrypted data bags, but every client needs a key for opening the data bags, so I have to copy the key as a file onto all nodes. So I'd have a key in the filesystem of all nodes which can access all important passwords in my environment. That's not as secure as I'd like.

So I'd like to write a TCPClient which runs on all nodes and a TCPServer which runs on a dedicated server. The clients have to authenticate with an individual hash, and the server sends each node only the passwords which the client node needs. Now I have the problem of storing the password information the node gets from the server, because I don't want to save it in a file.

Is there a possibility to store the passwords only in RAM for the runtime of chef-client, so that they are dropped afterwards?

Thanks,
Christian
On 12.05.14 19:22, "Bryan McLellan" wrote:

> On Mon, May 12, 2014 at 9:44 AM, [address removed] wrote:
>> But my question is: is it possible to run chef-client with JSON attributes
>> passed as JSON runtime parameters, without creating the attributes in a
>> JSON file? Why I am asking: if we want to pass a single attribute we need
>> to create a JSON file and pass it just for a single attribute. So I am only
>> asking whether there is any option for running chef-client with override
>> attributes as runtime parameters.
>
> https://tickets.opscode.com/browse/CHEF-1918
>
> No, you cannot pass JSON on the command line. CHEF-1918 represents the
> feature request.
>
> I think this was originally the design because it would be a bit of a
> complicated syntax to type and quote, so it wouldn't be easy to use,
> and making another syntax, e.g. foo=bar, baz[faz][jaz]=stuff, would
> also be complicated and probably limiting.
>
> Is the attribute value that you're trying to pass changing often? Is
> it something you could dynamically configure from other information?
>
> If it's something only a human could provide that always goes into the
> same attribute, maybe read it out of an environment variable in a
> recipe and run like this:
>
> MY_VALUE=bob chef-client -r recipe[my_thing]
>
> Bryan
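The per-node authenticated fetch that Christian sketches above, joined with Bryan's point about keeping run-specific values out of files, as an added example (not code from the thread, from Chef, or from either author): a TCPServer challenges each client with a random nonce, checks an HMAC-SHA256 over that nonce computed with the node's pre-shared key, and returns only that node's secrets; the client keeps the reply in a Hash in process memory. Node names, keys and secrets are constructed sample data, and the protocol itself is an assumption of this example. In a real recipe the returned Hash would be placed in node.run_state, which chef-client keeps for the current run only and does not save to the Chef server. One caveat a practitioner should keep in mind: the node still has to hold something to authenticate with (here its pre-shared key), so this narrows what a key on disk can unlock rather than removing the key from the filesystem.

```ruby
require 'socket'
require 'openssl'
require 'securerandom'
require 'json'

# Constructed sample data (not from the thread): one pre-shared key per node
# and the secrets each node is allowed to receive.
NODE_KEYS = {
  'web01' => 'k-web01-0123456789abcdef',
  'db01'  => 'k-db01-fedcba9876543210'
}.freeze

NODE_SECRETS = {
  'web01' => { 'app_db_password' => 'correct horse battery staple' },
  'db01'  => { 'replication_password' => 'pony staple horse' }
}.freeze

def hmac_hex(key, data)
  OpenSSL::HMAC.hexdigest('SHA256', key, data)
end

# Constant-time comparison so a forged proof cannot be guessed byte by byte
# from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side, one request per connection. Protocol (one line per message):
#   client -> server: node name
#   server -> client: random nonce
#   client -> server: hex HMAC-SHA256(node key, nonce)
#   server -> client: JSON {"ok":true,"secrets":{...}} or {"ok":false,"error":...}
def serve_one(listener)
  client = listener.accept
  begin
    name = (client.gets || '').chomp
    key = NODE_KEYS[name]
    nonce = SecureRandom.hex(16)
    client.puts nonce
    proof = (client.gets || '').chomp
    # For an unknown node compare against a throwaway key so the reply takes
    # the same time either way and does not reveal which node names exist.
    expected = hmac_hex(key || SecureRandom.hex(16), nonce)
    if key && secure_equal?(proof, expected)
      client.puts JSON.generate('ok' => true, 'secrets' => NODE_SECRETS[name])
    else
      client.puts JSON.generate('ok' => false, 'error' => 'authentication failed')
    end
  ensure
    client.close
  end
end

# Client side: authenticate as node_name with its key and return the secrets
# as a plain Hash held only in this process's memory; nothing is written to
# disk. In a Chef recipe this Hash would go into node.run_state, which
# chef-client keeps for the current run only and does not save to the server.
def fetch_secrets(host, port, node_name, key)
  TCPSocket.open(host, port) do |sock|
    sock.puts node_name
    nonce = (sock.gets || '').chomp
    sock.puts hmac_hex(key, nonce)
    reply = JSON.parse(sock.gets)
    raise "secret server refused #{node_name}: #{reply['error']}" unless reply['ok']
    reply['secrets']
  end
end

# Start a throwaway server on a free localhost port that answers `requests`
# connections; returns [port, thread].
def start_server(requests)
  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  thread = Thread.new do
    requests.times { serve_one(listener) }
    listener.close
  end
  [port, thread]
end

if $PROGRAM_NAME == __FILE__
  port, server = start_server(2)
  run_state = {}                      # stands in for node.run_state
  run_state['secrets'] = fetch_secrets('127.0.0.1', port, 'web01', NODE_KEYS['web01'])
  puts "web01 received: #{run_state['secrets'].keys.inspect}"
  begin
    fetch_secrets('127.0.0.1', port, 'db01', NODE_KEYS['web01'])
  rescue RuntimeError => e
    puts e.message                    # web01's key does not unlock db01's secrets
  end
  server.join
end
```

Run it as a script and it starts the server on a random localhost port, fetches web01's secrets, then shows a request for db01's secrets made with web01's key being refused. The nonce keeps a captured proof from being replayed, and the per-node key scoping means a compromised node can only retrieve its own entries, which is the property Christian asks for; what the recipe then does with the value (for example writing it into an application config file) is outside this exchange.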