- From: Noah Kantrowitz <>
- To:
- Subject: [chef] Re: temp client-Node only variable? -> securing private passwords
- Date: Wed, 21 May 2014 01:28:48 -0700
Look at either chef-vault or citadel. Both have their advantages and
disadvantages, and neither is a particularly good solution. Secrets
management is basically not a usefully solved problem at this time, though
Barbican is the most promising blip on the horizon at the moment.
--Noah
On May 21, 2014, at 1:25 AM, Christian Fröstl <> wrote:
> Hi there,
>
> Is there any possibility to secure private passwords and certs with chef?
> I know that chef has encrypted data bags, but every client needs a key for
> opening the data bags. So I have to copy the key as a file to all nodes.
> So I have a key in the filesystem of all nodes which can access all
> important passwords in my environment. That's not as secure as I'd like.
> So I'd like to write a TCPClient which runs on all nodes and a TCPServer
> which runs on a dedicated server. The clients have to authenticate with an
> individual hash and the server sends each node only the passwords which
> the client node needs. Now I have the problem of storing the password
> information the node gets from the server, because I don't want to save it
> in a file.
> Is there a possibility to store the passwords only in RAM for the
> runtime of chef-client, so that they are dropped afterwards?
>
> Thanks,
>
> Christian
>
> On 12.05.14 at 19:22, "Bryan McLellan" <> wrote:
>
> > On Mon, May 12, 2014 at 9:44 AM, <> wrote:
> >> But my question is: is it possible to run chef-client with json attributes
> >> passed as json runtime parameters, without creating attributes in a
> >> json file? Why I am asking: if we want to pass a single attribute we need to
> >> create a json file and pass it just for that single attribute. So I am only asking
> >> whether there is any option for running a chef client with override attributes
> >> as runtime parameters.
> >
> > https://tickets.opscode.com/browse/CHEF-1918
> >
> > No, you cannot pass JSON on the command line. CHEF-1918 represents the
> > feature request.
> >
> > I think this was originally the design because it would be a bit of a
> > complicated syntax to type and quote, so it wouldn't be easy to use,
> > and making another syntax, e.g. foo=bar, baz[faz][jaz]=stuff, would
> > also be complicated and probably limiting.
> >
> > Is the attribute value that you're trying to pass changing often? Is
> > it something you could dynamically configure from other information?
> >
> > If it's something only a human could provide that always goes into the
> > same attribute, maybe read it out of an environment variable in a
> > recipe and run like this:
> >
> > MY_VALUE=bob chef-client -r recipe[my_thing]
> >
> > Bryan
>
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
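Added example, not from the thread and not chef-vault's or citadel's own code: a plain-Ruby sketch of the per-node key-wrapping model that chef-vault uses to address the objection raised above, namely that one encrypted-data-bag secret copied to every node can open every item. The item body is encrypted under a fresh random data key; that data key is then wrapped separately with each authorised node's RSA public key (the client keys a Chef server already holds for every registered node), so a node can open only the items it was explicitly granted, and the decrypted result exists only inside the chef-client process for the duration of the run. The node names, key pairs, item and function names are constructed for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constructed stand-ins for the client key pairs a Chef server holds for
# each registered node (in Chef the private half is the node's client.pem).
NODE_KEYS = %w[web01 db01 bastion01].each_with_object({}) do |name, keys|
  keys[name] = OpenSSL::PKey::RSA.new(2048)
end

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Seal one secret item so that only the nodes in +authorized+ can open it.
# The item body is encrypted under a fresh random data key (AES-256-GCM);
# that data key is then wrapped separately with each authorised node's RSA
# public key. No node ever holds a key that opens items it was not granted.
def seal_item(item, authorized, node_keys)
  data_key = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = data_key
  iv = cipher.random_iv
  cipher.auth_data = item.fetch('id')   # bind the ciphertext to its item name
  body = cipher.update(JSON.generate(item)) + cipher.final
  wrapped = authorized.each_with_object({}) do |name, h|
    h[name] = node_keys.fetch(name).public_key.public_encrypt(data_key, OAEP)
  end
  { 'id' => item['id'], 'iv' => iv, 'tag' => cipher.auth_tag,
    'data' => body, 'keys' => wrapped }
end

# What a node does at converge time: unwrap the data key with its own private
# key and decrypt the item into memory. Nothing here touches the filesystem;
# the plaintext lives only in this process for the duration of the run.
def open_item(sealed, node_name, private_key)
  wrapped = sealed['keys'][node_name]
  raise KeyError, "#{node_name} is not authorised for #{sealed['id']}" if wrapped.nil?
  data_key = private_key.private_decrypt(wrapped, OAEP)   # wrong key -> RSAError
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = sealed['iv']
  cipher.auth_tag = sealed['tag']
  cipher.auth_data = sealed['id']
  JSON.parse(cipher.update(sealed['data']) + cipher.final)  # tampering -> CipherError
end

# Exercise the scheme from the point of view of three nodes; the item and
# password are constructed for this example.
def demo
  item = { 'id' => 'db_root', 'password' => 'constructed-example-password' }
  sealed = seal_item(item, %w[db01 bastion01], NODE_KEYS)

  granted = open_item(sealed, 'db01', NODE_KEYS['db01'])['password']

  # web01 was not granted this item: there is no wrapped key for it at all.
  not_granted = begin
    open_item(sealed, 'web01', NODE_KEYS['web01'])
  rescue KeyError
    :no_key_for_node
  end

  # web01 presenting db01's wrapped key with its own private key fails too:
  # OAEP decryption under the wrong key does not yield the data key.
  forged = sealed.merge('keys' => { 'web01' => sealed['keys']['db01'] })
  wrong_key = begin
    open_item(forged, 'web01', NODE_KEYS['web01'])
  rescue OpenSSL::PKey::RSAError
    :unwrap_failed
  end

  # A flipped byte in the ciphertext is caught by the GCM tag before any
  # plaintext is returned.
  bad = sealed['data'].dup
  bad.setbyte(0, bad.getbyte(0) ^ 0xff)
  tampered = begin
    open_item(sealed.merge('data' => bad), 'db01', NODE_KEYS['db01'])
  rescue OpenSSL::Cipher::CipherError
    :integrity_check_failed
  end

  { granted: granted, not_granted: not_granted,
    wrong_key: wrong_key, tampered: tampered }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The caveat a practitioner should keep in mind: this scopes exposure rather than removing it. Each node's private key still sits on that node's disk, so whoever has root there can decrypt whatever that node was granted, and the sealed item has to be re-wrapped whenever a node is added to or removed from the authorised list. What it does buy, compared with a single encrypted data bag secret on every node, is that a compromised web01 yields nothing about db_root.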