[chef] Re: temp client-Node only variable? -> securing private passwords

[Noah Kantrowitz < >]

Look at either chef-vault or citadel. Both have their advantages and 
disadvantages, and neither is a particularly good solution. Secrets 
management is basically not a usefully solved problem at this time, though 
Barbican is the most promising blip on the horizon at the moment.

--Noah

On May 21, 2014, at 1:25 AM, Christian Fröstl 
<
 >
 wrote:

> Hi there,
> 
> Is there any possibility to secure private passwords and certs with chef?
> I now that chef has encrypted data bags, but every client need a key for
> opening the data bags. So I have to copy the key as a file an all nodes.
> So I had a key in the filesystem of all nodes which can access all
> important passwords in my environment. That¹s not that secure I¹d like.
> So I like to write a TCPClient which runs on all nodes an a TCPServer
> which runs on a dedicated server. The clients has to authenticate which an
> individuell hash and the server send each node only the passwords which
> the client node needs. Now I have the problem to store the password
> information the node gets from the server, because I don¹t want to save it
> in a file.
> Is there a possibility to store the passwords only in the ram for the
> runtime of chef-client and will be dropped afterwards?
> 
> Thanks,
> 
> Christian
> 
> 
> Am 12.05.14 19:22 schrieb "Bryan McLellan" unter 
> <
 >:
> 
>> On Mon, May 12, 2014 at 9:44 AM,  
>> <
 >
>>  wrote:
>>> But my question is Is this possible to run chef-client json attributes
>>> by
>>> passing as a json runtime parameters without creating attributes in a
>>> json file
>>> why am asking is if we want to pass a single attribute we need to
>>> create a json
>>> file and need to pass those just for a single attributes.so only asking
>>> is
>>> there any option in that for running a chef client override attributes
>>> as a
>>> runtime parameters.
>> 
>> https://tickets.opscode.com/browse/CHEF-1918
>> 
>> No, you cannot pass JSON on the command line. CHEF-1918 represents the
>> feature request.
>> 
>> I think this was originally the design because it would be a bit of a
>> complicated syntax to type and quote, so it wouldn't be easy to use,
>> and making another syntax, e.g. foo=bar, baz[faz][jaz]=stuff, would
>> also be complicated and probably limiting.
>> 
>> Is the attribute value that you're trying to pass changing often? Is
>> it something you could dynamically configure from other information?
>> 
>> If it's something only a human could provide that always goes into the
>> same attribute, maybe read it out of an environment variable in a
>> recipe and run like this:
>> 
>> MY_VALUE=bob chef-client -r recipe[my_thing]
>> 
>> Bryan
>

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail