In the Chef documentation, database passwords are cited as an example of the
type of confidential information that can be stored in an encrypted data bag
item, yet the two database cookbooks I have looked at--mysql and
postgresql--both use node attributes to set the passwords of their respective
equivalents of a "superuser" account ("root" and "postgres"). Is there any
reason that cookbooks involving the setting of privileged credentials shouldn't
enable the use of encrypted data bags for specifying passwords, so that when
passwords are provided in encrypted data bag items, they are not stored as node
attributes? The reason I ask is that storing them as node attributes would
arguably defeat the purpose of using encrypted data bags to some extent because
the passwords could be retrieved as clear text via the knife node edit command.
I realize that this is done on purpose in the case of postgresql where a
mechanism is required to retrieve randomly generated passwords, but some
consumers of the cookbook may want to specify the password and not have it be
stored as a node attribute.
Any insights on this matter would be appreciated.
Thanks,
John
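A plain-Ruby model of the resolution order the question proposes, added here as an example (it is not code from the mysql or postgresql cookbooks or from the Chef project): it assumes a data bag named "passwords" whose item ids match the service name, and substitutes a constructed in-memory hash for the encrypted bag so it runs offline.

```ruby
require 'securerandom'

# Constructed stand-in for the encrypted data bag store, keyed by bag name
# and then by item id. In a real recipe this lookup would be
# Chef::EncryptedDataBagItem.load('passwords', service, secret).
ENCRYPTED_BAG = {
  'passwords' => {
    'mysql' => { 'id' => 'mysql', 'root_password' => 's3cr3t-from-bag' }
  }
}

def load_encrypted_item(bag, item)
  ENCRYPTED_BAG.fetch(bag, {})[item]
end

# Resolve a superuser password in the order the question proposes:
#   1. encrypted data bag item -> used, and NOT written to node attributes
#   2. node attribute          -> used as supplied by the cookbook consumer
#   3. nothing supplied        -> generated and stored as a node attribute,
#                                 which is what the postgresql cookbook does
#                                 on purpose so the value can be retrieved
# Returns the password, where it came from, and the attribute hash as it
# would be persisted; the caller's input hash is never modified.
def resolve_superuser_password(node_attrs, service, key)
  attrs = Marshal.load(Marshal.dump(node_attrs)) # deep copy
  attrs[service] ||= {}
  item = load_encrypted_item('passwords', service)
  if item && item[key]
    attrs[service].delete(key) # never persist the bag value as an attribute
    { password: item[key], source: :encrypted_data_bag, node_attrs: attrs }
  elsif attrs[service][key]
    { password: attrs[service][key], source: :node_attribute, node_attrs: attrs }
  else
    attrs[service][key] = SecureRandom.hex(16)
    { password: attrs[service][key], source: :generated, node_attrs: attrs }
  end
end

# Pre-save check: would the object about to be saved to the Chef server
# carry the clear-text value that was supplied via the encrypted data bag?
def bag_password_leaked?(node_attrs, service, key)
  item = load_encrypted_item('passwords', service)
  !item.nil? && node_attrs.fetch(service, {})[key] == item[key]
end
```

The check mirrors what `knife node edit` would reveal: anything left in the attribute hash at save time is readable in clear text on the server.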