[chef] Re: Credentials and encrypted data bags vs. node attributes


  • From: Kevin Bridges < >
  • Subject: [chef] Re: Credentials and encrypted data bags vs. node attributes
  • Date: Mon, 4 Aug 2014 08:45:31 -0600

Typically, attributes are set to weak defaults to provide a working installation (easier for examples, testing, etc.). It is a common practice to write a wrapper cookbook that performs your system's implementation of the resources/providers provided by the cookbook. When you are writing your wrapper cookbook, you would pull the relevant data from your encrypted data bags.


On Mon, Aug 4, 2014 at 6:56 AM, < > wrote:
In the Chef documentation, database passwords are cited as an example of the
type of confidential information that can be stored in an encrypted data bag
item, yet the two database cookbooks I have looked at--mysql and
postgresql--both use node attributes to set the passwords of their respective
equivalents of a "superuser" account ("root" and "postgres").  Is there any
reason that cookbooks involving the setting of privileged credentials shouldn't
enable the use of encrypted data bags for specifying passwords, so that when
passwords are provided in encrypted data bag items, they are not stored as node
attributes? The reason I ask is that storing them as node attributes would
arguably defeat the purpose of using encrypted data bags to some extent because
the passwords could be retrieved as clear text via the knife node edit command.
I realize that this is done on purpose in the case of postgresql where a
mechanism is required to retrieve randomly generated passwords, but some
consumers of the cookbook may want to specify the password and not have it be
stored as a node attribute.

Any insights on this matter would be appreciated.

Thanks,

John
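A plain-Ruby illustration of the point raised in both messages, added here and not part of the thread or of the cookbooks discussed: it builds a data bag item in the shape of Chef's version-1 encrypted data bag format (AES-256-CBC with the key taken as the SHA-256 digest of the shared secret and the value wrapped in a `json_wrapper` object, as I understand Chef's encryptor), decrypts it the way loading the item with the secret does, and then checks whether the clear-text password appears in what the Chef server would hold for the item versus for a node's attributes. The secret, password and attribute path are constructed for the example.

```ruby
require "openssl"
require "digest"
require "base64"
require "json"

# Shared secret as distributed to nodes (constructed for this example;
# in practice it is the contents of encrypted_data_bag_secret).
SECRET = "example-shared-secret-not-for-real-use".freeze

# Encrypt one field the way Chef's version-1 format does: AES-256-CBC,
# key = SHA-256 of the secret, value wrapped in {"json_wrapper": value}.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  { "encrypted_data" => Base64.encode64(ciphertext), "iv" => Base64.encode64(iv),
    "version" => 1, "cipher" => "aes-256-cbc" }
end

# Reverse of encrypt_field: what loading the item with the shared secret does.
# A wrong secret normally fails here with OpenSSL::Cipher::CipherError.
def decrypt_field(field, secret)
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plaintext = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plaintext)["json_wrapper"]
end

# Build an item as data_bags/secrets/<id>.json would look after encryption:
# only "id" stays in clear text.
def encrypted_item(id, fields, secret)
  fields.each_with_object("id" => id) { |(k, v), item| item[k] = encrypt_field(v, secret) }
end

# True when the clear-text password appears nowhere in the JSON the Chef
# server would hold for this object (a data bag item or a node's attributes).
def secret_absent?(object, password)
  !JSON.generate(object).include?(password)
end

password = "constructed-superuser-password"
item = encrypted_item("postgresql", { "postgres_password" => password }, SECRET)
node_attrs = { "postgresql" => { "password" => { "postgres" => password } } }
puts "data bag item hides password: #{secret_absent?(item, password)}"       # true
puts "node attributes hide password: #{secret_absent?(node_attrs, password)}" # false
puts "wrapper recovers password: #{decrypt_field(item['postgres_password'], SECRET) == password}"
```

The last check is the trade-off the thread describes: the wrapper can recover the password at converge time, but anything it then writes into node attributes is saved back to the server in clear text.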



