Attributes for passwords?


#1

What are the general thoughts on using attributes (properties) for passwords? If password attributes are stored in the central Chef Server any Chef client/node can potentially query the password attributes of another node on the network. Right?

Are other people storing passwords for things like database connection strings in attributes? Is there anything in the pipe that would protect nodes from reading each other's password attributes? Perhaps a mask function to secure a subset of attributes so that nodes would only be able to query each other's non-secure attributes.

Dan


#2

We don’t have a great solution for that yet.

The basic infrastructure is in place–client connections are signed
with a private key that is (in practice) unique to the node. So it
should be possible to run that backwards and encrypt a string with the
public key so only the node could read it. We don’t have any plans
right now to implement such a thing, so someone would need to
contribute it.

Dan DeLeo

On Mon, May 10, 2010 at 1:00 PM, Dan Prince dan.prince@rackspace.com wrote:

What are the general thoughts on using attributes (properties) for passwords? If password attributes are stored in the central Chef Server any Chef client/node can potentially query the password attributes of another node on the network. Right?

Are other people storing passwords for things like database connection strings in attributes? Is there anything in the pipe that would protect nodes from reading each other's password attributes? Perhaps a mask function to secure a subset of attributes so that nodes would only be able to query each other's non-secure attributes.

Dan
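The scheme Dan DeLeo sketches above (encrypt a value with a node's public key so that only the node holding the private half can read it), worked through as an added example; this is not code from the thread or from Chef itself, and the function names are hypothetical. It assumes the writer of the attribute can obtain the target node's public key, which the Chef server holds because it verifies the node's signed requests with it. Because RSA can only encrypt a short message directly, the example uses hybrid encryption: a fresh AES-256-GCM data key protects the secret and RSA-OAEP wraps that data key. The node keeps its private key, so any other node that reads these attributes from the server sees only ciphertext. This is essentially the design the later chef-vault project adopted for encrypted data bags.

```ruby
require 'openssl'
require 'base64'

# Generate a stand-in for a node's client key pair. In Chef the node holds the
# private half and signs its requests with it; the server holds the public half.
# This example constructs a fresh pair so that it runs offline.
def generate_node_key
  OpenSSL::PKey::RSA.new(2048)
end

# Seal a secret so that only the holder of the matching private key can read it.
# A fresh AES-256-GCM data key encrypts the secret and RSA-OAEP wraps that key
# (hybrid encryption). GCM also authenticates the ciphertext, so any tampering
# with the stored attribute is detected on the node.
def seal_for_node(node_public_key_pem, secret)
  pub = OpenSSL::PKey::RSA.new(node_public_key_pem)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = cipher.update(secret) + cipher.final
  wrapped_key = pub.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  {
    'wrapped_key' => Base64.strict_encode64(wrapped_key),
    'iv'          => Base64.strict_encode64(iv),
    'tag'         => Base64.strict_encode64(cipher.auth_tag),
    'ciphertext'  => Base64.strict_encode64(ciphertext)
  }
end

# Reverse of seal_for_node, run on the node with its private key. Raises
# OpenSSL::PKey::PKeyError when the key does not match (OAEP unwrap fails) and
# OpenSSL::Cipher::CipherError when the ciphertext or tag was altered.
def unseal_on_node(node_private_key_pem, envelope)
  priv = OpenSSL::PKey::RSA.new(node_private_key_pem)
  data_key = priv.private_decrypt(Base64.strict_decode64(envelope['wrapped_key']),
                                  OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = Base64.strict_decode64(envelope['iv'])
  cipher.auth_tag = Base64.strict_decode64(envelope['tag'])
  cipher.update(Base64.strict_decode64(envelope['ciphertext'])) + cipher.final
end

# True if the given private key can open the envelope; false for any other key.
def readable_by?(node_private_key_pem, envelope)
  unseal_on_node(node_private_key_pem, envelope)
  true
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
  false
end

# Build the attribute hash one node would carry: non-secret values stay plain,
# the password is stored only in sealed form. Other nodes querying this node's
# attributes from the server get the envelope, not the password.
def sealed_db_attributes(node_public_key_pem, host:, user:, password:)
  {
    'db' => {
      'host' => host,
      'user' => user,
      'password_sealed' => seal_for_node(node_public_key_pem, password)
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  node_a = generate_node_key # constructed key for the node that owns the secret
  node_b = generate_node_key # constructed key for some other node on the network
  attrs = sealed_db_attributes(node_a.public_key.to_pem,
                               host: 'db.example.internal', user: 'app',
                               password: 'constructed-example-password')
  puts "owning node decrypts: #{unseal_on_node(node_a.to_pem, attrs['db']['password_sealed'])}"
  puts "other node can read it? #{readable_by?(node_b.to_pem, attrs['db']['password_sealed'])}"
end
```

Two caveats a deployment would have to handle: each secret has to be sealed once per node that needs it (there is no shared key, which is the point), and anyone who can read a node's private key, or who can replace the public key the writer fetches from the server, can read or redirect the secret, so the server's client-key records need the same protection as the secrets themselves.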


#3

Thanks for your reply Dan.

I’ll talk this over with some of our guys and perhaps enter a feature ticket for something along these lines.

Regards,

Dan

-----Original Message-----
From: “Daniel DeLeo” dan@kallistec.com
Sent: Monday, May 10, 2010 11:52pm
To: chef@lists.opscode.com
Subject: [chef] Re: attributes for passwords?

We don’t have a great solution for that yet.

The basic infrastructure is in place–client connections are signed
with a private key that is (in practice) unique to the node. So it
should be possible to run that backwards and encrypt a string with the
public key so only the node could read it. We don’t have any plans
right now to implement such a thing, so someone would need to
contribute it.

Dan DeLeo

On Mon, May 10, 2010 at 1:00 PM, Dan Prince dan.prince@rackspace.com wrote:

What are the general thoughts on using attributes (properties) for passwords? If password attributes are stored in the central Chef Server any Chef client/node can potentially query the password attributes of another node on the network. Right?

Are other people storing passwords for things like database connection strings in attributes? Is there anything in the pipe that would protect nodes from reading each other's password attributes? Perhaps a mask function to secure a subset of attributes so that nodes would only be able to query each other's non-secure attributes.

Dan