The following attributes are randomly generated passwords handled in
the `mysql::server` recipe, using the OpenSSL
cookbook's `secure_password` helper method. These are set using
the `set_unless` node attribute method, which allows them to be easily
overridden e.g. in a role.
- `node['mysql']['server_root_password']` - Set the server's root password
- `node['mysql']['server_repl_password']` - Set the replication user
- `node['mysql']['server_debian_password']` - Set the debian-sys-maint
If we can see
to be easily overridden e.g. in a role.
As I understand it, this attribute is accessible from any client of the Chef
server on every node.
This is insecure, and encrypted data bags do not help us either, because if
we store the encrypted password in data bags, then after this recipe the password
will be stored in plaintext and accessible anywhere.
I think that we can undefine these attributes, e.g. in a next recipe
included in the run list.
run list of a node:
Load passwords. There you can use your own code or, for example, chef-vault
# load data bags and set up attributes before running mysql::server
node['mysql']['server_root_password'] = ""
node['mysql']['server_repl_password'] = ""
node['mysql']['server_debian_password'] = ""
How to make it right (clear password in this defined by mysql cookbook
And maybe I am wrong and there is a better way to do this?
CVision Lab System Administrator
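
An added example, not part of the original post or the mysql cookbook: a Ruby audit that walks a node object exported as JSON and reports which password attributes, including the three named above, are saved with a non-empty plaintext value. The sample node data is constructed, and the layout with one top-level key per precedence level is an assumption of this example.

```ruby
require 'json'

# Precedence levels under which a Chef node object stores attributes.
LEVELS = %w[default normal override automatic].freeze

# Constructed sample node object (not real data); the layout with one
# top-level key per precedence level is an assumption of this example.
SAMPLE_NODE = JSON.parse(<<~JSON)
  {
    "name": "db1.example.test",
    "run_list": ["recipe[mysql::server]"],
    "default": { "mysql": { "port": "3306" } },
    "normal": {
      "mysql": {
        "server_root_password": "constructed-root-pw",
        "server_repl_password": "constructed-repl-pw",
        "server_debian_password": ""
      }
    },
    "override": {},
    "automatic": { "hostname": "db1" }
  }
JSON

# Recursively collect the dotted path of every key whose name contains
# "password" and whose value is a non-empty string. Values are never
# returned, so the report itself does not leak the secret.
def walk(obj, path, found)
  return found unless obj.is_a?(Hash)
  obj.each do |key, value|
    here = path + [key]
    if value.is_a?(Hash)
      walk(value, here, found)
    elsif key =~ /password/i && value.is_a?(String) && !value.empty?
      found << here.join('.')
    end
  end
  found
end

# Returns the dotted paths of plaintext password attributes saved on a node.
def plaintext_password_paths(node)
  LEVELS.flat_map { |level| walk(node[level], [level], []) }
end

puts plaintext_password_paths(SAMPLE_NODE) if __FILE__ == $PROGRAM_NAME
```

An empty result for a node means none of its saved attributes at any precedence level carries a readable password under a key named like the ones above.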