How can I clear the attributes of a node that hold plaintext passwords after using the Opscode mysql cookbook?

See the README.md at https://github.com/opscode-cookbooks/mysql:

The following attributes are randomly generated passwords handled in
the mysql::server recipe, using the OpenSSL cookbook's secure_password
helper method. These are set using the set_unless node attribute
method, which allows them to be easily overridden e.g. in a role.

  • node['mysql']['server_root_password'] - Set the server's root password
  • node['mysql']['server_repl_password'] - Set the replication user
    'repl' password
  • node['mysql']['server_debian_password'] - Set the debian-sys-maint
    user password

As we can see, they can "be easily overridden e.g. in a role".

Why?

As I understand it, these attributes are accessible from any client of
the Chef server, on every node.

This is insecure, and encrypted data bags don't help us either, because
if we store the encrypted password in a data bag, then after this recipe
runs the password will be stored in plaintext and accessible anywhere.

I think we can undefine these attributes, e.g. in a subsequent recipe
included in the run list.

For example, the run list of a node:

  1. Load passwords. Here you can use your own code or, for example, chef-vault:
     myowncookbookfor_load_passwords_from_chef_server_encrypted_databags::mysql_server
     # loads the data bags and sets the attributes before mysql::server runs

  2. Set up the server:
     mysql::server

  3. Clear passwords:
     myowncookbookfor_clear_passwords::mysql_server, with mysql_server.rb:

     node['mysql']['server_root_password'] = ""
     node['mysql']['server_repl_password'] = ""
     node['mysql']['server_debian_password'] = ""

How do I do this right (clear the passwords in these attributes defined
by the mysql cookbook)?

Or maybe I am wrong and there is a better way to do this?


Best regards,

CVision Lab System Administrator
Vladmir Skubriev
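An added example, not part of the post above and not code from the mysql cookbook or chef-vault: a Ruby script that audits a node object, as the Chef server API (GET /nodes/NAME) or `knife node show NAME -l -F json` return it, for secret-looking attributes at all four precedence levels, and scrubs them the way step 3 of the run list intends. All four levels (normal, default, override, automatic) are serialised into the node object that chef-client saves at the end of a run, so a password placed at default or override level by a wrapper cookbook leaks exactly like the normal-level value that set_unless writes; only node.run_state is never saved. The sample node JSON below is constructed, with placeholder values; the file name, the key-name pattern and the helper names are my own.

```ruby
#!/usr/bin/env ruby
# Audit a Chef node object for secret-looking attributes and scrub them.
# Added example: not code from the mysql cookbook, chef-vault or the post.
require 'json'

# Constructed sample in the shape the Chef server API / knife return a node
# after mysql::server has run. The passwords are placeholders, not real ones.
SAMPLE_NODE_JSON = <<~JSON
  {
    "name": "db1.example.org",
    "chef_type": "node",
    "json_class": "Chef::Node",
    "run_list": ["recipe[mysql::server]"],
    "normal": {
      "mysql": {
        "server_root_password": "example-root-pw",
        "server_repl_password": "example-repl-pw",
        "server_debian_password": "example-debian-pw"
      },
      "tags": []
    },
    "default": { "mysql": { "port": 3306, "bind_address": "0.0.0.0" } },
    "override": {},
    "automatic": { "fqdn": "db1.example.org", "platform": "ubuntu" }
  }
JSON

# Every one of these levels is saved to the server with the node object.
PRECEDENCE_LEVELS = %w[normal default override automatic].freeze
# Key names that usually hold a credential (assumed pattern; extend as needed).
SECRET_KEY = /password|passwd|secret|private_key|token/i

# Depth-first walk yielding [path, value] for every scalar in the tree.
def each_leaf(obj, path = [], &block)
  case obj
  when Hash  then obj.each { |k, v| each_leaf(v, path + [k.to_s], &block) }
  when Array then obj.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &block) }
  else yield path, obj
  end
end

# Returns the paths (precedence level first) of non-empty string attributes
# whose key name matches `pattern`. An empty string is not a leaked value.
def find_secret_attributes(node, levels: PRECEDENCE_LEVELS, pattern: SECRET_KEY)
  found = []
  levels.each do |level|
    each_leaf(node.fetch(level, {}), [level]) do |path, value|
      found << path if value.is_a?(String) && !value.empty? && pattern.match?(path.last)
    end
  end
  found
end

# Deletes the given attribute paths in place and prunes hashes left empty
# below the precedence level (the level hash itself is kept, so the node
# object stays well-formed). Returns the number of attributes removed.
def scrub_secret_attributes!(node, paths)
  removed = 0
  paths.each do |path|
    *parents, key = path
    # containers[i] is the hash reached after following parents[0...i]
    containers = parents.each_with_object([node]) do |k, acc|
      acc << (acc.last.is_a?(Hash) ? acc.last[k] : nil)
    end
    leaf_parent = containers.last
    next unless leaf_parent.is_a?(Hash) && leaf_parent.key?(key)
    leaf_parent.delete(key)
    removed += 1
    parents.length.downto(2) do |i|
      break unless containers[i].empty?
      containers[i - 1].delete(parents[i - 1])
    end
  end
  removed
end

if $PROGRAM_NAME == __FILE__
  node = JSON.parse(ARGV.empty? ? SAMPLE_NODE_JSON : File.read(ARGV[0]))
  leaks = find_secret_attributes(node)
  leaks.each { |path| warn "leaked: #{path.join('.')}" }
  warn "#{scrub_secret_attributes!(node, leaks)} attribute(s) scrubbed"
  puts JSON.pretty_generate(node) # scrubbed node object on stdout
end
```

Usage against a real server: `knife node show db1 -l -F json > db1.json`, then `ruby audit.rb db1.json > db1.clean.json` and, if the report shows leaks, `knife node from file db1.clean.json`. That only cleans what is stored now; the next chef-client run re-saves the node, which is why the clearing step has to sit at the end of the run list. Inside a recipe the equivalent of scrub_secret_attributes! is `node.rm('mysql', 'server_root_password')` on Chef 12.8 or newer, or `node.normal['mysql'].delete('server_root_password')` on older clients (normal is the level set_unless writes to); assigning through `node['mysql'][...]` as in the post modifies the read-only merged view and raises ImmutableAttributeModification on Chef 11 and later, and assigning "" would keep the key on the server with an empty value. The audit skips empty strings deliberately, since the question it answers is whether a credential value is exposed.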