How to prevent chef logging secrets


#1

hi. is there any way around this? a better way to do it all together?

my cookbook sets up a mysql DB. it sets the root password by drawing the
password creds out of an encrypted data bag. that’s great cuz those
secrets are kept secret. but when “assign-root-password” is executed,
chef logs at INFO level the command it’s running, including the
string interpolated value of the password :\

$ knife data bag show secrets --secret-file ~/path/to/secret_key mysql-creds
id: mysql-creds
pass: ehMAHgawd
user: root

recipe:

mysql_creds = Chef::EncryptedDataBagItem.load("secrets", "mysql-creds")

execute "assign-root-password" do
  command "#{node['mysql']['mysqladmin_bin']} -u root password \"#{mysql_creds['pass']}\""
  action :run
  only_if "#{node['mysql']['mysql_bin']} -u root -e 'show databases;'"
end

logs, le meh:

[Tue, 22 May 2012 04:04:33 +0000] DEBUG: Processing execute[assign-root-password] on mah-host
[Tue, 22 May 2012 04:04:33 +0000] INFO: Processing execute[assign-root-password] action run (okta-mysql::dev-server line 38)
[Tue, 22 May 2012 04:04:33 +0000] DEBUG: sh(/usr/bin/mysql -u root -e 'show databases;')
[Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password] sh(/usr/bin/mysqladmin -u root password "ehMAHgawd")
[Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password] ran successfully

thanks!
kallen

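The leak described in the post, with the two mitigations a practitioner would reach for, as an added example that is not code from the thread or from Chef: a stand-in for what the execute resource does (log "sh(<command>)", then run it) that hands the secret to the child process on stdin instead of interpolating it into the command string, plus a log formatter that scrubs known secret values as a safety net. The reader command and the log contents are constructed for the demonstration.

```ruby
require 'open3'
require 'logger'
require 'stringio'

# Added example, not code from the thread. It stands in for what Chef's
# execute resource does (log "sh(<command>)", then run it) and shows two
# defences: feed the secret to the child on stdin so it is never part of the
# command string, and scrub known secret values from anything that is logged.

# Logger whose formatter replaces every known secret with a marker, so an
# accidental "#{pass}" interpolation cannot reach the log file.
def redacting_logger(io, secrets)
  logger = Logger.new(io)
  logger.formatter = proc { |severity, _time, _prog, msg|
    clean = secrets.reject(&:empty?).reduce(msg.to_s) { |m, s| m.gsub(s, '[REDACTED]') }
    "#{severity}: #{clean}\n"
  }
  logger
end

# Run a shell command the way execute does, but hand the secret over on stdin
# instead of interpolating it, so neither the log line nor `ps` can show it.
def run_with_secret_on_stdin(command, secret, logger)
  logger.info("sh(#{command})")
  out, status = Open3.capture2('sh', '-c', command, stdin_data: "#{secret}\n")
  [out.strip, status.success?]
end

# Constructed stand-in for "mysql -u root" reading a SET PASSWORD statement
# from stdin: it only reports how many characters it received. Single quotes
# keep Ruby from treating ${#pw} as string interpolation.
READER_CMD = 'IFS= read -r pw; echo "received ${#pw} chars"'

def demo(secret = 'ehMAHgawd')
  log = StringIO.new
  logger = redacting_logger(log, [secret])
  # The leaking pattern from the thread: the secret interpolated into the
  # command line. The formatter catches it here, but the child's argv would not.
  logger.info("sh(/usr/bin/mysqladmin -u root password \"#{secret}\")")
  output, ok = run_with_secret_on_stdin(READER_CMD, secret, logger)
  { output: output, success: ok, log: log.string }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts result[:log]
  puts result[:output]
end
```

The redacting formatter only protects the log file; keeping the secret out of the command string is what also keeps it out of process listings.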

#2

Hi,

You can increase log level filtering perhaps (I can see it is DEBUG here) and maybe you can create a definition for this so it encapsulates the instructions. I am not sure about this but it may encapsulate the action and remove the logs?

Hope this helps.
Vina.

----- Original message -----
From: kallen@groknaut.net
To: "chef" chef@lists.opscode.com
Sent: Wednesday 23 May 2012 00:28:21
Subject: [chef] how to prevent chef logging secrets


#3

Hi,

On Tue, May 22, 2012 at 11:28 PM, kallen@groknaut.net wrote:
I think you can't do much using the execute resource, but for this
particular case, probably you could use the database cookbook, which
provides you with some nice resources for managing this kind of stuff:
https://github.com/opscode-cookbooks/database#examples

I believe this resource doesn't show the secret data.

I hope this helps.
Cheers


Juanje


#4

thanks for the suggestion. i’m looking at the docs for the database cookbook
and i’m wondering, do the resources and providers assume that the initial
mysql root user password has already been set? if it does, then i have
chicken/egg.

i’m looking to set the password on the root user immediately after having done
mysql_install_db and a block that mimics mysql_secure_installation. (i have to
mimic the latter rather than executing it because it requires interaction).

as to vina’s suggestion to “create a definition for this so it encapsulates
the instructions”, i haven’t yet worked with definitions in chef. i wonder if
that’s the right, or at least viable way to go.

how have other people on the list set an initial password for mysql root user
and not exposed it in logs?

thanks so much,
kallen

On Wed, 23 May 2012, Juanje Ojeda Croissier wrote:

Hi,

I think you can't do much using the execute resource, but for this
particular case, probably you could use the database cookbook, which
provides you with some nice resources for managing this kind of stuff:
https://github.com/opscode-cookbooks/database#examples

I believe this resource doesn't show the secret data.

I hope this helps.
Cheers


Juanje

http://about.me/juanje


#5

I haven’t used this technique in Chef… since I just joined the list and
I’m setting up Chef for the first time…

In the past when I wanted to script setting passwords and not have them
visible I used already encrypted passwords in the command. Login to a
server where you've already setup MySQL with the right password and
select * from users to get the password in the encrypted form that you want to
set. Then the recipe in Chef needs to be modified so it doesn't use the
PASSWORD function. I do the same thing with the shadow encrypted password
for Linux user accounts and the userPassword field in OpenLDAP.

So the command that Chef should be creating would be something like:

CREATE USER 'root'@'localhost' IDENTIFIED BY PASSWORD
'lkjasdgadsg;afdioewqqwet098098dfgo'

The password has been changed to protect the innocent.

Some flavor of this has worked for me for years using scripts to administer
various UNIX flavors. I would imagine that Chef would work just as well.

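The pre-hashed approach described above, as an added example that is not from the thread: it reproduces the mysql_native_password hash that PASSWORD() computed on MySQL 4.1 through 5.7 and builds the statements a recipe can run so that only the hash, never the plaintext, appears on the command line. It assumes MySQL 5.x syntax (IDENTIFIED BY PASSWORD '<hash>' and the hash-literal form of SET PASSWORD accepted up to 5.6), which MySQL 8 removed; the inputs are constructed.

```ruby
require 'digest/sha1'

# Added example, not code from the thread. mysql_native_password, the scheme
# behind PASSWORD() on MySQL 4.1 through 5.7, is '*' followed by the
# upper-case hex of SHA1(SHA1(plaintext)), where the inner SHA1 is the raw
# 20-byte digest rather than its hex form.
def mysql_native_hash(plaintext)
  inner = Digest::SHA1.digest(plaintext)
  '*' + Digest::SHA1.hexdigest(inner).upcase
end

# Quote a MySQL string literal, escaping backslashes and single quotes so an
# account name cannot break out of the statement.
def mysql_quote(str)
  "'" + str.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
end

# Statements a recipe can put on the command line: only the hash appears in
# them, never the plaintext. Both are MySQL 5.x syntax (assumption: the target
# is 5.6 or earlier, where SET PASSWORD accepts a hash literal).
def create_user_sql(user, host, plaintext)
  "CREATE USER #{mysql_quote(user)}@#{mysql_quote(host)} " \
    "IDENTIFIED BY PASSWORD #{mysql_quote(mysql_native_hash(plaintext))}"
end

def set_password_sql(user, host, plaintext)
  "SET PASSWORD FOR #{mysql_quote(user)}@#{mysql_quote(host)} = " \
    "#{mysql_quote(mysql_native_hash(plaintext))}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input; the password is the placeholder value from the thread.
  puts set_password_sql('root', 'localhost', 'ehMAHgawd')
end
```

The hash is still secret material and belongs in the encrypted data bag like the plaintext did; what changes is that a logged command line now exposes the hash rather than the password itself.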