Temp client-Node only variable? -> securing private passwords


#1

Hi there,

Is there any possibility to secure private passwords and certs with chef?
I know that chef has encrypted data bags, but every client needs a key for
opening the data bags. So I have to copy the key as a file onto all nodes.
So I'd have a key in the filesystem of all nodes which can access all
important passwords in my environment. That's not as secure as I'd like.
So I'd like to write a TCPClient which runs on all nodes and a TCPServer
which runs on a dedicated server. The clients have to authenticate with an
individual hash and the server sends each node only the passwords which
the client node needs. Now I have the problem of storing the password
information the node gets from the server, because I don't want to save it
in a file.
Is there a possibility to store the passwords only in RAM for the
runtime of chef-client and have them dropped afterwards?

Thanks,

Christian

On 12.05.14 at 19:22, “Bryan McLellan” <btm@loftninjas.org> wrote:

On Mon, May 12, 2014 at 9:44 AM, indra.k@cloudenablers.com wrote:

But my question is: is it possible to run chef-client with JSON attributes
passed as runtime parameters, without creating the attributes in a JSON
file? Why I am asking is that if we want to pass a single attribute we need
to create a JSON file and pass it just for that single attribute. So I am
only asking whether there is any option for running chef-client with
override attributes as runtime parameters.

https://tickets.opscode.com/browse/CHEF-1918

No, you cannot pass JSON on the command line. CHEF-1918 represents the
feature request.

I think this was originally the design because it would be a bit of a
complicated syntax to type and quote, so it wouldn’t be easy to use,
and making another syntax, e.g. foo=bar, baz[faz][jaz]=stuff, would
also be complicated and probably limiting.

Is the attribute value that you’re trying to pass changing often? Is
it something you could dynamically configure from other information?

If it’s something only a human could provide that always goes into the
same attribute, maybe read it out of an environment variable in a
recipe and run like this:

MY_VALUE=bob chef-client -r recipe[my_thing]

Bryan
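The design Christian sketches above (a per-node credential, a dedicated server that hands each node only its own secrets, and nothing written to disk) can be shown end to end in plain Ruby. The following is an added example written for this thread, not code from Christian, Bryan or the Chef project. It replaces the "individual hash" with a per-node client certificate checked over mutual TLS, which gives the server a verified identity to authorize against, and keeps the returned secrets in an ordinary Hash. In a real recipe that Hash would go into node.run_state, which exists for the duration of a chef-client run and is not saved to the Chef server. The CA, the server and node certificates, the node names, the port and every secret value are constructed inside the script so it runs offline.

```ruby
# Added example (not from the thread): a minimal mutually-authenticated
# secret service. The server identifies each node by the CN of its client
# certificate and returns only that node's secrets; the client keeps the
# result in memory only (in a Chef recipe: node.run_state, never persisted).
# All certificates, node names and secret values below are constructed.
require 'openssl'
require 'socket'
require 'json'

# Issue a certificate; self-signed when no issuer is given (the toy CA).
def make_cert(cn, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**30)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed PKI: one CA, one server cert, one cert per node.
CA     = make_cert('toy-secrets-ca', ca: true)
SERVER = make_cert('secrets.example.internal', issuer: CA)
NODES  = { 'web01' => make_cert('web01', issuer: CA),
           'db01'  => make_cert('db01',  issuer: CA),
           'rogue' => make_cert('rogue', issuer: CA) }

# Constructed catalogue: which secrets each node identity may receive.
CATALOGUE = {
  'web01' => { 'app_db_password' => 'constructed-web-secret' },
  'db01'  => { 'replication_password' => 'constructed-db-secret' }
}.freeze

def trust_store
  store = OpenSSL::X509::Store.new
  store.add_cert(CA[0])
  store
end

# Server: require a client certificate chained to our CA, then answer with
# only the entries the presented identity is entitled to (least privilege).
def start_server
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = SERVER
  ctx.cert_store  = trust_store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp  = TCPServer.new('127.0.0.1', 0)
  ssls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = ssls.accept   # handshake fails here for peers without a valid cert
        node = conn.peer_cert.subject.to_a.find { |n, _, _| n == 'CN' }[1]
        conn.puts JSON.generate(CATALOGUE.fetch(node, {}))  # unknown identity => nothing
        conn.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        # rejected or broken connection: keep serving
      end
    end
  end
  tcp.addr[1]
end

# Client: authenticate with the node's own cert, verify the server against
# the CA, and return the secrets as a Hash that lives only in memory.
def fetch_secrets(port, node_name)
  cert, key = NODES.fetch(node_name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx.cert_store  = trust_store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.sync_close = true
  sock.connect
  secrets = JSON.parse(sock.gets)
  sock.close
  secrets   # in a recipe: node.run_state[:secrets] = secrets
end

if __FILE__ == $PROGRAM_NAME
  port = start_server
  p fetch_secrets(port, 'web01')   # only web01's entry
  p fetch_secrets(port, 'rogue')   # valid cert, no entitlement: {}
end
```

Two points matter for the question in the thread. First, the authorization decision is made on an identity the server has verified (the client certificate), not on a shared key copied to every node, so a node that is compromised exposes only its own entries. Second, the secrets are never a node attribute and never a file: anything put into node attributes is serialized to the Chef server on node.save, whereas node.run_state is discarded when the run ends. For production use the client should also set the expected server hostname (SSLSocket#hostname together with verify_hostname on the context) so a server certificate issued for some other name is rejected; the example skips that check because it connects to a loopback address.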


#2

Look at either chef-vault or citadel. Both have their advantages and disadvantages, and neither is a particularly good solution. Secrets management is basically not a usefully solved problem at this time, though Barbican is the most promising blip on the horizon at the moment.

–Noah

On May 21, 2014, at 1:25 AM, Christian Fröstl christian.froestl@nubon.com wrote:
