Re: Private data in manifests (was: Re: [Puppet Users] Using Git to distribute Puppet configs)

Fri, 29 Jan 2010 09:02:42 -0800 

Eric Gerlach wrote:


On Wed, Jan 27, 2010 at 05:59:27PM +0100, Thomas Bellman wrote:



Don't put passwords and private keys in your manifests.



Would you call this a general rule?  If so, what's the best practice for
setting passwords and private keys?


Yes, I think that is a very good general rule.

I would recommend putting private keys and similar stuff in a separate
fileserver section, preferably one that is client specific, i.e. where
you have %H in the path:

    [private]
        path    /config/private/%h
        allow   *

and copy files from there with something like:

    file {
        "/etc/ssh/ssh_host_rsa_key":
            source => "puppet:///private/sshkeys/ssh_host_rsa_key";
    }

If it's not practical to manage the entire file, for example if you just
want to set the password of a particular user, then you can grab that
data on the Puppet master using the file() or template() function, or a
custom function pulling the string from some kind of structured file or
database.  Something like:

    define user_password()
    {
        $password = file("/config/user-passwords/$name")
        user {
            $name:
                password => $password;
        }
    }

might do the trick.


There are a couple of advantages to keep that kind of data out of the
manifests.  One is that you don't "contaminate" non-sensitive information
(your configuration) with sensitive data.  Even if you don't plan on
showing your manifests to the public, you might someday want to get help
from external people.  If passwords and private keys are kept separate,
you don't need to go through your manifests and censor them before showing
them to the helpers.

Also, if you have a testing/development system, you probably don't want
the same passwords and keys on that as you do on the production system.
Moving new manifests from testing to development becomes easier if you
don't have to change passwords and keys in them at the same time.

Secondly, in my experience it doesn't make much sense to track keys in
the same VCS repository as configuration.  If you suddenly decide that
you need to revert your configuration to what it was two weeks ago, do
you really want to revert, e.g., ssh host keys at the same time?


        /Bellman

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.























					Reply via email to