On Wednesday, August 28, 2013 4:57:36 AM UTC-5, Luca Gioppo wrote:
>
> It seems a very clever approach!!!
> If it works, it could be the approach for not having dependency.
> I do not agree that the two modules are dependent, they just depend on the 
> same data, but given the data should be able to work on their own.
> This problem is also mine in trying to design modules that do not require 
> people to have knowledge of other modules.
>
>

At minimum, modules that depend on the same hiera key are coupled via that 
key.  I choose to consider that a form of dependency, but you can certainly 
take a narrower view of that term if you wish.  The fact remains that even 
if module authors are not aware of such coupling, module *users* need to 
be.  Moreover, although module authors may not be aware of other modules 
depending on the same data, they do need to be mindful which data are 
shared, for those belong to the overall site, not to any individual 
module.  The technique can certainly be useful and appropriate, but like 
any other technique, you need to understand the implications of what you do 
with it.

 

> This approach enables placing all possible common data in the external 
> file and using hiera to decouple the stuff.
> So on the module usage description people will just be asked to set the 
> files accordingly and the possible common data is referenced by hiera.
>
> could the data be protected in some way? just not to have maby common 
> password written in clear?
>
>

Hiera supports pluggable back-ends, and there are some available that 
provide for encrypted storage of the data.  I am inclined to think, 
however, that it is sufficient for most sites to limit access to the 
Puppetmaster and rely on appropriate access controls for the data files.  
In fact, no encryption solution can do more than slow a knowledgeable and 
determined assailant attempting to obtain data that the master itself 
can decrypt, for in the end there has to be a cleartext encryption key or 
comparable credential that Puppet can read.


John
