Re: [Puppet Users] Password retrieval from external source on node

2016-03-19 Thread Thomas Müller


On Thursday, 10 March 2016 17:01:36 UTC+1, Craig Dunn wrote:
>
>
>
> On Thu, Mar 10, 2016 at 3:09 PM, Thomas Müller wrote:
>
>> I'm too interested in how people manage credentials without having it in 
>> the catalog.
>>
>
> The problem as I see it is that there isn't a blanket approach.  If you 
> need a secret value in a template, that template is already compiled into 
> the catalog before the agent receives it, and there are numerous ways to 
> get a file on a system.  One idea would be a kind of "eyaml in reverse" 
> approach, where files could be deployed with inline encrypted data, and 
> then a type and provider to do a pattern substitution on the file on the 
> agent using local keys.   
>
> But the problem isn't just files - what about, for example, exec commands 
> that need to use a secret in the command line?  file_line resources? 
> augeas? - there's a whole host of places the data might end up. 
>

> I think the bigger issue to address would be why are your catalogs not 
> considered a safe place to have this data? Access to the catalog should be 
> at the same level of trust as root access to the agent.
>
>
As Trevor pointed out, it's about where the credentials get logged and 
saved (Foreman, PuppetDB, Syslog, ...).

Another problem arises if you have to integrate with systems/services not 
managed by puppet. 

Or if you have compliance policies to work with.  Like (oversimplified): 
"credentials MUST only be saved in tool xy with fancy hardware crypto and 
on the target system". This leads to the requirement to have something on 
the client side which handles the retrieval of the credentials. So it can 
be ensured that only the tool xy and the target system know about the 
credential.

- Thomas
-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/36ce2dab-b799-4b20-bf43-e40ba4afaa6b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Password retrieval from external source on node

2016-03-10 Thread Trevor Vaughan
One of the main issues is ensuring that the sensitive contents of the
catalog do not make their way back into PuppetDB, Foreman, etc

I've been toying with the idea of adding a special, non-translated function
to Puppet core that will provide direction for the agent itself to reach
out to a 'trusted' data source regardless of placement in the catalog.

Essentially, this would be a special string, combined with some sort of
metaparameter that alters the catalog content on the fly.

It should absolutely be doable and the Conjur FOSS codebase is close to
there but doesn't quite hit the mark across the board for what I would like.

If anyone would like to start this, I'd be more than happy to help
contribute when I have time. Otherwise, I'll just hack at it when I get the
chance.

Thanks,

Trevor

On Thu, Mar 10, 2016 at 11:01 AM, Craig Dunn  wrote:

>
>
> On Thu, Mar 10, 2016 at 3:09 PM, Thomas Müller 
> wrote:
>
>> I'm too interested in how people manage credentials without having it in
>> the catalog.
>>
>
> The problem as I see it is that there isn't a blanket approach.  If you
> need a secret value in a template, that template is already compiled into
> the catalog before the agent receives it, and there are numerous ways to
> get a file on a system.  One idea would be a kind of "eyaml in reverse"
> approach, where files could be deployed with inline encrypted data, and
> then a type and provider to do a pattern substitution on the file on the
> agent using local keys.
>
> But the problem isn't just files - what about, for example, exec commands
> that need to use a secret in the command line?  file_line resources?
> augeas? - there's a whole host of places the data might end up.
>
> I think the bigger issue to address would be why are your catalogs not
> considered a safe place to have this data? Access to the catalog should be
> at the same level of trust as root access to the agent.
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --



Re: [Puppet Users] Password retrieval from external source on node

2016-03-10 Thread Craig Dunn
On Thu, Mar 10, 2016 at 3:09 PM, Thomas Müller 
wrote:

> I'm too interested in how people manage credentials without having it in
> the catalog.
>

The problem as I see it is that there isn't a blanket approach.  If you
need a secret value in a template, that template is already compiled into
the catalog before the agent receives it, and there are numerous ways to
get a file on a system.  One idea would be a kind of "eyaml in reverse"
approach, where files could be deployed with inline encrypted data, and
then a type and provider to do a pattern substitution on the file on the
agent using local keys.

But the problem isn't just files - what about, for example, exec commands
that need to use a secret in the command line?  file_line resources?
augeas? - there's a whole host of places the data might end up.

I think the bigger issue to address would be why are your catalogs not
considered a safe place to have this data? Access to the catalog should be
at the same level of trust as root access to the agent.

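The "eyaml in reverse" substitution Craig describes above, and the agent-side resolution of a special string that Trevor sketches, as an added example that is not code from this thread or from any Puppet project: a Ruby sketch of the step such a type/provider would run on the agent. The `ENC[AES256GCM,...]` token format, the per-node AES-256-GCM key and all helper names are assumptions of this example.

```ruby
require 'openssl'
require 'base64'

# Token format assumed here: ENC[AES256GCM,<base64(iv || ciphertext || tag)>]
TOKEN = %r{ENC\[AES256GCM,([A-Za-z0-9+/=]+)\]}

# Runs where the secret is authored, never on the master: seal one value.
def encrypt_secret(plaintext, key)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv                     # fresh 12-byte nonce per value
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  "ENC[AES256GCM,#{Base64.strict_encode64(iv + ct + c.auth_tag)}]"
end

# Runs on the agent with the node-local key. A wrong key or a tampered
# token fails the GCM tag check and raises OpenSSL::Cipher::CipherError.
def decrypt_secret(blob, key)
  raw = Base64.strict_decode64(blob)
  raise ArgumentError, 'token too short' if raw.bytesize < 12 + 16 + 1
  iv, tag, ct = raw.byteslice(0, 12), raw.byteslice(-16, 16), raw.byteslice(12...-16)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = iv
  d.auth_tag = tag
  d.auth_data = ''
  d.update(ct) + d.final
end

# The provider's substitution step: replace every token in the managed file.
def substitute_tokens(content, key)
  content.gsub(TOKEN) { decrypt_secret(Regexp.last_match(1), key) }
end

# What the master, PuppetDB or Foreman would see: does it contain a secret?
def leaks_plaintext?(catalog_text, secrets)
  secrets.any? { |s| catalog_text.include?(s) }
end

if $PROGRAM_NAME == __FILE__
  local_key = OpenSSL::Random.random_bytes(32)   # constructed per-node key
  secret = 'constructed-db-password'
  template = "db_password = #{encrypt_secret(secret, local_key)}\n"
  puts template                                  # catalog-side content
  puts leaks_plaintext?(template, [secret])      # false
  puts substitute_tokens(template, local_key)    # content written on the agent
end
```

The same substitution would have to be applied to exec command lines, file_line and augeas values to cover the other places Craig lists, which is what makes a catalog-wide metaparameter rather than a file-only provider attractive.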


RE: [Puppet Users] Password retrieval from external source on node

2016-03-10 Thread Thomas Müller
I'm too interested in how people manage credentials without having it in the 
catalog.

Recently I stumbled upon a Puppet Labs blog post about Conjur. There is also a 
video of a presentation at PuppetConf 2015 about this. 

Managing credentials out of band ("out of puppet") seems like a good way to 
solve the catalog problem. 

Thomas



RE: [Puppet Users] Password retrieval from external source on node

2016-03-10 Thread Johan De Wit
Hi Craig, 

They are still stored unencrypted in the catalog, which is an issue for us.

Security is a high priority in this case.

grts

Johan

-Original message-
From: Craig Dunn <cr...@craigdunn.org>
Sent: Thursday 10th March 2016 12:38
To: puppet-users@googlegroups.com
Subject: Re: [Puppet Users] Password retrieval from external source on node

On Thu, Mar 10, 2016 at 12:05 PM, Johan De Wit <jo...@open-future.be> wrote:

Hi, 

Anyone playing with the idea to manage passwords on the node by retrieving them 
from an external source like CyberArk?

The idea is to avoid storing passwords in some 'human readable' form in eg. 
hiera, manifests, catalogs, puppetdb ..
Main concern is security.


Why can't you store them in hiera using hiera-eyaml, which is what most people 
do - so they are stored inline with the rest of your configuration but are 
encrypted.  If you want to go the extra mile you could use Vault; there is also 
a hiera-vault backend, though I've not got first-hand experience of that. 

Craig


Re: [Puppet Users] Password retrieval from external source on node

2016-03-10 Thread Craig Dunn
On Thu, Mar 10, 2016 at 12:05 PM, Johan De Wit wrote:

> Hi,
>
> Anyone playing with the idea to manage passwords on the node by retrieving 
> them from an external source like CyberArk?
>
> The idea is to avoid storing passwords in some 'human readable' form in eg. 
> hiera, manifests, catalogs, puppetdb ..
> Main concern is security.
>
>
Why can't you store them in hiera using hiera-eyaml, which is what most
people do - so they are stored inline with the rest of your configuration
but are encrypted.  If you want to go the extra mile you could use Vault;
there is also a hiera-vault backend, though I've not got first-hand
experience of that.

Craig
