On Fri, 2018-09-21 at 19:01 +0530, Dileep V Nair wrote:
> Hi,
>
> I have written heartbeat resource agent scripts for Oracle and
> Sybase. Both the scripts take user passwords as parameters. Is there
> a way to do some encryption for the passwords so that the plain text
> passwords are not visible from the primitive also?

One option is to put the password in a (plaintext) file and take the
file name as a resource parameter.

There's also a (sadly undocumented) optional feature in pacemaker called
CIB secrets. If pacemaker is built with ./configure --with-cibsecrets,
you can put files under /var/lib/pacemaker/lrm/secrets/<RESOURCE-NAME>/
with the secrets, and they will be loaded from there rather than the
CIB. I'm not familiar enough to give any more detail than that. I
believe they're enabled in the SUSE packages, so maybe SUSE has some
documentation.

The topic has been discussed in the past without a better solution
being apparent. It would theoretically be possible to require a
human-entered password at boot for some sort of password manager daemon
to decrypt an encrypted file with sensitive parameters, and have the RA
query the daemon for the password as needed. However the daemon becomes
a single point of failure (though it could perhaps be managed by the
cluster), and the daemon needs to allow root (i.e. the RA) to get any
password at will (otherwise, requiring the RA to authenticate itself to
the daemon would just reintroduce the problem).

>
> Thanks & Regards
>
> Dileep Nair
> Squad Lead - SAP Base
> IBM Services for Managed Applications
> +91 98450 22258 Mobile
> dilen...@in.ibm.com
>
> IBM Services

--
Ken Gaillot <kgail...@redhat.com>
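The first option Ken describes (file name as the resource parameter, password read from the file at run time), as an added example that is not code from the thread or from the pacemaker project. It assumes a hypothetical RA parameter OCF_RESKEY_passwd_file and GNU stat (Linux), and refuses a secret file whose mode or owner would let other users read it.

```shell
#!/bin/sh
# Constructed example: an OCF resource agent helper that takes the *file name*
# as the resource parameter and reads the password from that file, so the CIB
# (and "crm configure show"/"pcs config") never carries the plaintext.
# Assumptions: hypothetical parameter OCF_RESKEY_passwd_file; GNU stat (Linux).

: "${OCF_ERR_CONFIGURED:=6}"   # standard OCF exit code, normally set by ocf-shellfuncs

# read_secret_file FILE
# Prints the first line of FILE. Prints nothing and returns 1 unless FILE is a
# regular, non-empty file owned by the user running the RA (root under
# pacemaker) with no group/other permission bits. A leaked mode is a hard
# error: better to refuse to start than to run with a password others can read.
read_secret_file() {
    f="$1"
    secret=
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    # %a is octal without a leading zero (600, 400, 640 ...). The last two
    # digits are the group and other bits and must both be zero.
    case "$mode" in
        *00) ;;
        *) echo "secret file $f has mode $mode; expected 0600 or 0400" >&2; return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "secret file $f is not owned by uid $(id -u)" >&2; return 1
    fi
    # read returns non-zero at EOF even when it filled $secret (file without a
    # trailing newline), so only an empty result counts as an error.
    if ! IFS= read -r secret < "$f" && [ -z "$secret" ]; then
        echo "secret file $f is empty" >&2; return 1
    fi
    printf '%s\n' "$secret"
}

# In the RA's start action (hypothetical parameter name):
#   db_pw=$(read_secret_file "$OCF_RESKEY_passwd_file") || exit "$OCF_ERR_CONFIGURED"
# The primitive then carries only the path (e.g. passwd_file=/etc/pacemaker/db.pw);
# the file itself is created out of band on each node, root-owned, mode 0600.
```

The check against `id -u` rather than a hard-coded uid 0 keeps the helper usable from a non-root test run while still requiring root ownership when pacemaker executes the agent.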