Issue with handling sensitive data (passwords) using Puppet and Hiera-Eyaml.

asked 2017-05-10 10:38:11 -0500

loureiro

Hi guys,

I am testing Hiera-Eyaml for encrypting the passwords for the users in our Cassandra databases.
Encrypting the passwords in the eyaml files and passing the Hiera data to the testing nodes works fine.

My module runs an exec statement, that basically performs an "alter user <user> with password <password>" in Cassandra, <password> being the Eyaml encrypted string being passed from Hiera.

Problem arises when I run a "puppet agent -t --debug" from the agent nodes, as it shows the passwords in plain text... is there any way of preventing this master-side? I read about the show_diff metaparameter but it only applies to file resources.

Thanks.

Comments

This module might do what you are trying to do: https://raw.githubusercontent.com/openstack/puppet-keystone/master/manifests/init.pp Take a look at how they implement a "secret" tag in their resource type: keystone_config { 'DEFAULT/admin_token': value => $admin_token, secret => true; }

Red Cricket ( 2017-05-11 02:19:25 -0500 )
That module is passing the value into a custom type/provider. The problem is that the OP is trying to only use an 'exec' resource, which is shown during debugging. There are no parameters to suppress exec output https://docs.puppet.com/puppet/latest/types/exec.html#exec-attributes

DarylW ( 2017-05-11 07:53:28 -0500 )
However, one potential way to work 'around' this if you don't want the complexity of a type/provider is to create a script on disk that contains the command, and run that with the exec. However, you then have a file on disk with the plaintext password in it. (can be root/root/400, but still)

DarylW ( 2017-05-11 07:54:28 -0500 )
Also, which module are you using for Cassandra?

DarylW ( 2017-05-11 07:55:54 -0500 )

Yeah, generating a script on disk with the password in plain text could work in some situations, but it is definitely not the best workaround possible. I'm using this module from Puppet Forge, with some modifications to the cassandra::schema::user.pp manifest: https://forge.puppet.com/locp/cassandra

loureiro ( 2017-05-12 04:33:24 -0500 )
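As an added example (not code from the question, the comments, or the locp/cassandra module), the script-on-disk workaround discussed in the comments can be arranged so that the script holds no secret at all: the password reaches it through an environment variable set by the exec's `environment` attribute, and the ALTER USER statement is written to cqlsh on stdin, so the command string that `puppet agent -t --debug` logs (and that `ps` shows in argv) carries only the username. The script name `cassandra_set_password.sh`, the variable `CASSANDRA_PASSWORD` and the `CQLSH` override are assumptions of this example; so is the assumption that the debug line quotes the exec command, not its environment array.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the locp/cassandra module.
# Wrapper an exec resource can call without the password in the command string.
# Assumptions of this example:
#   - the password arrives in CASSANDRA_PASSWORD (set via exec's `environment`)
#   - CQLSH may override the cqlsh binary so the script can run without Cassandra

# CQL escapes a single quote inside a string literal by doubling it, so a
# password such as  it's  becomes  it''s  and cannot break out of the literal.
cql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Build the statement from a username argument and the password taken from
# the environment. The password is never accepted as a positional argument,
# which is what would put it into argv and into Puppet's "Executing ..." line.
build_alter_user_cql() {
    user=$1
    if [ -z "$user" ]; then
        echo "build_alter_user_cql: username argument is required" >&2
        return 1
    fi
    if [ -z "${CASSANDRA_PASSWORD:-}" ]; then
        echo "build_alter_user_cql: CASSANDRA_PASSWORD is not set" >&2
        return 1
    fi
    printf "ALTER USER '%s' WITH PASSWORD '%s';\n" \
        "$(cql_escape "$user")" "$(cql_escape "$CASSANDRA_PASSWORD")"
}

# Feed the statement to cqlsh on stdin; only the username and any connection
# flags ($2...) appear on the cqlsh command line.
alter_user_password() {
    user=$1
    shift
    build_alter_user_cql "$user" | "${CQLSH:-cqlsh}" "$@"
}

# Run as a script: cassandra_set_password.sh <user> [cqlsh options...]
case "$0" in
    *cassandra_set_password.sh) alter_user_password "$@" ;;
esac
```

The matching exec would then be along the lines of `command => '/usr/local/bin/cassandra_set_password.sh alice'` with `environment => ["CASSANDRA_PASSWORD=${password}"]` (a hypothetical resource, not from the locp module). The caveat a practitioner should keep in mind: this hides the value from the debug log and from argv, not from root, since the process environment is readable through /proc by root and by the process owner, and the value is still present in plain text in the compiled catalog the agent caches on disk.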

1 Answer

answered 2017-05-15 03:57:12 -0500

loureiro

Is there any way of preventing an exec statement from outputting stuff in plain text?
