CiscoCloud / distributive

Unit testing for the cloud
Apache License 2.0

Handle authentication on responseMatches-style check #43

Open langston-barrett opened 9 years ago

langston-barrett commented 9 years ago

So that the response from something like Consul can be parsed.

langston-barrett commented 9 years ago

Possible issue: Distributive currently reads from plain text configs. How would secrets be stored? Vault? Seems complex.

langston-barrett commented 9 years ago

@LeeLammert What do you think about how the authentication data might be stored?

LeeLammert commented 9 years ago

It is common practice in the Nagios world to have different levels of authority - i.e. a "read only" access level could logically be stored in clear text. Authentication data for responseMatches & responseMatchesInsecure should be kept securely, and we should not rely on good practice to ensure that level of security.

In this case, it would be good to store the credentials in Vault.

langston-barrett commented 9 years ago

Yeah, I definitely don't think we should store anything in plain text, even if it is secured via permissions. If someone gets root access to a node or physical access to the disk, they then have access to administration of your cluster. We should wait on the integration of Vault into MI before we get started on this. Pushing it to a long-term feature.

langston-barrett commented 9 years ago

A temporary workaround is to use "commandOutputMatches", provide your regexp, and use curl to pass authentication data.