criteo-cookbooks / rundeck-server

Apache License 2.0

Sensitive information in attributes #33

Closed isuftin closed 8 years ago

isuftin commented 8 years ago

I've created a wrapper cookbook that allows me to place sensitive information into encrypted data bags instead of into node attributes visible to anyone.

The wrapper cookbook looks something like this:

databag_name = node['caws-rundeck']['data_bag_config']['bag_name']
databag_users_item = node['caws-rundeck']['data_bag_config']['users_bag_item']
databag_passwords_item = node['caws-rundeck']['data_bag_config']['passwords_bag_item']
framework_server_password_attribute = node['caws-rundeck']['data_bag_config']['framework_server_password_attribute']
mysql_server_password_attribute = node['caws-rundeck']['data_bag_config']['mysql_server_password_attribute']
rundeck_encryption_password_attribute = node['caws-rundeck']['data_bag_config']['encryption_password_attribute']

# Check if the data bag for secrets exists in the first place
if Chef::DataBag.list.key?(databag_name)

  # Check if the data bag item exists
  if search(databag_name, "id:#{databag_users_item}").any?
    users = data_bag_item(databag_name, databag_users_item)
    if ! users.nil?
      # Set the base cookbook's realm.properties to the data bag's hash minus the id field
      node.override['rundeck_server']['realm.properties'] = users.to_hash.reject {|k,v| k == "id"}
    end
  end

  if search(databag_name, "id:#{databag_passwords_item}").any?
    passwords = data_bag_item(databag_name, databag_passwords_item)
    framework_server_password = passwords[framework_server_password_attribute]
    mysql_server_password = passwords[mysql_server_password_attribute]
    rundeck_encryption_password = passwords[rundeck_encryption_password_attribute]

    if ! framework_server_password.nil? && ! framework_server_password.empty?
      node.override['rundeck_server']['rundeck-config.framework']['framework.server.password'] = framework_server_password
    end

    if ! mysql_server_password.nil? && ! mysql_server_password.empty?
      node.override['rundeck_server']['rundeck-config.properties']['dataSource.password'] = mysql_server_password
    end

    if ! rundeck_encryption_password.nil? && ! rundeck_encryption_password.empty?
      node.override['rundeck_server']['rundeck-config.properties']['rundeck.storage.converter.1.config.password'] = rundeck_encryption_password
      node.override['rundeck_server']['rundeck-config.properties']['rundeck.config.storage.converter.1.config.password'] = rundeck_encryption_password
    end
  end

end

include_recipe 'rundeck-server::default'

# Remove the credentials here so that they can't be attained via knife or through the console
if ! framework_server_password.nil? && ! framework_server_password.empty?
  node.override['rundeck_server']['rundeck-config.framework']['framework.server.password'] = ""
end

if ! mysql_server_password.nil? && ! mysql_server_password.empty?
  node.override['rundeck_server']['rundeck-config.properties']['dataSource.password'] = ""
end

if ! rundeck_encryption_password.nil? && ! rundeck_encryption_password.empty?
  node.override['rundeck_server']['rundeck-config.properties']['rundeck.storage.converter.1.config.password'] = ""
  node.override['rundeck_server']['rundeck-config.properties']['rundeck.config.storage.converter.1.config.password'] = ""
end

if ! users.nil?
  node.override['rundeck_server']['realm.properties'] = {}
end

I wonder whether you would find it useful for me to bring in something like this as a PR to your cookbook, or whether you want to keep yours as is and delegate this functionality to upstream wrapper cookbooks?
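The wrapper above blanks the override attributes after `include_recipe` so the passwords never reach the Chef server when the node object is saved at the end of the run. The check a reviewer would want next is evidence that the blanking actually covered every sensitive key. The following is an added example, not code from this issue or from the rundeck-server cookbook: plain Ruby with no Chef dependency that models the node attribute hash as a constructed sample, scrubs the same key paths the wrapper touches (hashes become `{}`, strings become `""`), and then searches the JSON that would be saved for any remaining secret value. The key paths, sample values and function names are all assumptions made for the example.

```ruby
require 'json'

# Constructed sample of the node attributes a wrapper recipe would have set
# before the base recipe consumed them. Values are placeholders, not real secrets.
SAMPLE_NODE = {
  'rundeck_server' => {
    'realm.properties' => { 'admin' => 'MD5:constructedhash,user,admin' },
    'rundeck-config.framework' => { 'framework.server.password' => 'fw-secret-example' },
    'rundeck-config.properties' => {
      'dataSource.url' => 'jdbc:mysql://db.example/rundeck',
      'dataSource.password' => 'db-secret-example',
      'rundeck.storage.converter.1.config.password' => 'enc-secret-example',
      'rundeck.config.storage.converter.1.config.password' => 'enc-secret-example'
    }
  },
  'hostname' => 'rundeck01.example'
}.freeze

# The attribute paths the wrapper blanks after include_recipe (assumed list).
SENSITIVE_PATHS = [
  %w[rundeck_server realm.properties],
  %w[rundeck_server rundeck-config.framework framework.server.password],
  %w[rundeck_server rundeck-config.properties dataSource.password],
  %w[rundeck_server rundeck-config.properties rundeck.storage.converter.1.config.password],
  %w[rundeck_server rundeck-config.properties rundeck.config.storage.converter.1.config.password]
].freeze

# Walk a nested hash along a path; nil when any step is missing.
def dig_path(node, path)
  path.reduce(node) { |h, k| h.is_a?(Hash) ? h[k] : nil }
end

# Return every string leaf under a value (hash or array), i.e. the secrets themselves.
def leaves(value)
  case value
  when Hash then value.values.flat_map { |v| leaves(v) }
  when Array then value.flat_map { |v| leaves(v) }
  when String then [value]
  else []
  end
end

# Collect the distinct secret strings currently stored under the sensitive paths.
def secret_values(node, paths)
  paths.flat_map { |path| leaves(dig_path(node, path)) }.reject(&:empty?).uniq
end

# Deep-copy the node and blank each sensitive path the way the wrapper does:
# a hash (realm.properties) becomes {}, a string password becomes "".
def scrub_attributes(node, paths)
  scrubbed = Marshal.load(Marshal.dump(node))
  paths.each do |path|
    *parents, leaf = path
    container = dig_path(scrubbed, parents)
    next unless container.is_a?(Hash) && container.key?(leaf)
    container[leaf] = container[leaf].is_a?(Hash) ? {} : ''
  end
  scrubbed
end

# The check itself: serialize the node as it would be saved and report any secret
# that is still present. Secrets are compared in their JSON-escaped form so that
# quotes or backslashes inside a password do not hide a match.
def leaked_secrets(node, secrets)
  serialized = JSON.generate(node)
  secrets.select { |s| serialized.include?(s.to_json[1..-2]) }
end

if __FILE__ == $PROGRAM_NAME
  secrets = secret_values(SAMPLE_NODE, SENSITIVE_PATHS)
  puts "before scrub: #{leaked_secrets(SAMPLE_NODE, secrets).size} secret(s) in saved JSON"
  clean = scrub_attributes(SAMPLE_NODE, SENSITIVE_PATHS)
  puts "after scrub:  #{leaked_secrets(clean, secrets).size} secret(s) in saved JSON"
end
```

Run against a real node, the same `leaked_secrets` check can be fed `node.to_hash` at the end of a run (for instance from a report handler) to confirm that every path the wrapper is supposed to blank was in fact blanked, including any new password key a later cookbook version introduces.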

kamaradclimber commented 8 years ago

Thanks for your suggestion!

I think we would prefer to keep this kind of logic in wrapper cookbooks. There are several ways to store "secrets" and to hide them; we don't want to impose one solution.

For reference, we are using chef-vault to store secrets and chef-secret to "hide" attributes set by the wrapper cookbook. See https://github.com/criteo-cookbooks/chef-secrets for details.

kamaradclimber commented 8 years ago

I think you can set data from encrypted databags (as chef-vault) into the attributes and hide them with chef-secret. Then your solution is very close to ours.