Attributes for storing/transmitting passwords as an alternative to data bags


Ionuț Arțăriși

Jun 16, 2014, 10:08:04 AM
to opscode-che...@googlegroups.com
I know that the official approach is to use data bags for storing
secrets. However, in crowbar we have been using attributes for this
purpose and it seems there are others[1] who have the same
approach.

Right now it is possible to use attributes for storing tokens by
(ab)using the developer_mode (setting
node['openstack']['developer_mode'] to true, and setting the
node['openstack']['secret'][index] attribute for each cookbook). But
AFAICT this isn't possible for passwords because then there would be
collisions for the data bag type (db, user or service).

I would like to raise the status of these attributes from "ugly hack" to
(unsupported) alternative in the openstack-chef cookbooks so downstreams
can rely on these attributes when developing their wrapper cookbooks.

The only change would be in the -common cookbook, specifically the
passwords library and maybe adding a few more default
attributes. Something similar to the referenced commit[1] with a bit
more work. Maybe also using an attribute in -common which would switch
between the data-bags default and attributes. And with some
documentation in the README.

[1] https://review.openstack.org/#/c/97948


-Ionuț

Matt Ray

Jun 16, 2014, 10:58:35 AM
to Chef-OpenStack
That sounds like a perfectly reasonable idea, to make attributes a
working alternative. That would make supporting alternative password
storage mechanisms much more straightforward.

Thanks,
Matt Ray
Director of Partner Integration :: Chef
512.731.2218 :: ma...@getchef.com
mattray :: GitHub :: IRC :: Twitter

Mark Vanderwiel

Jun 16, 2014, 12:02:20 PM
to opscode-che...@googlegroups.com

While I like the basic idea, I did not like the ref commit change to the existing password interface as that implies more changes sprinkled around the cookbooks.
Would be nice to see this contained with Common library methods and attributes that could be wrapped and overridden.
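
An added example (not part of the thread and not openstack-common's code): one way the data-bag/attribute switch discussed above could be contained in a single library method, keyed by type so db, user and service entries cannot collide. The `SecretResolver` class, the `secret_source` and `attribute_secrets` attribute names and the `bag_lookup` callable are assumptions; `node` is a plain Hash standing in for Chef node attributes.

```ruby
# Hypothetical helper; none of these names come from openstack-common.
class SecretResolver
  TYPES = %w(db user service token).freeze

  # node:       Hash standing in for Chef node attributes
  # bag_lookup: callable(type, index) standing in for the data bag lookup
  def initialize(node, bag_lookup)
    @node = node
    @bag_lookup = bag_lookup
  end

  # Hypothetical switch attribute; data bags stay the default.
  def source
    @node.fetch('openstack', {}).fetch('secret_source', 'data_bag')
  end

  def get(type, index)
    raise ArgumentError, "unknown secret type #{type.inspect}" unless TYPES.include?(type)
    value = case source
            when 'data_bag'
              @bag_lookup.call(type, index)
            when 'attribute'
              # Namespaced by type: ['attribute_secrets'][type][index]
              @node.dig('openstack', 'attribute_secrets', type, index)
            else
              raise ArgumentError, "unknown secret source #{source.inspect}"
            end
    # Fail closed: never hand a nil or empty password to a recipe.
    if value.nil? || value.to_s.empty?
      raise KeyError, "no #{type} secret for #{index.inspect} via #{source}"
    end
    value
  end
end

# Constructed sample data, for illustration only.
ATTR_NODE = {
  'openstack' => {
    'secret_source' => 'attribute',
    'attribute_secrets' => {
      'db'      => { 'nova' => 'db-pass-example' },
      'service' => { 'nova' => 'svc-pass-example' }
    }
  }
}.freeze
SAMPLE_BAG = ->(type, index) { { %w(db nova) => 'bag-db-pass-example' }[[type, index]] }
```

A wrapper cookbook would only set the switch attribute and the per-type values; recipes keep calling one method regardless of where the secret lives.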