Hey all, I'm building a platform that allows a customer to log in, create a pre-configured infrastructure (i.e. 1 web node + Varnish caching) and administer it from my GUI I'll be creating. The functionality is similar to WP-Engine in some ways. The question I have is in regards to being able to securely identify a minion against its original owner account in my GUI. I'm aware that a compromised minion can fake grains, even change its own minion ID, etc., so I'm looking for your advice on the easiest/best way to identify (for sure) that a minion does in fact have permission to be given its assigned sensitive Pillar data, etc.
Some thoughts I've had:
- If a minion faked its ID (not sure if this is as simple as changing the config file since there are SSH keys involved), then in theory, using globs to target minions by name could be insecure
- If a minion faked its grains, then in theory, using globs to target minions by grains could be insecure
- One thing a minion can't fake is its SSH key(s) because obviously the master would have to verify this
- Is it possible/practical to use a unique id from my provider? (Digital Ocean)
Final thoughts
- It seems like it would be safe to use the minion ID in a convention like so <fqdn>-<node-role>-<user-id> to identify the ownership of a minion in regards to the user account in my GUI, since if a minion changed its own ID, even to the same ID as another minion owned by a different account, this would cause quite a hiccup since there would be mismatched or even unaccepted keys on the master. Am I correct in assuming this is safe?
- I'm also not fond of having to make my minion IDs too convoluted. I'd love to just have <fqdn>-<node-role>-<role-id> (i.e. somesite.com-web-1, somesite.com-web-2 in a 2 web node setup). Is there a way, other than putting the user ID in the minion's ID, that I can securely verify a minion to its owner account in my GUI?
Other info:
- I'll be providing pillars via a NoSQL database that will be populated via my GUI & REST
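Added example (not part of the post above, and not Salt's own code): the post's observation that the one thing a minion cannot forge is the key the master accepted is the basis for this sketch of an owner lookup keyed on key fingerprint rather than on minion ID or grains. The GUI records the fingerprint of the keypair it generates for each node at provisioning time; a pillar gate then maps the requesting minion ID to the key the master actually accepted for it, and from that fingerprint to the owning account. The key bodies, the `register_node`/`owner_of`/`pillar_for` names, the registry layout and the fingerprint routine (SHA-256 of the PEM body with header, footer and whitespace stripped, in the colon-separated style of `salt-key -F`) are all assumptions made for this example; the only Salt fact relied on is that accepted minion public keys live under `/etc/salt/pki/master/minions/<minion_id>`.

```python
import hashlib

# Constructed placeholder PEM bodies; they are not real RSA keys. They stand
# in for the files the master keeps under /etc/salt/pki/master/minions/<id>.
KEY_SOMESITE_WEB1 = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsomesitewebnode1\n"
    "placeholderkeybodyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END PUBLIC KEY-----\n"
)
KEY_OTHERSITE_WEB1 = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAothersitewebnode1\n"
    "placeholderkeybodyBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n"
    "-----END PUBLIC KEY-----\n"
)
# A key nobody provisioned through the GUI (constructed).
KEY_UNKNOWN = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunknownminionkey\n"
    "placeholderkeybodyCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\n"
    "-----END PUBLIC KEY-----\n"
)


def pem_fingerprint(pem):
    """Colon-separated SHA-256 over the base64 body of a PEM block.

    Header, footer and whitespace are dropped first so re-wrapped copies of
    the same key fingerprint identically (assumed format, modelled on the
    `salt-key -F` style of output)."""
    lines = pem.strip().splitlines()[1:-1]
    body = "".join(line.strip() for line in lines)
    digest = hashlib.sha256(body.encode("ascii")).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def register_node(registry, pem, owner, minion_id):
    """GUI side, at provisioning time: the platform generates the minion
    keypair it injects into the new droplet and records which account it
    was issued to and under which minion ID. Keyed on fingerprint, not ID."""
    registry[pem_fingerprint(pem)] = {"owner": owner, "minion_id": minion_id}


def owner_of(minion_id, accepted_keys, registry):
    """Master side: resolve the account that owns `minion_id`.

    Only the key the master has accepted for that ID is consulted; grains
    and the ID string itself are never trusted. Returns None when the
    accepted key was not issued by the GUI, or was issued for another ID
    (e.g. an operator accepted a stray key under the wrong name)."""
    pem = accepted_keys.get(minion_id)
    if pem is None:
        return None
    entry = registry.get(pem_fingerprint(pem))
    if entry is None or entry["minion_id"] != minion_id:
        return None
    return entry["owner"]


def pillar_for(minion_id, claimed_owner_grain, accepted_keys, registry, secrets):
    """ext_pillar-style gate: release only the secrets of the account that
    owns the accepted key. `claimed_owner_grain` is what the minion says
    about itself and is deliberately ignored; it is passed in only to make
    the point that a forged grain changes nothing."""
    owner = owner_of(minion_id, accepted_keys, registry)
    if owner is None:
        return {}
    return {"db_password": secrets[owner]}


# Constructed state: what the GUI registered and what the master accepted.
REGISTRY = {}
register_node(REGISTRY, KEY_SOMESITE_WEB1, "acct-1", "somesite.com-web-1")
register_node(REGISTRY, KEY_OTHERSITE_WEB1, "acct-2", "othersite.org-web-1")

ACCEPTED_KEYS = {
    "somesite.com-web-1": KEY_SOMESITE_WEB1,
    "othersite.org-web-1": KEY_OTHERSITE_WEB1,
}
# Same master, after an operator blindly accepted an unregistered key that
# showed up under an existing customer's minion ID.
ACCEPTED_KEYS_AFTER_BAD_ACCEPT = dict(ACCEPTED_KEYS, **{"othersite.org-web-1": KEY_UNKNOWN})

SECRETS = {"acct-1": "s3cret-acct-1", "acct-2": "s3cret-acct-2"}

if __name__ == "__main__":
    # A minion whose grain claims acct-2 but whose accepted key is acct-1's
    # still only receives acct-1's pillar.
    print(pillar_for("somesite.com-web-1", "acct-2", ACCEPTED_KEYS, REGISTRY, SECRETS))
    # After the bad accept, the ID resolves to no owner and gets nothing.
    print(pillar_for("othersite.org-web-1", "acct-2", ACCEPTED_KEYS_AFTER_BAD_ACCEPT, REGISTRY, SECRETS))
```

The practical consequence for the naming question in the post: with the owner recorded against the key at provisioning time, the minion ID can stay as short as `somesite.com-web-1`, because the ID is only a lookup handle into the accepted-keys directory and carries no trust of its own. The check also turns a key accepted under the wrong name from a silent pillar leak into an empty pillar and a logged mismatch.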