well let's hope for the best on the first :) but yeah, physical access = game over
On Tue, Sep 23, 2014 at 12:22 PM, Michael DeHaan <[email protected]> wrote:
> "I think he meant unauthorized access to the tower machine. Either way, that's a bigger issue."
>
> Yeah, it's not really possible to have unauthorized access to the Tower machine, unless you have a physical access problem.
>
> On Tue, Sep 23, 2014 at 10:28 AM, John Favorite <[email protected]> wrote:
>> I think he meant unauthorized access to the tower machine. Either way, that's a bigger issue.
>>
>> On Tue, Sep 23, 2014 at 8:19 AM, Michael DeHaan <[email protected]> wrote:
>>> Not really.
>>>
>>> Any config tool does need to actually configure the box, however Tower has role based access control that you can use to restrict *WHO* can configure the box.
>>>
>>> Further, you can also control access to your source control so only certain people should have access to your playbooks.
>>>
>>> You can allow some users you don't trust to deploy into test/stage environments, and only allow ops team members you trust to deploy into prod.
>>>
>>> And that exists with every single configuration tool on the planet -- needing to be able to configure the system -- and is not an SSH key specific kind of thing.
>>>
>>> On Tue, Sep 23, 2014 at 1:47 AM, Kevin Burton <[email protected]> wrote:
>>>> The SSH issue is still an issue if I'm letting this daemon run as root on tower, because anyone can just inject code if they can break into this box...
>>>>
>>>> On Monday, September 22, 2014 5:31:09 PM UTC-7, Michael DeHaan wrote:
>>>>> So a very good option for key management would be ansible tower - http://ansible.com/tower
>>>>>
>>>>> Let Tower hold on to your key, and nobody will see it. It will use ssh-agent behind the scenes (your key may be locked with a password or not) and only allow that key to be used for running Ansible playbooks.
>>>>>
>>>>> (The key is saved encrypted in the database)
>>>>>
>>>>> I'd also consider setting things up so something like an "ansible" user can sudo. It isn't strictly required, but might help a little bit with tracking who does what.
>>>>>
>>>>> (Tower also keeps good logs of this)
>>>>>
>>>>> On Mon, Sep 22, 2014 at 8:23 PM, Kevin Burton <[email protected]> wrote:
>>>>>> Right now I just manually SSH into a box in our cluster and run ansible.
>>>>>>
>>>>>> But I want to automate this... Ideally I could just bump the version number in my code when I want it released... and 2 minutes later it would be staged, tested, and deployed.
>>>>>>
>>>>>> But the issue is SSH auth... many of my daemons need root. I don't necessarily want to have keys just sitting there giving anyone full access to my cluster.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAKsMCER%2BQ_94LWAZ1pz5FhHJ-z0HCioPszF8O63g4i9kUDaU3w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
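As an added example that is not part of the thread or of Tower, the playbook below implements Michael's suggestion of a dedicated "ansible" user that can sudo, with sudo logging so each action is attributable, and it turns off root login over SSH so the deploy key is not a root key. The public key path, the log file name and the sshd service name are assumptions.

```yaml
---
# Added example, not from the thread: give automation its own "ansible"
# account instead of root, and have sudo log what that account does.
# Assumed: files/ansible_deploy.pub holds the deploy public key, and the
# SSH service is named "sshd" (it is "ssh" on Debian/Ubuntu).
- name: Provision a dedicated, audited deploy user
  hosts: all
  become: true
  vars:
    deploy_user: ansible
    deploy_pubkey: "{{ lookup('file', 'files/ansible_deploy.pub') }}"
  tasks:
    - name: Create the deploy user (locked password, key-only login)
      user:
        name: "{{ deploy_user }}"
        shell: /bin/bash
        password_lock: true

    - name: Install the deploy key, replacing anything else in authorized_keys
      authorized_key:
        user: "{{ deploy_user }}"
        key: "{{ deploy_pubkey }}"
        exclusive: true

    - name: Allow passwordless sudo for the deploy user, with command and I/O logging
      copy:
        dest: "/etc/sudoers.d/{{ deploy_user }}"
        owner: root
        group: root
        mode: "0440"
        validate: "visudo -cf %s"   # refuse to install a sudoers file that does not parse
        content: |
          Defaults:{{ deploy_user }} logfile="/var/log/sudo-{{ deploy_user }}.log"
          Defaults:{{ deploy_user }} log_output
          {{ deploy_user }} ALL=(ALL) NOPASSWD: ALL

    - name: Disable root login over SSH so the deploy key is the only automation path
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin no"
        validate: "sshd -t -f %s"   # syntax-check before the daemon is restarted
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      service:
        name: sshd
        state: restarted
```

Runs against the hosts afterwards use `-u ansible --become`, and `/var/log/sudo-ansible.log` plus the sudo I/O logs record which playbook task ran what.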
