Would a sparse checkout or using git-archive prevent an attacker from simply initiating a pull of the repo without those options, so that they can get everything?
--David Reagan

On Fri, Jun 5, 2015 at 8:48 AM, Brian Coca <[email protected]> wrote:
> So there are several approaches to this:
>
> - making a repo per host, which would isolate the compromisable data,
>   this is a LOT of work and requires workarounds for shared things
>   (roles, includes, etc) but this would work right now.
>
> - use sparse checkouts, this is not supported currently by the git
>   module and requires newer versions of git, this still copies all the
>   data it just does not make it available in the working directory (this
>   might still change at the git level).
>
> - use git archive's prefix option, also not currently supported by the
>   git module, but this would provide the best protection against leaking
>   data unnecessarily to each target machine.
>
> All require that the repo is structured in such a way that each host
> (or similar group of hosts) can have access to only their subset of
> data and yet still get the shared resources they need (symlinks?).
>
> A different approach is to vault all sensitive data with different
> passwords for the different host 'security zones', each ansible-pull
> will only be able to decrypt the data relevant to themselves.
>
> --
> Brian Coca
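The sparse-checkout point in Brian's reply (and David's question about what a puller ends up holding), as an added example that is not part of the thread: a constructed repo with one directory per host, cloned with a sparse checkout limited to host_a/, still lets the clone read host_b's file out of its own object store, so sparse checkout narrows the working tree but is not an access control. It assumes git is on PATH and uses the classic core.sparseCheckout mechanism (read-tree -mu), which predates the git sparse-checkout command.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows that a sparse checkout still
# fetches every object of the repo; only the working tree is narrowed.
# Assumes git is on PATH; the secret value below is a constructed sample.

# Returns 0 when a clone sparsely checked out to host_a/ can still read
# host_b's file from its own object store, 1 otherwise.
sparse_clone_still_has_other_hosts_data() {
  work=$(mktemp -d) || return 1
  origin="$work/origin"
  clone="$work/clone"
  rc=1

  # Constructed sample repo: one directory per managed host.
  git init -q "$origin" &&
  mkdir -p "$origin/host_a" "$origin/host_b" &&
  echo "role: web" > "$origin/host_a/vars.yml" &&
  echo "db_password: host_b_secret_SAMPLE" > "$origin/host_b/vars.yml" &&
  git -C "$origin" -c user.name=t -c user.email=t@example.invalid add -A &&
  git -C "$origin" -c user.name=t -c user.email=t@example.invalid \
      commit -q -m "per-host layout" &&

  # Clone over the file:// transport (objects are transferred, not
  # hardlinked) and populate only host_a/ via the sparse-checkout file.
  git clone -q --no-checkout "file://$origin" "$clone" &&
  git -C "$clone" config core.sparseCheckout true &&
  echo "host_a/" > "$clone/.git/info/sparse-checkout" &&
  git -C "$clone" read-tree -mu HEAD &&

  # The working tree really is narrowed: host_b/ is absent ...
  [ ! -e "$clone/host_b/vars.yml" ] &&
  # ... yet host_b's blob is local and readable with no further network access.
  git -C "$clone" show HEAD:host_b/vars.yml | grep -q "host_b_secret_SAMPLE" &&
  rc=0

  rm -rf "$work"
  return $rc
}

# Stand-alone usage: report the outcome.
if sparse_clone_still_has_other_hosts_data; then
  echo "host_b's secret is readable from a host_a-only sparse checkout"
else
  echo "could not demonstrate (git missing or sparse checkout behaved differently)"
fi
```

The same holds for every host running ansible-pull against a shared repo: whatever the fetch transfers is recoverable on that host, so only repo-level separation or per-zone vault passwords actually limit exposure.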
