On Fri, Jun 06, 2014 at 08:51:39AM -0400, Simo Sorce wrote:

> Clearly puppet has root level access to the system so you do not (should
> not ?) care much about preventing access to these systems, the aim is to
> not inadvertently divulge secrets through manifests and nothing else.
And puppet logs. And forgetting the secrets around. With puppet you do not have interactive (password) prompt available so everything including secrets needs to be pre-created and pre-populated before the puppet apply starts. Or, where possible, generated and immediately encrypted -- I find that approach very clever. But unfortunately it can only be used for the initial FreeIPA server installation, it seems -- in all the subsequent operations, we need to pass the existing matching credential.

I wonder if we could be able to pass the passwords to puppet via file descriptors from some invoking wrapper ...

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
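The wrapper-plus-file-descriptor idea floated at the end of the reply above, shown as an added, runnable example that is not part of the thread and not FreeIPA or puppet code. A small Python child process stands in for the puppet run (the real thing would be `puppet apply` reading the fd from a provider or a `facter` hook; that wiring is not shown here), and the secret is a constructed placeholder. The point of the contrast between the two functions is where the secret is visible: handed over on a pipe, it shows up in neither the child's command line nor its environment, which are exactly what `ps`, `/proc/<pid>/cmdline`, auditd and a verbose puppet log would otherwise capture.

```python
import json
import os
import subprocess
import sys

# Constructed sample credential for the demonstration; not a real password.
SAMPLE_SECRET = "constructed-example-password"

# Stand-in for the puppet run (assumption: a tiny Python child, not puppet).
# It obtains the secret in one of two ways and reports back, as JSON, what it
# received and whether the secret is visible in its own argv or environment,
# i.e. the places `ps`, auditd and run logs read from.
CHILD_PROGRAM = r"""
import json, os, sys
mode, value = sys.argv[1], sys.argv[2]
if mode == "fd":
    # Read the whole secret from the inherited pipe until the writer closes it.
    fd = int(value)
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(fd)
    secret = b"".join(chunks).decode()
else:
    # Weak form: the secret arrived as a command-line argument.
    secret = value
print(json.dumps({
    "secret": secret,
    "in_argv": secret in sys.argv,
    "in_env": secret in os.environ.values(),
}))
"""


def _spawn_child(argv, pass_fds=()):
    """Start the stand-in child with extra arguments and optional inherited fds."""
    return subprocess.Popen(
        [sys.executable, "-c", CHILD_PROGRAM, *argv],
        pass_fds=pass_fds,          # everything else is closed in the child
        stdout=subprocess.PIPE,
    )


def run_child_with_secret_fd(secret: str) -> dict:
    """Hardened form: the child only sees a file descriptor number on its
    command line and reads the secret from the pipe behind it."""
    read_fd, write_fd = os.pipe()
    # pass_fds keeps the same fd number in the child, so we can tell it which one.
    proc = _spawn_child(["fd", str(read_fd)], pass_fds=(read_fd,))
    os.close(read_fd)                     # the wrapper keeps only the write end
    os.write(write_fd, secret.encode())   # a short secret fits in the pipe buffer
    os.close(write_fd)                    # EOF tells the child the secret is complete
    out, _ = proc.communicate()
    return json.loads(out)


def run_child_with_secret_argv(secret: str) -> dict:
    """Weak form, for contrast: the secret is an argument, visible to any local
    user via `ps` and copied verbatim into whatever logs the command line."""
    proc = _spawn_child(["argv", secret])
    out, _ = proc.communicate()
    return json.loads(out)


if __name__ == "__main__":
    for label, runner in (("fd", run_child_with_secret_fd),
                          ("argv", run_child_with_secret_argv)):
        print(label, runner(SAMPLE_SECRET))
```

Two caveats a practitioner would want: the wrapper writes the secret before the child has necessarily started reading, which is fine for a password-sized value but would deadlock for anything larger than the pipe buffer (write from a thread, or after `communicate()` style pumping, in that case); and the pipe only keeps the secret out of argv and environment, so the child still has to avoid echoing it into its own logs or leaving it in a file on disk, which is the other half of the concern raised in the thread.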