We have a couple of database clusters in our environments, where each of them needs to have:

1. A username for the db process, eg: mysql, oracle, and
2. For each database cluster, this db username needs to have SSH authorized keys for:
   - Any hosts within the cluster itself (eg: for dbcluster01 - dbcluster10, where dbuser from dbcluster01 can ssh to any of dbclusterXX, but not to different_dbclusterXX)
   - ssh key from a bastion host
   - ssh key from another bastion host
   - ssh key from a third bastion host (for the third bastion host, it can only access select db nodes)
While this can be accomplished by hardcoding the needed ssh keys into a cfengine 3 policy, I'm wondering if a dynamic cf3 policy can be created, something like:

    # intent: for each name in username_slist, read /exports/authorized_keys/<name>,
    # look up the db user's home directory from /etc/passwd, and replace
    # $(homedir)/.ssh/authorized_keys with the collected keys
    bundle agent update_authorized_keys(dbusername, username_slist)
    {
      vars:
          "homedir" string => execresult("/usr/bin/getent passwd $(dbusername) | /usr/bin/cut -d: -f6", "useshell");
          # one list of key lines per exported key file, "#" comments stripped
          "A[$(username_slist)]" slist => readstringlist("/exports/authorized_keys/$(username_slist)", "#[^\n]*", "\n", 100, 16384);
          "keys" slist => getvalues("A");
      files:
          "$(homedir)/.ssh/authorized_keys"
            create        => "true",
            edit_defaults => empty,
            edit_line     => insert_lines(@(keys));
    }

And for each of the db clusters above, we have a policy similar to:

    bundle agent dbclusterA
    {
      vars:
          "ssh_keys" slist => { "dbclusterA", "bastion1", "bastion2" };
      methods:
          "dbclusterA" usebundle => common_bundle;
          "dbclusterA" usebundle => update_authorized_keys("oracle", @(ssh_keys));
    }

while for dbclusterB, we do:

    bundle agent dbclusterB
    {
      vars:
          "ssh_keys" slist => { "dbclusterB", "bastion1", "bastion2", "bastion3" };
      methods:
          "dbclusterB" usebundle => common_bundle;
          "dbclusterB" usebundle => update_authorized_keys("oracle", @(ssh_keys));
    }

The reason is we have multiple database clusters, and due to SOX compliance, we need from time to time to replace the bastion host SSH key. Editing multiple db policies just for a bastion host SSH key seems like it could be more prone to error ...

Let me know if my thinking of the methods above is flawed, and it is not possible ... Thanks

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
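A complete policy for the layout described in the post, added here as an example; it is not from the thread and not part of CFEngine's standard library. It assumes CFEngine 3.6 or later with stdlib.cf available, a Linux host where `getent passwd` resolves the db user, key files named `/exports/authorized_keys/<name>` (one public key per line), a primary group with the same name as the db user, and hypothetical node names `dbclusterB01`..`dbclusterB03` as the only dbclusterB nodes that bastion3 may reach. The bastion key names live in one common bundle and the key material lives in one directory, so rotating a bastion key means replacing one file; the per-cluster bundles only name which keys they trust.

```cfengine3
body common control
{
      bundlesequence => { "dbclusterA", "dbclusterB" };
      inputs         => { "$(sys.libdir)/stdlib.cf" };
}

# Everything that changes at rotation time lives here or under
# /exports/authorized_keys (one file per key name); nothing is hardcoded
# in the per-cluster bundles.
bundle common ssh_keys
{
  vars:
      "keydir"   string => "/exports/authorized_keys";   # assumed layout
      "bastions" slist  => { "bastion1", "bastion2" };   # trusted by every cluster
}

bundle agent dbclusterA
{
  vars:
      # cluster-internal node keys plus the bastions every cluster trusts
      "keys" slist => { "dbclusterA", @(ssh_keys.bastions) };
  methods:
      "keys" usebundle => update_authorized_keys("oracle", @(keys));
}

bundle agent dbclusterB
{
  classes:
      # hypothetical: only dbclusterB01..dbclusterB03 admit bastion3
      "bastion3_allowed" expression => regcmp("dbclusterB0[1-3]", "$(sys.uqhost)");
  vars:
    bastion3_allowed::
      "keys" slist => { "dbclusterB", @(ssh_keys.bastions), "bastion3" };
    !bastion3_allowed::
      "keys" slist => { "dbclusterB", @(ssh_keys.bastions) };
  methods:
      "keys" usebundle => update_authorized_keys("oracle", @(keys));
}

# Rebuild $HOME/.ssh/authorized_keys for dbuser from the named key files.
# The file is replaced in a single edit, so a key that is no longer listed
# (a rotated bastion key) disappears on the next run instead of lingering.
bundle agent update_authorized_keys(dbuser, keynames)
{
  vars:
      # assumes Linux getent; the home dir comes from the passwd database
      "homedir"  string => execresult("/usr/bin/getent passwd $(dbuser) | /usr/bin/cut -d: -f6", "useshell");
      "keypaths" slist  => maplist("$(ssh_keys.keydir)/$(this)", @(keynames));
      # one list of key lines per file, "#..." comments stripped
      "lines[$(keynames)]" slist => readstringlist("$(ssh_keys.keydir)/$(keynames)", "#[^\n]*", "\n", 100, 16384);
      # getvalues is assumed to flatten the per-file lists into one list
      "all_keys" slist => getvalues("lines");

  classes:
      "have_homedir"    expression => isdir("$(homedir)");
      # refuse to rewrite if any named key file is missing: keeping
      # yesterday's keys beats locking every admin out with an empty file
      "keyfile_missing" not => filesexist(@(keypaths));

  files:
    have_homedir.!keyfile_missing::
      "$(homedir)/.ssh/."
        create => "true",
        perms  => mog("0700", "$(dbuser)", "$(dbuser)");   # group assumed = user name

      "$(homedir)/.ssh/authorized_keys"
        create        => "true",
        perms         => mog("0600", "$(dbuser)", "$(dbuser)"),
        edit_defaults => empty,
        edit_line     => insert_lines(@(all_keys)),
        classes       => if_repaired("authorized_keys_changed");

  reports:
    keyfile_missing::
      "Not rewriting authorized_keys for $(dbuser): a key file under $(ssh_keys.keydir) is missing";
    authorized_keys_changed::
      "Rewrote $(homedir)/.ssh/authorized_keys for $(dbuser) from key file: $(keynames)";
}
```

In production the bundlesequence would select the one cluster bundle that applies to the running host (by class derived from the hostname) rather than listing both. Note that this moves the trust root for every db account into `/exports/authorized_keys`: whoever can write a file there can log in as oracle on every node, so that directory must be writable only by the policy owners, audited like the policy itself, and ideally distributed from the policy server with the same integrity checks as the policy rather than via a writable network export. The `keyfile_missing` guard is deliberate: with `edit_defaults => empty`, a missing key file would otherwise produce an authorized_keys with that key silently absent.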