On Tuesday, April 10, 2018 at 12:41:27 PM UTC-5, Jason McMahan wrote:
>
> Good day,
> I wanted to toss this out there to see if anyone has tried this.
>
> Could I perform a hiera lookup from within a custom puppet provider?
>
>
> My thinking is to lookup an encrypted password, then use the lookup to 
> decrypt and pass the username and password to a powershell that I need to 
> execute within that provider.
>
> Thoughts?
>


First, everything interesting that providers do, they do on the target 
node.  Hiera data, on the other hand, live primarily on the node hosting 
the catalog builder.  Those are the same node when applying catalogs via 
'puppet apply', but they are usually different nodes when applying catalogs 
via 'puppet agent'.  It's unclear which is your scenario, but if you're running the 
agent (== running Puppet as a service) then your provider likely cannot 
perform hiera lookups because the data are not available to it in the first 
place.

Second, even if the data were available, if they include both key and 
encrypted data then you gain very little security, because anyone who can 
obtain the data can also obtain the key.  Same if you transmit the 
encryption key inside your catalogs or hard-code it into your provider 
implementation.  Encryption just isn't very secure overall without 
additional secure measures for key storage and / or key generation and 
exchange.

Overall, I don't see much to be gained.  Catalog data are already encrypted 
on the wire between master and agent (SSL / TLS), with both parties 
authenticating.  This is pretty good protection against data being stolen 
in transit.  As for protecting sensitive data once it reaches target nodes, 
however, your first and best and perhaps only real protection is the 
authentication and access control measures of that machine. If you are 
unwilling to trust those, then the only solution is to altogether avoid giving 
the node sensitive data.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/540c25f2-7380-4a76-8597-4e3f297b4def%40googlegroups.com.