That's great! And what should I do with various passwords, private keys and so on?
Should I put them in the manifest?

That is a hard call, and there is probably no single answer.

For what it is worth, we decided that this was an acceptable security risk in
some places (database passwords containing unclassified data only), and
unacceptable in others (SSL certificate private keys).

We presently distribute the latter set, the keys, only through manual action,
although you can use Puppet-specific restrictions to serve them up safely from
external files.

I hope to have some acceptable solution that keeps both my needs (no manual
setup) and the needs of our auditors (keep things secure) in balance, but
don't presently have one.


we look up passwords via an external source, which is only located on the master. so in the manifests you find only the lookup statement. ssl-keys are managed by puppet but stored in a module which is separated from all the other modules and which resides only on the master within a local git repository.

so far we see this as comfortable as possible with the best (?) possible security you can have in such a centralized setup.

cheers pete
