Hello, I have a module for deploying an application which relies on an (external) MySQL database. Here is a simplified version of the relevant parts:

    class myapp::database {
      $db_user = my_db_user
      $db_name = my_db_name

      # generate_db_passwd is a custom script, basically a wrapper around
      # "openssl rand"
      exec { '/usr/local/bin/generate_db_passwd':
        creates => '/etc/facter/facts.d/myapp_db_passwd.yaml'
      }

      # The custom fact is only set once the script above has run.
      if $myapp_db_passwd {
        # This will be collected on the MySQL server.
        @@database_user { "${db_user}@${::fqdn}":
          ensure        => present,
          provider      => mysql,
          password_hash => mysql_password($myapp_db_passwd),
        }
        @@database_grant { "${db_user}@${::fqdn}/${db_name}":
          privileges => ['all'],
          provider   => mysql,
        }
      }
    }

Now I'm not sure this is really secure. The custom fact myapp_db_passwd may be disclosed to local users of the app server if they have the correct access rights (nothing to worry about, these are typically the application admins). It is sent to the puppetmaster and stored in PuppetDB. Can anyone fetch it from here?

--
A
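
The post does not show generate_db_passwd itself. The following is an added example, not the poster's script: a hypothetical wrapper around "openssl rand" that writes the external fact once, atomically, and readable by its owner only. The function names, the 24-byte length and the 0600 mode are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for /usr/local/bin/generate_db_passwd (not the
# poster's script). Writes a random password as a Facter external fact.

FACT_FILE="${FACT_FILE:-/etc/facter/facts.d/myapp_db_passwd.yaml}"

# 24 random bytes, base64-encoded (32 characters, no padding).
# Falls back to /dev/urandom when openssl is not installed.
gen_passwd() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 24
    else
        head -c 24 /dev/urandom | base64
    fi
}

# Create the fact file once and never overwrite an existing password,
# matching the "creates =>" guard on the exec resource.
write_fact() {
    fact_file="$1"
    [ -e "$fact_file" ] && return 0
    fact_dir=$(dirname "$fact_file")
    old_umask=$(umask)
    umask 077                                  # nothing group/world-readable
    tmp=$(mktemp "$fact_dir/.myapp_db_passwd.XXXXXX") || {
        umask "$old_umask"
        return 1
    }
    # Base64 output contains no quote or backslash, so plain YAML quoting is safe.
    printf 'myapp_db_passwd: "%s"\n' "$(gen_passwd)" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$fact_file"                     # atomic rename, no partial file
    umask "$old_umask"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
fact_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Only act when invoked as: generate_db_passwd --run
if [ "${1:-}" = "--run" ]; then
    write_fact "$FACT_FILE"
fi
```

The file mode only limits who can read the password on the app server; the fact value is still sent to the puppetmaster as the post describes.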