On Wednesday, April 8, 2015 at 4:33:41 PM UTC-5, Scott Jaffa wrote: > > John, > > Thanks for the detailed reply. While we aren't in agreement on some of > the finer points, it is moot as you've made it quite clear that the listed > approaches won't work at a technical level. > Stepping back, can you suggest a good method by which one could separate > out cross organizational (in this case security hardening) parameters in a > way that they could be shared across organizations? > Assuming the answer, shared or not, for the security layer is hiera, I > need to put more thought into the structure. > > You want to harden machine configurations managed via Puppet. To a large extent, that means setting class parameter values that tend to improve security; certainly everything you have discussed so far boils down to that. The central work to be performed, then, is to identify which parameters of which classes need attention, and to determine what values you prefer (for security) for those parameters. You were already planning to do this, at least for Puppet modules used within your organization, and it constitutes the vast majority of the work that will be needed.
The remaining question, then, is how to package the hard (parameter, value) pairs in such a way that Puppet can apply them, and, preferrably, in a way that can usefully be shared among organizations. If it is not at this point obvious to you that this problem is right in the center of Hiera's wheelhouse, then I urge you to freshen up your Hiera knowledge and to read up on Puppet automatic data binding before you devote any other effort to planning this endeavor. The main thing you need to do is put your hardened parameters in a (one) YAML file. Such a file could easily be shared, and those who want to use it -- yourself included -- need only to configure it as the data source for a high-priority level of their Hiera hierarchy. Class parameter values that are assigned via automatic data binding will draw on these data. Class parameter values that are set by any other means were out of reach of any general-purpose scheme to begin with. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5cfa70ea-fe04-4c5d-b1a1-84a3d2f6acd9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
