Aha. Okay, so there is a feature on the roadmap called "vault" that I think will be perfect for this use case. It is what I was hinting at in my first reply where the password is stored in ciphertext on the control host and easily decryptable by Ansible. It doesn't deter a determined attacker, but prevents shoulder surfing.
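An added illustration of the workflow described in that reply (not part of the original thread, and written against the ansible-vault command line as it later shipped rather than the roadmap feature mentioned above): the secret exists only as ciphertext in the repository and on the control host, Ansible decrypts it in memory for the duration of the play, and the managed box only ever sees the effect of the secret, never a file containing it. The file names, the `dbservers` group, the variable names and the password value are assumptions made for the example.

```yaml
# group_vars/dbservers/vault.yml
# Created on the control host with:
#   ansible-vault create group_vars/dbservers/vault.yml
# The plaintext typed into the editor is a single line (example value only):
#   vault_mysql_root_password: "example-only-change-me"
# What lands on disk is ciphertext under a "$ANSIBLE_VAULT;1.1;AES256" header.
# Ansible decrypts it in memory when the play runs; nothing derived from the
# value is written to the managed host.

# set_db_password.yml
# Run with the vault password read from a 0600 file that exists only on the
# control host:
#   ansible-playbook -i inventory set_db_password.yml \
#       --vault-password-file ~/.vault_pass
- name: Set the MySQL root password without storing it on the database host
  hosts: dbservers
  become: true
  vars:
    # A plain variable pointing at the vaulted one, so "grep mysql_root_password"
    # still finds every use even though the value itself is encrypted.
    mysql_root_password: "{{ vault_mysql_root_password }}"
  tasks:
    - name: Apply the root password (value exists only in Ansible's memory)
      mysql_user:
        name: root
        password: "{{ mysql_root_password }}"
        login_user: root
        login_password: "{{ mysql_root_password }}"
        # Fall back to the passwordless root login a fresh install offers,
        # so the first run can bootstrap the password.
        check_implicit_admin: true
      # Keep the value out of ansible-playbook output and any log file.
      no_log: true
```

The vault password file is the thing an auditor will ask about next: it unlocks everything in the vault, so it lives only on the control host, mode 0600, outside the repository. That matches the point made above: this keeps the credential off the audited box and out of casual view, but anyone who can read the control host's vault password file can read the secrets.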
Ah, PCI and HIPAA, how I don't miss thee. Sadly, both of those are more sane than COBIT, FISMA, et al.

On Fri, Jan 10, 2014 at 6:15 PM, Stan Lemon <[email protected]> wrote:

> So this is a PCI compliant environment. I hit similar issues when I worked in health care though and we were trying to meet HIPAA compliance with our hardware. Auditors just didn't want access credentials on the same box, so with that company we were able to have puppet handle them and because the puppet master was somewhere else the auditors didn't care. It's dumb reasoning, but it's the way these industries work.
>
> So I can have passwords in my ansible playbooks, that's tolerable. I just can't put the password on the box itself. That is most likely a pretty uniform requirement, with the exception of application configuration to connect to said database.
>
> Thanks for your help on this.
>
> --
> Stan Lemon
>
> On January 10, 2014 at 1:25:01 PM, Peter Gehres ([email protected]) wrote:
>
>>> I don't think ciphertext + decryption key would fly either. I agree with you that both this 0600 on the root should be sufficient, but often times the audits in these regulated environments defy rational arguments.
>>
>> Sadly, I thought that might be your answer. Does this only apply to the root password?
>>
>> If you can share, what framework are you being audited under? You've got me playing cat-and-mouse with the auditors in my head. :-)
>>
>> Have you solved this problem outside of Ansible anywhere as part of an automation routine?
>>
>> --
>> Peter Gehres
>> Site Reliability Engineer | AppDynamics, Inc.
>> www.appdynamics.com | AS62897
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.

--
Peter Gehres
Site Reliability Engineer | AppDynamics, Inc.
www.appdynamics.com | AS62897
