Ah interesting. Is there any ETA on when vault will be available in beta for testing?
I wonder too… do you think it’s possible to alter the paradigm and modify a pseudo my.cnf locally that would load the password? Such that it would get passed over ssh then, but it would reside on the deployment machine and ansible would be updating said file locally? Thanks again for your help,

-- Stan Lemon

On January 11, 2014 at 3:56:31 AM, Peter Gehres ([email protected]) wrote:

Aha. Okay, so there is a feature on the roadmap called "vault" that I think will be perfect for this use case. It is what I was hinting at in my first reply where the password is stored in ciphertext on the control host and easily decryptable by Ansible. It doesn't deter a determined attacker, but prevents shoulder surfing. Ah, PCI and HIPAA, how I don't miss thee. Sadly, both of those are more sane than COBIT, FISMA, et al.

On Fri, Jan 10, 2014 at 6:15 PM, Stan Lemon <[email protected]> wrote:

So this is a PCI-compliant environment. I hit similar issues when I worked in health care though and we were trying to meet HIPAA compliance with our hardware. Auditors just didn’t want access credentials on the same box, so with that company we were able to have puppet handle them and because the puppet master was somewhere else the auditors didn’t care. It’s dumb reasoning, but it’s the way these industries work. So I can have passwords in my ansible playbooks, that’s tolerable. I just can’t put the password on the box itself. That is most likely a pretty uniform requirement, with the exception of application configuration to connect to said database. Thanks for your help on this.

-- Stan Lemon

On January 10, 2014 at 1:25:01 PM, Peter Gehres ([email protected]) wrote:

I don’t think ciphertext + decryption key would fly either. I agree with you that both this 0600 on the root should be sufficient, but often times the audits in these regulated environments defy rational arguments. Sadly, I thought that might be your answer. Does this only apply to the root password? If you can share, what framework are you being audited under? You've got me playing cat-and-mouse with the auditors in my head. :-) Have you solved this problem outside of Ansible anywhere as part of an automation routine?

-- Peter Gehres
Site Reliability Engineer | AppDynamics, Inc.
www.appdynamics.com | AS62897

-- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
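The arrangement Peter describes, with the password kept as ciphertext on the control host, decrypted by Ansible at run time, and handed to the database host only as a module argument for the duration of the task rather than written into a my.cnf there, looks like the following in a current Ansible. This is an added example, not code from the thread or from the Ansible project; it assumes ansible-vault (which did not yet exist when the thread was written) and the community.mysql collection, and the inventory group, variable names, account name and the placeholder ciphertext are all made up:

```yaml
# site.yml -- added example, not from the thread. Assumes a current Ansible
# with ansible-vault and the community.mysql collection installed.
- name: Manage a MySQL account without storing its password on the DB host
  hosts: dbservers            # hypothetical inventory group
  become: true
  vars:
    # The secret lives only as ciphertext on the control host (and in the
    # repository) and is decrypted in memory when the playbook runs. The
    # body below is a PLACEHOLDER, not real vault output; produce a real one with:
    #   ansible-vault encrypt_string 'the-password' --name vault_app_db_password
    vault_app_db_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      PLACEHOLDER_CIPHERTEXT_REPLACE_ME

  tasks:
    - name: Ensure the application account exists with the vaulted password
      community.mysql.mysql_user:
        name: appuser                       # hypothetical account name
        host: "10.0.0.%"                    # constructed app-server subnet
        password: "{{ vault_app_db_password }}"
        priv: "appdb.*:SELECT,INSERT,UPDATE,DELETE"
        state: present
        # Authenticate as the OS root user over the local socket, so no
        # root password needs to be passed or stored for this task.
        login_user: root
        login_unix_socket: /var/run/mysqld/mysqld.sock
      no_log: true   # keep the decrypted value out of logs and -v output

    - name: Confirm no credentials file was left behind for the OS root user
      ansible.builtin.stat:
        path: /root/.my.cnf
      register: root_my_cnf

    - name: Fail the run if a root-level my.cnf is present on the DB host
      ansible.builtin.assert:
        that: not root_my_cnf.stat.exists
        fail_msg: "/root/.my.cnf exists on {{ inventory_hostname }}; credentials must not persist on the box"
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or `--vault-password-file` pointing at a 0600 file on the control host). Two details matter for the "not on the box" requirement: `no_log: true` keeps the decrypted password out of the output and log files, and, by default, Ansible copies each module together with its arguments into a temporary directory on the managed host before executing it, so enable `pipelining = True` under `[ssh_connection]` in ansible.cfg to have the module and its arguments sent over the SSH session's stdin instead. The ciphertext still has to be decryptable by whoever runs the playbook, which is the same boundary the puppet-master setup in the thread relied on: the secret is on the control host, not on the audited database server.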
