In Puppet, how would I secure a password variable (in this case a MySQL password)?

Posted by Beaming Mel-Bin on Server Fault
Published on 2012-01-03T04:28:12Z Indexed on 2012/10/08 3:39 UTC

I am using Puppet to provision MySQL with a parameterised class:

class mysql::server( $password ) {

        package { 'mysql-server': ensure => installed }
        package { 'mysql': ensure => installed }

        service { 'mysqld':
                enable => true,
                ensure => running,
                require => Package['mysql-server'],
        }

        exec { 'set-mysql-password':
                unless => "mysqladmin -uroot -p$password status",
                path => ['/bin', '/usr/bin'],
                command => "mysqladmin -uroot password $password",
                require => Service['mysqld'],
        }
}

How can I protect $password? Currently, I removed the default world-readable permission from the node definition file and explicitly gave puppet read permission via ACL.

I'm assuming others have come across a similar situation so perhaps there's a better practice.
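
An added example, not part of the original post and not the poster's code: the class above passes the password as a `mysqladmin` argument, where it is visible in the process list while the command runs, so this variant hands it to the client through root-only files instead. Assumptions: Puppet 4.6 or later for the `Sensitive` type, a server that accepts `ALTER USER`, a fresh install where root has no password (as the original `exec` also assumes), and the hypothetical path `/root/.mysql-set-root.sql`.

```puppet
# Added example, not from the original post.
# Assumes Puppet >= 4.6 (Sensitive type) and a server that accepts ALTER USER.
class mysql::server (
  Sensitive[String[1]] $password,  # value is redacted in agent logs and reports
) {
  package { ['mysql-server', 'mysql']: ensure => installed }

  service { 'mysqld':
    ensure  => running,
    enable  => true,
    require => Package['mysql-server'],
  }

  # Both files are readable by root only and never diffed into the log.
  # Assumption: the password contains no quote or backslash characters.
  file {
    default:
      ensure    => file,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      show_diff => false;
    # Client option file: later mysql/mysqladmin calls read the password here.
    '/root/.my.cnf':
      content => Sensitive("[client]\nuser=root\npassword=\"${password.unwrap}\"\n");
    # Statement used once, while root still has the empty install-time password.
    '/root/.mysql-set-root.sql':
      content => Sensitive("ALTER USER 'root'@'localhost' IDENTIFIED BY '${password.unwrap}';\n");
  }

  exec { 'set-mysql-password':
    provider => shell,  # needed for the input redirection below
    path     => ['/bin', '/usr/bin'],
    # Succeeds once the password in the option file is already in effect.
    unless   => 'mysqladmin --defaults-file=/root/.my.cnf status',
    # --no-defaults skips /root/.my.cnf so the first login uses no password.
    command  => 'mysql --no-defaults -uroot < /root/.mysql-set-root.sql',
    require  => [
      Service['mysqld'],
      File['/root/.my.cnf', '/root/.mysql-set-root.sql'],
    ],
  }
}
```

The password is still present in the compiled catalog and wherever the class is declared, so the file permissions on the node definition described in the question remain necessary.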
