In Puppet, how would I secure a password variable (in this case a MySQL password)?
Posted by Beaming Mel-Bin on Server Fault
Published on 2012-01-03T04:28:12Z
Indexed on 2012/10/08 3:39 UTC
I am using Puppet to provision MySQL with a parameterised class:

    class mysql::server( $password ) {
        package { 'mysql-server': ensure => installed }
        package { 'mysql': ensure => installed }

        service { 'mysqld':
            enable  => true,
            ensure  => running,
            require => Package['mysql-server'],
        }

        # Set the root password, unless logging in with it already works.
        exec { 'set-mysql-password':
            unless  => "mysqladmin -uroot -p$password status",
            path    => ['/bin', '/usr/bin'],
            command => "mysqladmin -uroot password $password",
            require => Service['mysqld'],
        }
    }

How can I protect $password? Currently, I removed the default world-readable permission from the node definition file and explicitly gave puppet read permission via ACL.
I'm assuming others have come across a similar situation so perhaps there's a better practice.
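
The manifest in the question interpolates `$password` into both `mysqladmin` command lines. The variant below is an added example, not part of the original post: it takes the password as a `Sensitive` value and passes it to the MySQL clients through root-only files instead. It assumes Puppet 4.6 or later, a MySQL 5.x server whose root account starts with an empty password, and the two file paths and the password character policy, which are made up for illustration.

```puppet
# Added example, not the poster's code. Assumes Puppet >= 4.6 and MySQL 5.x.
class mysql::server (
  # Sensitive redacts the value in agent logs and reports. The Pattern is an
  # assumed policy that keeps quoting in the two files below unambiguous.
  Sensitive[Pattern[/\A[A-Za-z0-9_.+-]+\z/]] $password,
) {
  $pw = $password.unwrap

  package { ['mysql-server', 'mysql']: ensure => installed }

  service { 'mysqld':
    ensure  => running,
    enable  => true,
    require => Package['mysql-server'],
  }

  # Root-only files (paths are assumptions); show_diff keeps content changes
  # out of the agent log.
  file {
    default:
      ensure    => file,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      show_diff => false;
    '/root/.my.cnf':
      content => Sensitive("[client]\nuser=root\npassword=${pw}\n");
    '/root/.mysql-set-root-password.sql':
      content => Sensitive("SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${pw}');\n");
  }

  exec { 'set-mysql-password':
    path     => ['/bin', '/usr/bin'],
    provider => shell, # needed for the input redirection
    # Neither command line contains the password.
    unless   => 'mysqladmin --defaults-extra-file=/root/.my.cnf status',
    command  => 'mysql --no-defaults -uroot < /root/.mysql-set-root-password.sql',
    require  => [
      Service['mysqld'],
      File['/root/.my.cnf', '/root/.mysql-set-root-password.sql'],
    ],
  }
}
```

The value is still present in the compiled catalog, so the place the class receives it from (the node definition or Hiera data) needs the same file-permission care the question describes.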