[ClusterLabs] Encrypted passwords for Resource Agent Scripts

Klaus Wenninger kwenning at redhat.com
Mon Sep 24 08:20:45 EDT 2018


On 09/21/2018 10:32 PM, Ken Gaillot wrote:
> On Fri, 2018-09-21 at 19:01 +0530, Dileep V Nair wrote:
>> Hi,
>>
>> I have written heartbeat resource agent scripts for Oracle and
>> Sybase. Both the scripts take user passwords as parameters. Is there
>> a way to do some encryption for the passwords so that the plain text
>> passwords are not visible from the primitive also. 
> One option is to put the password in a (plaintext) file and take the
> file name as a resource parameter.
>
> There's also a (sadly undocumented) optional feature in pacemaker
> called CIB secrets. If pacemaker is built with ./configure --with-
> cibsecrets, you can put files under
> /var/lib/pacemaker/lrm/secrets/<RESOURCE-NAME>/ with the secrets, and
> they will be loaded from there rather than the CIB. I'm not familiar
> enough to give any more detail than that. I believe they're enabled in
> the SUSE packages, so maybe SUSE has some documentation.
>
> The topic has been discussed in the past without a better solution
> being apparent. It would theoretically be possible to require a human-
> entered password at boot for some sort of password manager daemon to
> decrypt an encrypted file with sensitive parameters, and have the RA
> query the daemon for the password as needed. However the daemon becomes
> a single point of failure (though it could perhaps be managed by the
> cluster), and the daemon needs to allow root (i.e. the RA) to get any
> password at will (otherwise, requiring the RA to authenticate itself to
> the daemon would just reintroduce the problem).
>
Remember some time ago we had a discussion on the list
about introduction of a key-value-store living alongside cib.
Don't remember if this use-case was discussed then but
at least it would be a valid one.
Anyway more or less the daemon Ken was talking about
just with a broader variety of use-cases.
Couldn't the issue with opening access to root in general
be handled via SELinux security contexts?
 
>>
>> Thanks & Regards
>>
>> Dileep Nair
>> Squad Lead - SAP Base 
>> IBM Services for Managed Applications
>> +91 98450 22258 Mobile
>> dilenair at in.ibm.com
>>
>> IBM Services




More information about the Users mailing list