Puppet - hiera - Function lookup() did not find a value - Windows

Time: 2018-10-31 15:50:30

Tags: powershell puppet dsc hiera

I installed the dsc module and used Puppet to add an AD user to a domain controller. The code below works fine when the passwords are hard-coded as plain text. Is there some way to encrypt these passwords?

I understand that hiera-eyaml is the way to solve this, so I encrypted the password:

[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]

Then I stored the encrypted password in the /etc/common.eyaml file (specified in the hiera config file):

/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml

I can decrypt the file successfully:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml

Then I referenced the encrypted password in the manifest file

/etc/puppetlabs/code/environments/production/manifests/site.pp:

dsc_xADUser {'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password'))
  },
}

On the Windows node I get the error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Function lookup() did not find a value for the name 'password' on node windows.example.com

Hiera config file:

cat /etc/puppetlabs/puppet/hiera.yaml
---
# Hiera 5 Global configuration file

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
       - "/etc/common.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

cat /etc/common.eyaml

password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]

I am new to Puppet and this issue is confusing me.

2 answers:

Answer 0 (score: 0)

For starters, there is a typo in your Hiera config file. The path to the data should be:

paths:
  - "/etc/common.eyaml"

Once that is fixed, you need to retrieve the value from Hiera. This is done with the puppet lookup function. Since you have a single key-value pair in a single data file, you can do this with the minimum number of arguments:

dsc_xADUser {'FirstUser':
  dsc_ensure            => 'present',
  dsc_domainname        => 'ad.contoso.com',
  dsc_username          => 'tfl',
  dsc_userprincipalname => 'tfl@ad.contoso.com',
  dsc_password   => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => lookup('string'),
  },
}

However, you also really want that password kept out of logs and reports. You will want to wrap that password string in the Sensitive data type:

'password' => Sensitive(lookup('string')),

You appear to have already done this for the other password, passed as the string pass.

A side note to all of this: Puppet has built-in support for lookup retrieval from Vault and Conjur in version 6, so that will soon become the best practice instead of hiera-eyaml.

Answer 1 (score: 0)

Ufff, after a hard struggle I finally got it working:

cat /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
        pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
        pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

Created the password:

/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

Added it to the /etc/puppetlabs/puppet/data/windowspass.eyaml file:

/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

cat /etc/puppetlabs/puppet/data/windowspass.eyaml
---
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAUopetXenh/+DN1+VesIZUI5y4k3kOTn2xa5uBrtGZP3GvGqoWfwAbYsfeNApjeMG+lg93/N/6mE9T59DPh]

Tested decryption:

/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem

As Matt said, mapped the contents of windowspass.eyaml in the manifest file:

'password' => Sensitive(lookup('password'))

The debug command helped me a lot:

puppet master --debug --compile windows.example.com --environment=production

Thanks to everyone, especially Matt
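The following is an added example, written for this page and not part of either answer or of Puppet's own code. It models two things the thread discusses: how the Hiera 5 hierarchy from answer 1 (a node-specific file interpolated from trusted.certname, then windowspass.eyaml, both relative to datadir) resolves lookup('password') for the Windows node with first match winning, and why answer 0's Sensitive wrapper matters once the value is retrieved. The flat key/value reader, the interpolation rule, the path resolution and the error text are this model's approximation of Hiera, not Puppet's implementation; the ciphertext is a constructed placeholder, and nothing here decrypts it, since in Puppet that is the job of the eyaml backend configured with the PKCS7 keys. The model also raises an error if an encrypted value is served by a level without the eyaml backend, because a plain yaml_data level would return the ENC[...] string verbatim as the password.

```python
"""Model of Hiera 5 hierarchy resolution and Sensitive wrapping (added example)."""
import os
import re
import tempfile

# Constructed placeholder, not a real eyaml ciphertext.
SAMPLE_ENC = "ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDEXAMPLEPLACEHOLDER=]"
ENC_RE = re.compile(r"^ENC\[PKCS7,[A-Za-z0-9+/=]+\]$")

# Hierarchy mirroring the working hiera.yaml from answer 1; paths are relative to datadir.
HIERARCHY = [
    {
        "name": "Eyaml hierarchy",
        "lookup_key": "eyaml_lookup_key",
        "paths": ["nodes/%{trusted.certname}.yaml", "windowspass.eyaml"],
    }
]


class Sensitive:
    """Mimics Puppet's Sensitive type: usable via unwrap(), redacted in str()/repr()."""

    def __init__(self, value):
        self._value = value

    def unwrap(self):
        return self._value

    def __repr__(self):
        return "Sensitive [value redacted]"

    __str__ = __repr__


def load_flat_yaml(path):
    """Tiny reader for the flat 'key: value' data files shown on the page (no nesting)."""
    data = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or line == "---":
                continue
            key, sep, value = line.partition(":")
            if sep:
                data[key.strip()] = value.strip().strip("\"'")
    return data


def interpolate(template, facts):
    """Expand %{...} tokens from a flat facts dict (unknown tokens become '' in this model)."""
    return re.sub(r"%\{([^}]+)\}", lambda m: facts.get(m.group(1), ""), template)


def hiera_lookup(key, datadir, facts, hierarchy=HIERARCHY):
    """Walk the hierarchy top to bottom; the first data file that has the key wins."""
    for level in hierarchy:
        for template in level["paths"]:
            path = interpolate(template, facts)
            if not os.path.isabs(path):  # relative paths live under datadir (model assumption)
                path = os.path.join(datadir, path)
            if not os.path.isfile(path):
                continue  # a missing data file is simply skipped, not an error
            data = load_flat_yaml(path)
            if key not in data:
                continue
            value = data[key]
            if ENC_RE.match(value) and level.get("lookup_key") != "eyaml_lookup_key":
                # A yaml_data level would hand the ciphertext back verbatim as the password.
                raise ValueError(
                    f"{path}: '{key}' is encrypted but level '{level['name']}' has no eyaml backend"
                )
            return value  # still ENC[...] here; the eyaml backend decrypts it in real Puppet
    raise LookupError(f"Function lookup() did not find a value for the name '{key}'")


def lookup_sensitive(key, datadir, facts):
    """Equivalent of Sensitive(lookup('password')) in the manifest."""
    return Sensitive(hiera_lookup(key, datadir, facts))


def build_sample_datadir():
    """Write constructed data files matching answer 1's layout into a temporary datadir."""
    datadir = tempfile.mkdtemp(prefix="hiera-")
    os.makedirs(os.path.join(datadir, "nodes"))
    with open(os.path.join(datadir, "nodes", "windows.example.com.yaml"), "w", encoding="utf-8") as fh:
        fh.write("---\nrole: domain_controller\n")
    with open(os.path.join(datadir, "windowspass.eyaml"), "w", encoding="utf-8") as fh:
        fh.write(f"---\npassword: {SAMPLE_ENC}\n")
    return datadir


if __name__ == "__main__":
    sample_dir = build_sample_datadir()
    node_facts = {"trusted.certname": "windows.example.com"}
    print(hiera_lookup("role", sample_dir, node_facts))  # found in the node-specific file
    cred = lookup_sensitive("password", sample_dir, node_facts)
    print(cred)  # redacted, which is what a log or report would show
    print(ENC_RE.match(cred.unwrap()) is not None)  # the retrieved value is the ciphertext
    try:
        hiera_lookup("missing", sample_dir, node_facts)
    except LookupError as err:
        print(err)  # the same kind of error the question reports
```

Running it shows the three outcomes the thread turns on: a key found in the first matching file, a Sensitive value that prints redacted, and the "did not find a value" error for a key that no data file in the hierarchy provides.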