Project

General

Profile

User story #8352

Create a per-node private-folder for file distribution to each node

Added by Janos Mattyasovszky over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
N/A
Category:
System integration
Target version (plugin):
Suggestion strength:
User visibility:
Effort required:
Pull Request:

Description

Consider following usecase:
You want to distribute the private ssh-hostkeys for each node. If you have a large enough environment, that is changing on a very big rate (daily installs/decoms), maintaining a per-node file-edit policy is not very likely

What you actually want to have is one policy, that takes one file from a node-only folder, that is populated on the root server and then distributed towards the node (over the relays), so that only the node has access to it (not like the general shared-folder, which can be fetched basically by every node).

My idea would be that there could be a /var/rudder/configuration-repository/private-files/<UUID> folder, where each node can have its private folder, and that would also be replicated to a well defined target folder on the referenced node, so you could write techniques that use that folder.

Example:

On the RootServer:

# cp \
  ~/nodes_ssh_key.pem \
  /var/rudder/configuration-repository/private-files/89e67574-fe20-4325-83a2-1530b20c8aab/ssh_host_ecdsa_key

On the Node '89e67574-fe20-4325-83a2-1530b20c8aab':

technique copies /var/rudder/private-files/ssh_host_ecdsa_key => /etc/ssh/ssh_host_ecdsa_key


Related issues

Related to Rudder - User story #8353: Implement notifications for different server-side actions and events (hooks) Released 2016-12-22

History

#1 Updated by Janos Mattyasovszky over 1 year ago

  • Description updated (diff)

#2 Updated by Nicolas CHARLES over 1 year ago

  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE
  • Target version set to Ideas (not version specific)

Hi Janos,

Thank you for this ticket. I'm assigning Jon, as the product owner, to this ticket.
You were also discussing the idea of cyphering data, which seems to have kind of the same goal - Am I mistaken ?

#3 Updated by Janos Mattyasovszky over 1 year ago

  • Related to User story #8353: Implement notifications for different server-side actions and events (hooks) added

#4 Updated by Janos Mattyasovszky over 1 year ago

Nicolas CHARLES wrote:

You were also discussing the idea of cyphering data, which seems to have kind of the same goal - Am I mistaken ?

Well, yes and no.

This suggestion is just stating that you create a per-node folder, that will have its content transferred to that only node it is targeted at, and is not readable by the other nodes. It does not describe the method of the implementation nor does it say it has to be end-to-end encrypted, just have it be private for that node by making it not readable for the others.

You can solve this by either encrypting all files in this per-node private-folder, and put it somewhere into shared-files/.encrpyted for example, but you'd still need a place where one can put the files it.

An initial method would be just to have the root server take the files from this private-files/<uuid> folder, and put it in the node's directory upon generation, that could be the first step on the implementation, since it would only require some file-copying and additional ACL generation, and not the full-blown crpyto part, which is still harder to design and implement...

With today's versions this could be solved by hacking in an ugly hook at rudder.cfengine.reload.server.command, which would add the necessary files by walking through all the newly generated "rules" folder in the node's directory, and the technique depending on this would then look in the "inputs" directory for the node-specific files, but as I said, this would be a nasty hack...

Also available in: Atom PDF