盐堆柱模板中的条件是否安全? [英] Are conditionals in salt stack pillar templates secure?

问题描述

我最近在这里>

/srv/pillar/ssh.sls:

ssh_certs:{% 如果谷物 ['fqdn'] == 'server1.example.com' %}数据分析: |-----开始 DSA 私钥 -----{# 关键文本以一致的缩进显示在这里... #}-----结束 DSA 私钥-----ecdsa: |-----开始 ECDSA 私钥 -----{# 关键文本以一致的缩进显示在这里... #}-----结束 ECDSA 私钥-----rsa: |-----开始RSA私钥-----{# 关键文本以一致的缩进显示在这里... #}-----结束RSA私钥-----{% elif 谷物 ['fqdn'] == 'server2.example.com' %}# 与上面相同，但当然有不同的关键文本....{％ 万一 ％}

这个支柱然后通过 * glob 分布在顶级文件中到集群中的所有节点.

问题:

由于我们未经评估的模板包含整个集群的所有私钥，这有多安全?

我相信小黄人会评估他们自己的盐配方.如果他们也评估自己的支柱，那么他们将暂时获得集群中每个节点的私钥！

如果我以某种方式获得了对 server2.example.com 的访问权限，我是否能够挖掘出未编译的模板?

问这个问题的另一种方式是:支柱模板评估在哪里进行?

解决方案

Pillar 数据在 Salt Master 上编译，Pillar 字典直接加密发送到每个 Salt Minion.因此，每个小兵不可能获得整个支柱文件.

话虽如此，Minion 的谷物可能会被篡改.您拥有的唯一绝对值是小黄人的 id.minion ID 不能被篡改，否则会导致 minion 的身份验证被拒绝.

I recently saw the following construction in a salt pillar in a thread here

/srv/pillar/ssh.sls:

ssh_certs:
{% if grains['fqdn'] == 'server1.example.com' %}
    dsa: |
        -----BEGIN DSA PRIVATE KEY-----
        {# key text goes here with consistant indentation... #}
        -----END DSA PRIVATE KEY-----
    ecdsa: |
        -----BEGIN ECDSA PRIVATE KEY-----
        {# key text goes here with consistant indentation... #}
        -----END ECDSA PRIVATE KEY-----
    rsa: |
        -----BEGIN RSA PRIVATE KEY-----
        {# key text goes here with consistant indentation... #}
        -----END RSA PRIVATE KEY-----
{% elif grains['fqdn'] == 'server2.example.com' %}
    # same as above but with different key texts of course....
{% endif %}

This pillar was then distributed in the top file via the * glob to all nodes in the cluster.

Question:

Since our unevaluated template contains all of the private keys for our entire cluster, how secure is this?

I believe that the minions evaluate their own salt formulae. If they evaluate their own pillars as well, then they would temporarily be given the private keys for every node in the cluster!

If I somehow gained access to server2.example.com, would I be able to dig up the uncompiled template?

Another way to ask this question would be: where does pillar template evaluation take place?

解决方案

Pillar data is compiled on the Salt Master and the Pillar dictionary is sent encrypted directly to each Salt Minion. So there's no chance that each minion got the entirety of that pillar file.

That being said, a Minion's grains could be tampered with. The only absolute you have is the minion's id. The minion ID can't be tampered with without causing the minion's authentication being rejected.

这篇关于盐堆柱模板中的条件是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！