how to create\edit encrypted data bag item from a chef recipe


Question

Motivation: the node will try to fetch a key from the data bag; if the key does not exist, it will generate one. This is handy when you scale your cluster and have to share a password for it.

Note that there won't be any node creation in parallel, so race conditions will be avoided.

There is a part in the Chef documentation that relates to creating and editing a data bag item from a recipe, though there is nothing there that relates to creating a new encrypted data bag item.

Can anyone please shed light on how it can be done?

Answer

Apologies in advance for the sermon that follows. Could you perhaps explain what you're trying to do? Perhaps there is a better way to accomplish it. Encrypted data bags are far from a complete security solution. Their weakness lies in the lack of key management.

So the answer is that the Ruby source code is fully documented by its gems. Encrypted data bag items are described here:

  • http://www.rubydoc.info/github/opscode/chef/Chef/EncryptedDataBagItem

But...

From the documentation link you provided:

Creating and editing the contents of a data bag or a data bag item from a recipe is not recommended. The recommended method of updating a data bag or a data bag item is to use knife and the knife data bag subcommand.

If this action must be done from a recipe, please note the following:

  • If two operations concurrently attempt to update the contents of a data bag, the last-written attempt will be the operation that updates the contents of the data bag. This situation can lead to data loss, so organizations should take steps to ensure that only one chef-client is updating a data bag at a time.

  • When using the open source Chef server, altering data bags from a node requires that the node's API client be granted admin privileges. In most cases, this is not advisable.

Updates to the Chef server are not transactional, so it's a really bad idea to be updating something from a chef-client, where potentially more than one node could be performing the same action.

The second warning is about privileges... Again, you are best advised to operate your chef-clients with the least amount of super powers. Reserve these for the Chef admin or scripts that run on a Chef workstation.
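As an added example (not part of the question, the answer, or Chef's own code), the following plain-Ruby script models the layout of a version 1 encrypted data bag item as produced by the Chef::EncryptedDataBagItem class linked above, to my reading of its source: aes-256-cbc with the AES key derived as the SHA-256 digest of the shared secret file, a fresh random IV per field, every field except "id" encrypted, and the plaintext wrapped as {"json_wrapper": value}. It also includes a hypothetical fetch_or_generate_password helper for the client side of the question's "fetch or generate" flow. The sample item, the secret and all function names are constructed for the example; the rubydoc page is the authoritative reference for the real format.

```ruby
require "openssl"
require "json"
require "base64"
require "digest"
require "securerandom"

# Constructed model of a Chef version 1 encrypted data bag item:
# aes-256-cbc, key = SHA256(secret file contents), random IV per field,
# plaintext wrapped as {"json_wrapper": value}. Written for this example,
# not taken from the chef gem; check Chef::EncryptedDataBagItem for the
# authoritative definition.
CIPHER = "aes-256-cbc"

def derive_key(secret)
  # Whoever holds the secret file holds the key to every field in every
  # item encrypted with it; this is the key-management gap the answer names.
  Digest::SHA256.digest(secret.strip)
end

def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  plaintext = JSON.generate({ "json_wrapper" => value })
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    "encrypted_data" => Base64.encode64(ciphertext),
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => CIPHER,
  }
end

def decrypt_field(field, secret)
  raise ArgumentError, "unsupported version #{field["version"]}" unless field["version"] == 1
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plaintext = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plaintext)["json_wrapper"]
end

# Encrypt every field except "id", which stays in the clear as the item name.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : encrypt_field(v, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : decrypt_field(v, secret)
  end
end

# Hypothetical client-side half of the question's flow: return the stored
# password if the item already carries one, otherwise a fresh random one.
# Uploading the new value back to the Chef server is deliberately left out;
# that is the step the answer warns about (admin privileges, non-transactional
# writes that can clobber each other).
def fetch_or_generate_password(encrypted_item, secret, field = "password")
  if encrypted_item && encrypted_item.key?(field)
    decrypt_item(encrypted_item, secret)[field]
  else
    SecureRandom.hex(24)
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-secret-not-for-real-use\n"   # stand-in for the secret file
  item = { "id" => "cluster", "password" => "hunter2", "nested" => { "port" => 5432 } }
  encrypted = encrypt_item(item, secret)
  puts JSON.pretty_generate(encrypted)
  puts "round trip ok: #{decrypt_item(encrypted, secret) == item}"
  puts "fetched: #{fetch_or_generate_password(encrypted, secret)}"
  puts "generated: #{fetch_or_generate_password(nil, secret)}"
end
```

Running it prints an item in which only "id" is readable; decrypting with a different secret fails at the padding or JSON step rather than yielding the wrong value silently. The point to take from it is the one the answer makes: generating the password on the node is trivial, while protecting the one shared secret and writing the item back safely are the hard parts, and neither is solved by the encrypted data bag itself.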

