{"id":44410,"date":"2016-12-27T18:15:00","date_gmt":"2016-12-27T12:45:00","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=44410"},"modified":"2016-12-28T12:14:20","modified_gmt":"2016-12-28T06:44:20","slug":"securing-chef-resources-using-databags","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/securing-chef-resources-using-databags\/","title":{"rendered":"Securing Chef Resources Using Databags"},"content":{"rendered":"

Configuration management has become a prominent part of DevOps practices. Either be it a matured Chef and Puppet<\/a> or new entrants Ansible and SaltStack, all of them are better than another in one or other way.\u00a0 However, playing without securing them is a big security risk and is not in the veins DevOps<\/a>.<\/p>\n

\"Data<\/p>\n

Chef is the most vastly used<\/a> configuration management tool. In this blog I would be discussing chef use-cases which would help us to secure\/encrypt sensitive data such as passwords, keys, etc. in data-bags and how can we access it in recipes, templates, attributes etc. We will also discuss a use-case related to environments.<\/p>\n

Creating Data-bags:
\n<\/b>We would need to create a data-bag to encrypt the sensitive data. The below command will create a data bag on the chef server and will use default secret key to encrypt the data-bag.<\/p>\n

[js]knife data bag create my_databag my_databag_item [\/js]<\/p>\n

This would create a directory named \u201cmy_databag\u201d which is our data-bag and this directory has created a file named \u201cmy_databag_item.json\u201d which is a data-bag item.<\/p>\n

Let\u2019s say the \u201cplain-text\u201d content of that we want to encrypt is:
\n<\/strong><\/p>\n

[js]{
\n\u00a0"id": "my_databag",
\n"password1": \u201cabc123\u201d,
\n "password2": \u201c123abc\u201d
\n}[\/js]<\/p>\n

And after encryption this file would look like:<\/p>\n

[js]{
\n\u00a0"id": "my_databag",
\n "password1": {
\n\u00a0\u00a0 "encrypted_data": "XXXXXXXXXXXXXXXXXXXXXXXXX",
\n\u00a0\u00a0 "iv": "XYXYXYXYXYYXYXYXYXYXYXY",
\n\u00a0\u00a0 "version": 1,
\n\u00a0\u00a0 "cipher": "aes-256-cbc"
\n\u00a0},
\n "password2": {
\n\u00a0\u00a0 "encrypted_data": "YYYYYYYYYYYYYYYYYYYYYYYYYY",
\n\u00a0\u00a0 "iv": "YXYXYXYXYXYXYXYXYXYXYXYX",
\n\u00a0\u00a0 "version": 1,
\n\u00a0\u00a0 "cipher": "aes-256-cbc"
\n\u00a0}
\n}[\/js]<\/p>\n

Here are few variation which we generally use:<\/p>\n

    \n
  1. We do not want to create data-bag on chef-server but want to create a data-bag locally:\n

    [js]knife data bag create my_databag my_databag_item –local-mode flag[\/js]<\/p>\n<\/li>\n

  2. We do not want to use a default secret key but instead want to use self-created secret key:\n

    [js]#One of the many ways to create secret key:
    \nopenssl rand -base64 512 | tr -d ‘\\r\\n’ > \/path\/to\/my_secret_key
    \n#Create data-bag using my_secret_key
    \nknife data bag create my_databag my_databag_item –local-mode –secret-file \u00a0\/path\/to\/my_secret_key[\/js]<\/p>\n<\/li>\n<\/ol>\n

    Now, let\u2019s see how could we use the encrypted data in recipes, templates etc.<\/p>\n

      \n
    1. Using data-bags in a recipe:<\/strong> We would first need to load the data-bag in the recipe. Before this, we should know the path of the secret file (say \/path\/to\/my_secret_key) that we have created previously.
      \n#Loading secret key inside the recipe:<\/p>\n

      [js]my_secret_key = Chef::EncryptedDataBagItem.load_secret("\/path\/to\/my_secret_key")[\/js]<\/p>\n

      #Loading data-bag item inside the recipe:<\/p>\n

      [js]passwords = Chef::EncryptedDataBagItem.load("my_databag", "my_databag_item", my_secret_key)[\/js]<\/p>\n

      In order to use \u201cpassword1\u201d, we can use:<\/p>\n

      Example 1<\/strong>: Below recipe is sourcing DB dump in the MySQL. While using chef variable in a big string as below, we use hash(\u201c#\u201d) followed by curly braces(\u201c{}\u201d) as highlighted\u00a0below:<\/p>\n

      [js]bash ‘create readonly user’ do<\/pre>
      \nuser ‘mysql’
      \ncwd ‘\/tmp’
      \ncode <<-EOH
      \nmysql -uroot -p<b>#{passwords[‘password1’]}<\/b> \u00a0< \/tmp\/dummy.sql
      \nEOH
      \nend[\/js]<\/p>\n

      Example 2:<\/strong> We can use it without \u201c#\u201d and \u201c{}\u201d when using it outside a string as below:<\/p>\n

      [js]mysql_service ‘default’ do<\/pre>
      \n\u00a0version ‘5.6’
      \n\u00a0port ‘3306’
      \n\u00a0bind_address ‘0.0.0.0’
      \n\u00a0initial_root_password <b>password["password1"]
      \n\u00a0action [:create, :start]
      \n\u00a0not_if ‘ps -ef | grep [m]ysqld’
      \nend[\/js]<\/p>\n

       <\/li>\n

    2. We have directly used the path of the secret key while loading the secret key in the above example. We can do a small improvement by storing the path of secret key inside attribute file as below (assuming we are working inside a cookbook directory).\n

      [js]cat attributes\/default.rb<\/pre>
      \ndefault["secret_key_path"] = "\/path\/to\/my_secret_key"[\/js]<\/p>\n

      We could use it inside the recipe to load secret key:<\/p>\n

      [js]my_secret_key = Chef::EncryptedDataBagItem.load_secret(#{node[:secret_key_path]}")[\/js]<\/p>\n

      Note:<\/strong> that we have not done any encryption here. This is just an improvement over point<\/li>\n

    3. Using data-bags in a template:<\/strong> We can not directly use data-bags as we have used in recipes. While using templates in a recipe(which is granting a mMySQLuser some privileges), we would have to specifically pass the data-bags as variables inside a template as below:\n

      [js]my_secret_key = Chef::EncryptedDataBagItem.load_secret(#{node[:secret_key_path]}")
      \npasswords = Chef::EncryptedDataBagItem.load("my_databag", "my_databag_item", my_secret_key)
      \ntemplate ‘\/tmp\/grantPrivileges.txt’ do
      \n\u00a0source "grantPrivileges.txt.erb"
      \n\u00a0owner \u00a0\u00a0"root"
      \n\u00a0group \u00a0\u00a0"root"
      \n\u00a0mode \u00a0\u00a0\u00a00644
      \n\u00a0variables(
      \n\u00a0 :passwords => passwords
      \n)
      \nend[\/js]<\/p>\n

      Now, inside the template file, we can use \u201cpassword1\u201d as:<\/p>\n

      [js]cat templates\/grantPriviliges.txt.erb<\/pre>
      \ngrant all on dbname.* to ‘user1’@’%’ identified by ‘<%= @passwords["password"] %>’;[\/js]<\/p>\n<\/li>\n

    4. Playing with data-bags while working on environments:<\/strong> We usually work in multiple environments such as production, uat, qa, dev, etc. We have a set up where we have around 20 environment and all can be created\/modified using chef. The problem was that all the passwords were present in plain text in the environment file.\n

      The task was to secure all the passwords using databags. Let\u2019s do it step-by-step as follows:<\/p>\n

        \n
      1. Create a new data-bag \u201cenvironment\u201d.<\/li>\n
      2. Under \u201cenvironment\u201d data-bag, create a data-bag item for every environment. This is how this will look:
        \nData-bag:<\/span>
        \nls ..\/..\/data_bags\/environment\/
        \ndev.json production.json qa.json uat.json
        \nEnvironment<\/span>:
        \nls ..\/..\/environments\/
        \ndev.json production.json qa.json uat.jsonLet\u2019s say we have three passwords inside\u201c..\/..\/environments\/production.json\u201d environment file. We would remove all the three passwords and put them inside \u201c..\/..\/data_bags\/environment\/production.json\u201d data-bag item of \u201cenvironment\u201d databag.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

        Later, we remove all their references from the recipes and templates.<\/p>\n

        Next time, when to set up a new environment (say staging), we would need to create a environment file and it\u2019s corresponding data-bag item inside the environment data-bag.<\/p>\n

        Well, these are few use-cases which could most frequently be encountered while dealing with data-bags in chef.<\/p>\n

        Please share in comments section if anyone has a good use-case to share.<\/p>\n

         <\/p>\n","protected":false},"excerpt":{"rendered":"

        Configuration management has become a prominent part of DevOps practices. Either be it a matured Chef and Puppet or new entrants Ansible and SaltStack, all of them are better than another in one or other way.\u00a0 However, playing without securing them is a big security risk and is not in the veins DevOps. Chef is […]<\/p>\n","protected":false},"author":506,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":1},"categories":[1174,2348,1],"tags":[1910,1780,4343,4342,1892,4341],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/44410"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/506"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=44410"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/44410\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=44410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=44410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=44410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}