Commit 97258bf3 authored by Dmytro Kryvenko's avatar Dmytro Kryvenko Committed by Ben Abrams

#73: Use node run state for credentials (#152)

* #73: Use node run state for credentials

* #73: Add README and CHANGELOG, make foodcritic happy

* #73: Make it clear in the README.md regarding the security concerns as to managing sumo credentials

* #73: Add deprecation warning regarding "Persisting sensitive information in node attributes"
parent 6d1fefe3
......@@ -6,6 +6,7 @@ This CHANGELOG (now) follows the format listed at [Keep A Changelog](http://keep
## [Unreleased]
### Added
- using node run state added as a viable option to supply credentials
- when using the lwrps it calls `sumo_service` which attempts to use systemd if present. We should allow overriding this behavior with the same attribute as was added in [PR#145](https://github.com/SumoLogic/sumologic-collector-chef-cookbook/pull/145) to change the behavior. If the attribute is unset it uses the existing logic to determine the appropriate init subsystem making this backwards compatibile. (@majormoses)
## [1.2.23] - 2017-10-12
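Review bot: the new "Added" entry on the run-state option is missing the attribution and issue/PR reference that the neighbouring entry carries (`(@majormoses)`, `[PR#145](...)`); add `(#73, #152)` and the author handle so the entry matches the format the file says it follows. It also does not mention the second user-visible change in this commit, the new deprecation warning for credentials stored in `node['sumologic']['accessID']`/`node['sumologic']['accessKey']`, which belongs under a "Deprecated" heading per Keep A Changelog.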
......
......@@ -43,8 +43,8 @@ Installation
knife cookbook github install SumoLogic/sumologic-collector-chef-cookbook
```
3. Specify data bag and item with your access credentials. The data item should
contain attributes `accessID` and `accessKey`. Note that attribute names are case sensitive. If the cases mismatch, the values will not appear when chef-client runs. The default data bag/item is
`['sumo-creds']['api-creds']`
contain attributes `accessID` and `accessKey`. Note that attribute names are case sensitive. If the cases mismatch, the values will not appear when chef-client runs. The default data bag/item is
`['sumo-creds']['api-creds']`. More flexible approach is to set `node.run_state['sumo_key_id']` and `node.run_state['sumo_key_secret']` to supply credentials from your wrapper cookbook level. Please note, storing sensitive data anywhere outside of `node.run_state` is not safe, because it's being uploaded to the Chef Server at the end of chef-client run. `node.run_state` [is not persistent and generally discarded at the end of chef-client run](https://docs.chef.io/recipes.html#node-run-state). But you still want to make sure that credentials originates from a secure place, such as your own encrypted data bag, Chef Vault or alternative approach that stores and communicates your secrets in an encrypted manner.
4. (Optional) Decide if you want to use the Local Configuration Management feature by setting the attribute `default['sumologic']['local_management']` properly. By default this feature is on, to leverage the power of Chef.
5. (Optional) Select the json configuration option (i.e. through a single file or a folder) by setting the attribute `default['sumologic']['use_json_path_dir']` appropriately. By default a single json file is used.
6. (Optional) Check if the path to the json file or the json folder is set correctly in the attribute `default['sumologic']['sumo_json_path']`. By default this is the path to the json file at `/etc/sumo.json` on Linux or `c:\sumo\sumo.json` on Windows.
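Review bot: the new sentence in step 3, "storing sensitive data anywhere outside of `node.run_state` is not safe, because it's being uploaded to the Chef Server", overstates the risk and contradicts the same paragraph's advice to source credentials from an encrypted data bag or Chef Vault. What is saved to the Chef Server at the end of the run is the node object, so the precise statement is that sensitive data must not be placed in node attributes; an encrypted data bag or Chef Vault item is a safe origin as long as the decrypted value only ever lands in `node.run_state`. Suggested wording: "Do not store the credentials in node attributes: the node object, attributes included, is uploaded to the Chef Server at the end of every chef-client run, whereas `node.run_state` is discarded." Minor grammar on the same lines: "More flexible approach" should read "A more flexible approach", and "credentials originates" should read "credentials originate".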
......
......@@ -38,7 +38,10 @@ end
require 'chef-vault'
if node['sumologic']['credentials']
if node.run_state['sumo_key_id'] && node.run_state['sumo_key_secret']
credentials['accessID'] = node.run_state['sumo_key_id']
credentials['accessKey'] = node.run_state['sumo_key_secret']
elsif node['sumologic']['credentials']
creds = node['sumologic']['credentials']
if creds[:secret_file]
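Review bot: the new `if node.run_state['sumo_key_id'] && node.run_state['sumo_key_secret']` branch silently falls through to the attribute/data-bag path when only one of the two run-state keys is set, which makes a wrapper-cookbook typo (e.g. setting `sumo_key_id` but misspelling `sumo_key_secret`) hard to diagnose; consider logging a warning, or raising, when exactly one of the two is present. It would also help to add a `Chef::Log.info` noting that credentials came from `node.run_state`, so the source of the credentials is visible in the run log without printing their values.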
......@@ -57,6 +60,9 @@ if node['sumologic']['credentials']
end
else
Chef::Log.warn("Using node['sumologic']['accessID'] and node['sumologic']['accessKey'] is deprecated!")
Chef::Log.warn('Persisting sensitive information in node attributes is not recommended.')
%i[accessID accessKey].each do |sym|
credentials[sym] = node['sumologic'][sym]
end
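Review bot: the new warning at `Chef::Log.warn('Persisting sensitive information in node attributes is not recommended.')` tells operators what is wrong but not what to do instead; since this commit introduces the alternative, the message should name it, e.g. "Persisting sensitive information in node attributes is not recommended; set node.run_state['sumo_key_id'] and node.run_state['sumo_key_secret'] from a wrapper cookbook instead." Folding it into the existing deprecation warning on the line above would keep it to one log entry per run.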
......