Using crm secret to obfuscate passwords and other resource attributes
This document (7018546) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise High Availability Extension 12 SP1
SUSE Linux Enterprise High Availability Extension 12 SP2
Situation
Resolution
Sensitive parameters can be kept in local files rather than in the CIB, in order to prevent accidental data exposure. Use the secret
command to manage such parameters. stash moves the value out of the CIB into the local file, and unstash moves it back into the CIB. The set
subcommand sets the parameter to the provided value. delete removes the parameter completely. show displays the value of
the parameter from the local file. Use check to verify that the local file content is valid.
Usage:
secret <rsc> set <param> <value>
secret <rsc> stash <param>
secret <rsc> unstash <param>
secret <rsc> delete <param>
secret <rsc> show <param>
secret <rsc> check <param>
Example:
secret fence_1 show password
secret fence_1 stash password
secret fence_1 set password secret_value
Before using secret, run the show command first to get an overview of all your resources:
crm configure show
primitive mydb ocf:heartbeat:mysql \
params replication_user=admin ...
If you want to set a password for the above mydb resource, use the following commands:
crm resource secret mydb set passwd linux
INFO: syncing /var/lib/heartbeat/lrm/secrets/mydb/passwd to [your node list]
You can get the saved password back with:
crm resource secret mydb show passwd
linux
Note that the parameters need to be synchronized between nodes; the crm resource secret command will take care of that. We
highly recommend using only this command to manage secret parameters.
Example:
------------------------------------------------------------
# crm configure
crm(live)configure# show
primitive orcl_db oracle \
meta is-managed=true \
operations $id=orcl_db-operations \
op monitor interval=120 timeout=30 \
op start interval=0 start-delay=30 timeout=120 \
params sid=orcl home="/opt/oracle/product/12cR1/db" monprofile="C##monprof2" monuser="C##monitor2" monpassword=Chrispass2
* * * * * You MUST set up SSH keys between all nodes first! * * * * * *
# crm resource secret orcl_db set monpassword Chrispass2
INFO: syncing /var/lib/heartbeat/lrm/secrets/orcl_db/monpassword to hanode2 ...
# crm resource secret orcl_db show monpassword
Chrispass2
# crm configure
crm(live)configure# show
primitive orcl_db oracle \
meta is-managed=true \
operations $id=orcl_db-operations \
op monitor interval=120 timeout=30 \
op start interval=0 start-delay=30 timeout=120 \
params sid=orcl home="/opt/oracle/product/12cR1/db" monprofile="C##monprof2" monuser="C##monitor2" monpassword="lrm://"
hanode1:/var/lib/heartbeat/lrm/secrets/orcl_db # ls -l
total 8
-rw------- 1 root root 11 Jan 29 06:07 monpassword
-rw------- 1 root root 33 Jan 29 06:07 monpassword.sign
hanode1:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword
Chrispass2
hanode1:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword.sign
023e4811957e0d78e1f758cc6c9d421f
hanode2:/var/lib/heartbeat/lrm/secrets/orcl_db # ls -l
total 8
-rw------- 1 root root 11 Jan 29 06:07 monpassword
-rw------- 1 root root 33 Jan 29 06:07 monpassword.sign
hanode2:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword
Chrispass2
hanode2:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword.sign
023e4811957e0d78e1f758cc6c9d421f
# crm resource secret orcl_db delete monpassword
INFO: syncing /var/lib/heartbeat/lrm/secrets/orcl_db/monpassword to hanode2 ...
Deleted orcl_db option: id=orcl_db-instance_attributes-monpassword name=monpassword
primitive orcl_db oracle \
meta is-managed=true \
operations $id=orcl_db-operations \
op monitor interval=120 timeout=30 \
op start interval=0 start-delay=30 timeout=120 \
params sid=orcl home="/opt/oracle/product/12cR1/db" monprofile="C##monprof2" monuser="C##monitor2"
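As an added example that is not part of this TID, the following POSIX shell helpers audit the state shown above: one verifies a resource's local secret files the way "crm resource secret <rsc> check" would, the other scans a saved "crm configure show" dump for password-like parameters that are still stored in clear in the CIB. It assumes, as the listings suggest, that the .sign file holds the md5 hex digest of the parameter file (the 33-byte .sign shown above is consistent with that), that the files are mode 0600, and that "lrm://" is the CIB placeholder; make_demo builds constructed sample data, not real cluster state.

```shell
# Added example, not part of the SUSE TID. Assumes what the listings above show:
# secrets in /var/lib/heartbeat/lrm/secrets/<rsc>/<param> (mode 0600) with the
# md5 hex digest of that file in <param>.sign, and "lrm://" as the CIB placeholder.

# check_secret_dir DIR: verify one resource's secret files (missing .sign,
# digest mismatch, loose mode). Returns 0 only if every file passes.
check_secret_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sign) continue ;; esac
        if [ ! -f "$f.sign" ]; then echo "MISSING_SIGN $f"; rc=1; continue; fi
        want=$(cat "$f.sign")
        have=$(md5sum < "$f" | cut -d' ' -f1)
        [ "$want" = "$have" ] || { echo "BAD_DIGEST $f"; rc=1; }
        mode=$(ls -ld "$f" | cut -c1-10)
        [ "$mode" = "-rw-------" ] || { echo "BAD_MODE $f $mode"; rc=1; }
    done
    return $rc
}

# find_exposed_params FILE: scan a saved "crm configure show" dump for
# password-like params still stored in clear instead of as lrm://.
# Prints "<rsc> <param>" per hit; returns 1 if any were found.
find_exposed_params() {
    awk 'BEGIN { found = 0 }
         /^primitive/ { rsc = $2 }
         { for (i = 1; i <= NF; i++) if ($i ~ /^[^=]*(pass|secret)[^=]*=/) {
               key = $i; sub(/=.*/, "", key)
               val = $i; sub(/^[^=]*=/, "", val); gsub(/"/, "", val)
               if (val != "lrm://") { print rsc, key; found = 1 }
           } }
         END { exit found }' "$1"
}

# make_demo DIR: constructed sample data, not real cluster state: one intact
# secret dir, one tampered dir, and a configure dump with one exposed param.
make_demo() {
    mkdir -p "$1/good" "$1/bad"
    printf 'Chrispass2\n' > "$1/good/monpassword"
    md5sum < "$1/good/monpassword" | cut -d' ' -f1 > "$1/good/monpassword.sign"
    printf 'linux\n' > "$1/bad/passwd"
    printf 'deadbeef\n' > "$1/bad/passwd.sign"       # wrong digest
    chmod 600 "$1"/good/* "$1"/bad/*
    printf '%s\n' 'primitive mydb ocf:heartbeat:mysql \' \
        '    params replication_user=admin replication_passwd=linux' \
        'primitive orcl_db oracle \' \
        '    params sid=orcl monuser="C##monitor2" monpassword="lrm://"' > "$1/cib.txt"
}
```

Run check_secret_dir against each directory under /var/lib/heartbeat/lrm/secrets on every node, and find_exposed_params against the output of "crm configure show" saved to a file.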
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7018546
- Creation Date: 30-Jan-2017
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise High Availability Extension
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com