Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are conditionals in salt stack pillar templates secure?

Tags:

salt-stack

I recently saw the following construction in a salt pillar in a thread here

/srv/pillar/ssh.sls:

ssh_certs:
{% if grains['fqdn'] == 'server1.example.com' %}
    dsa: |
        -----BEGIN DSA PRIVATE KEY-----
        {# key text goes here with consistant indentation... #}
        -----END DSA PRIVATE KEY-----
    ecdsa: |
        -----BEGIN ECDSA PRIVATE KEY-----
        {# key text goes here with consistant indentation... #}
        -----END ECDSA PRIVATE KEY-----
    rsa: |
        -----BEGIN RSA PRIVATE KEY-----
        {# key text goes here with consistant indentation... #}
        -----END RSA PRIVATE KEY-----
{% elif grains['fqdn'] == 'server2.example.com' %}
    # same as above but with different key texts of course....
{% endif %}

This pillar was then distributed in the top file via the * glob to all nodes in the cluster.

Question:

Since our unevaluated template contains all of the private keys for our entire cluster, how secure is this?

I believe that the minions evaluate their own salt formulae. If they evaluate their own pillars as well, then they would temporarily be given the private keys for every node in the cluster!

If I somehow gained access to server2.example.com, would I be able to dig up the uncompiled template?

Another way to ask this question would be: where does pillar template evaluation take place?

like image 225
gepoch Avatar asked Apr 10 '14 22:04

gepoch


People also ask

What is pillar in Salt stack?

Salt pillar is a system that lets you define secure data that are 'assigned' to one or more minions using targets. Salt pillar data stores values such as ports, file paths, configuration parameters, and passwords.

What is Highstate in SaltStack?

A “highstate” is a way for Salt to dynamically determine which Salt Formulas should be applied to a certain minion. To start with you execute a “highstate” like this: salt 'minion01' state.highstate. This command causes the Minion to download and examine a file from the Salt Master called the “top file”.

What is top SLS?

In Salt, the file which contains a mapping between groups of machines on a network and the configuration roles that should be applied to them is called a top file . Top files are named top. sls by default and they are so-named because they always exist in the "top" of a directory hierarchy that contains state files.

What is a salt column?

A salt dome is a mound or column of salt that has intruded upwards into overlying sediments.


1 Answers

Pillar data is compiled on the Salt Master and the Pillar dictionary is sent encrypted directly to each Salt Minion. So there's no chance that each minion got the entirety of that pillar file.

That being said, a Minion's grains could be tampered with. The only absolute you have is the minion's id. The minion ID can't be tampered with without causing the minion's authentication being rejected.

like image 106
Utah_Dave Avatar answered Sep 19 '22 17:09

Utah_Dave