uvsmtid

Reputation: 4295

Saltstack distributing secure/sensitive pillar keys privately per each minion

Consider two approaches to distributing selected pillar keys to a specific minion.

1. Top-file matcher using minion id.

In this case, the top file has to know the assignment of pillar sls files to their minions.

/srv/pillar/top.sls:

base:
  'minion_1':
    - key1
  'minion_2':
    - key2

/srv/pillar/key1.sls:

key1: value1

/srv/pillar/key2.sls:

key2: value2

2. Jinja conditional using if/else with minion id.

In this case, the top file needs to know nothing.

Instead, pillar sls files know themselves which minion can read them.

/srv/pillar/top.sls:

base:
  '*':
    - key1
    - key2

/srv/pillar/key1.sls:

{% if grains['id'] == 'minion_1' %}
key1: value1
{% endif %}

/srv/pillar/key2.sls:

{% if grains['id'] == 'minion_2' %}
key2: value2
{% endif %}

Question

Are there any security preferences using the 1st or the 2nd approach?

Personally, I prefer the 2nd approach - it is more flexible (allows any logic in jinja templates).

While writing this I also clarified an important Salt design aspect - pillar sls files are only compiled on the Salt master in either case (see this answer). Therefore, in both cases minions will never be given all pillar data anyway (to filter, select, and present the resulting pillar for state rendering on their own). Compare it with states - AFAIK, they are rendered on the minion side.

Upvotes: 1

Views: 1057

Answers (2)

Michael Place

Reputation: 3046

You should NOT use the second approach.

Remember that grains are insecure and any minion can present itself as having any grain. Evaluating a grain in Jinja, especially to determine access to pillar data, effectively bypasses Salt's security model.

Upvotes: 0
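A constructed model of the point made in this answer, not Salt's own code: it compiles the question's two pillar layouts for one minion, assuming the master matches top-file targets against the minion id it authenticated while the grains dict handed to Jinja is whatever the minion reported (every grain, including `id`, is treated as minion-supplied, the worst case for the second approach).

```python
"""Toy model of pillar compilation on the master for the two approaches.

Constructed simulation for illustration; it is not Salt's implementation.
Assumptions: top-file targets are glob-matched against the authenticated
minion id, and the grains passed to the sls files are minion-reported.
"""
import fnmatch

# Approach 1: the top file assigns sls files per minion id (from the question).
TOP_BY_ID = {"minion_1": ["key1"], "minion_2": ["key2"]}
# Approach 2: every minion gets every sls; each sls file filters on grains.
TOP_ALL = {"*": ["key1", "key2"]}

# Pillar sls files modelled as functions of the grains dict.
# Approach 1 files are plain YAML, so they ignore grains.
SLS_PLAIN = {
    "key1": lambda grains: {"key1": "value1"},
    "key2": lambda grains: {"key2": "value2"},
}
# Approach 2 files stand in for `{% if grains['id'] == 'minion_N' %}`.
SLS_GRAIN_GATED = {
    "key1": lambda grains: {"key1": "value1"} if grains.get("id") == "minion_1" else {},
    "key2": lambda grains: {"key2": "value2"} if grains.get("id") == "minion_2" else {},
}


def compile_pillar(top, sls_files, authenticated_id, reported_grains):
    """Return the merged pillar the authenticated minion would receive."""
    pillar = {}
    for target, sls_list in top.items():
        # Targets match the id bound to the accepted key, not a grain.
        if not fnmatch.fnmatch(authenticated_id, target):
            continue
        for name in sls_list:
            pillar.update(sls_files[name](reported_grains))
    return pillar


def leak_check():
    """minion_2 is authenticated; compare honest vs. spoofed 'id' grain."""
    honest = {"id": "minion_2"}        # constructed grains as minion_2 reports them
    spoofed = {"id": "minion_1"}       # constructed grains from a compromised minion_2
    return {
        "approach1_spoofed": compile_pillar(TOP_BY_ID, SLS_PLAIN, "minion_2", spoofed),
        "approach2_honest": compile_pillar(TOP_ALL, SLS_GRAIN_GATED, "minion_2", honest),
        "approach2_spoofed": compile_pillar(TOP_ALL, SLS_GRAIN_GATED, "minion_2", spoofed),
    }


if __name__ == "__main__":
    for case, pillar in leak_check().items():
        print(f"{case}: {pillar}")
```

Under these assumptions only the grain-gated layout hands minion_2 the key meant for minion_1; the top-file layout is unaffected by what the minion claims about itself.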

Ian Ellis

Reputation: 389

IMHO either of those approaches looks pretty much the same from a security perspective.

As you say, each salt-minion only sees the pillar data that the salt-master allows it to see.

The 1st approach looks more straightforward, and the grains are supplied by the minions - so if you've got a hacked minion it could see stuff that it shouldn't be able to...

A bigger security risk is having unencrypted keys etc. hanging around in your pillars (especially if you're sharing them in git or whatever). Have you seen this? https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html - GPG encryption for your pillars.

Been using it for about 4 months without issue.

Upvotes: 1
