RHEL-7604

[RFE] pcs interface for pacemaker CIB secrets

      +++ This bug was initially created as a clone of Bug #1793860 +++

      Description of problem:
      There is no way to store passwords and other values outside the CIB.
      In crmsh there is such functionality:

      crm resource secret <rsc> set <param> <value>

      Version-Release number of selected component (if applicable):
      pacemaker-2.0.2-3.el8_1.2.x86_64.rpm

      How reproducible:
      Always

      Steps to Reproduce:

      There is no such functionality.

      Actual results:
      All passwords are in CIB.

      Expected results:
      To be able to stash in/out any parameter in/out of CIB

      — Additional comment from Ken Gaillot on 2020-02-14 22:57:37 UTC —

      QA: This feature allows users to set sensitive resource parameter values in a separate file outside the pacemaker CIB. The file must be kept in sync across all nodes. Under the hood, it looks like this:

      • Sensitive values are replaced with 'lrm://' in the CIB
      • The actual value is stored in a plain text file /var/lib/pacemaker/lrm/secrets/<resource-id>/<parameter-name>
      • Each secrets file has a corresponding <filename>.sign file with an MD5 hash of the secret

      The user does not manage these directly, but via the cibsecret tool. cibsecret requires that Pacemaker is running on the local node, and that all active nodes are reachable via pssh, pdsh, or ssh. If any nodes are not active when the command is run, "cibsecret sync" must be run later when they are active to keep the secrets in sync.

      cibsecret is used like this:

      cibsecret set <resource-id> <parameter-name> <value>
      -> If you want a parameter to be secret from the beginning, this will create a local secret file and hash file for the given resource parameter, sync the files to all active nodes, then set the parameter value in the CIB to 'lrm://'.

      cibsecret get <resource-id> <parameter-name>
      -> This shows the local value of the given resource parameter if it is set as a secret.

      cibsecret delete <resource-id> <parameter-name>
      -> If the given resource parameter is a secret, this removes the parameter from the CIB entirely and removes the secret files.

      cibsecret stash <resource-id> <parameter-name>
      -> If you have an existing parameter directly in the CIB that you want to convert into a secret, this takes the existing value and does the equivalent of "cibsecret set".

      cibsecret unstash <resource-id> <parameter-name>
      -> If you have an existing secret parameter that you want to be directly in the CIB again, this puts the secret value directly in the CIB and gets rid of the secret files.

      cibsecret sync
      -> This synchronizes all secret files from the local node to all other active nodes.

      cibsecret check <resource-id> <parameter-name>
      -> This compares the value of a secret file with its hash. The hash is mainly intended to discourage manual editing of the secret file, though it could also detect file corruption.

      ###

      pcs will need an interface for the above "cibsecret" commands. To build pacemaker to test, run ./configure with the --with-cibsecrets option.

      A twist is that cibsecret currently uses ssh to synchronize files across nodes. pcsd could do this itself more conveniently, but currently cibsecret doesn't offer any way to skip that.

      cibsecret is a shell script (tools/cibsecret.in in the source repo), so you can see what it's doing under the hood. E.g. for "set" it first creates the secret file and hash file locally, then syncs them to all nodes, then updates the CIB to use it.

      Either pcs could implement all of what cibsecret does directly, or we could add new options to cibsecret to do the steps separately, and pcs could handle just the sync part itself. pcs could also impose more requirements e.g. that all nodes be active unless --force is given. Take a look and let me know what you need; we can do pacemaker changes as part of Bug 1793860 if necessary.
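As an added illustration of the layout described in the comment above (not code from pacemaker, pcs, or this issue), the Python below walks a CIB for parameters whose value is the 'lrm://' placeholder and verifies each local secret file against its .sign hash, the same consistency check "cibsecret check" performs. The CIB fragment and the secrets directory are constructed for the demo, and the exact contents of the .sign file (an md5sum-style line, of which only the first token is compared) are an assumption.

```python
import hashlib, os, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SECRET_MARKER = "lrm://"  # placeholder Pacemaker leaves in the CIB

def secret_params(cib_xml):
    """Yield (resource-id, param-name) for every nvpair whose CIB value is 'lrm://'."""
    for prim in ET.fromstring(cib_xml).iter("primitive"):
        for nv in prim.iter("nvpair"):
            if nv.get("value") == SECRET_MARKER:
                yield prim.get("id"), nv.get("name")

def check_secret(secrets_dir, rsc, param):
    """Return 'ok', 'missing', 'unsigned' or 'mismatch' for one secret file.
    Assumed .sign layout: an md5sum-style line, so only its first token is compared."""
    path = os.path.join(secrets_dir, rsc, param)
    if not os.path.isfile(path):
        return "missing"
    try:
        signed = Path(path + ".sign").read_text().split()[0]
    except (OSError, IndexError):
        return "unsigned"
    actual = hashlib.md5(Path(path).read_bytes()).hexdigest()
    return "ok" if actual == signed else "mismatch"

def audit(cib_xml, secrets_dir):
    """Map 'rsc/param' -> status for every secret the CIB references."""
    return {f"{r}/{p}": check_secret(secrets_dir, r, p) for r, p in secret_params(cib_xml)}

# Constructed CIB fragment: three parameters stashed as secrets, one (port) not.
CIB = """<cib><configuration><resources>
<primitive id="db" class="ocf" type="pgsql"><instance_attributes id="db-ia">
 <nvpair id="db-pw" name="password" value="lrm://"/>
 <nvpair id="db-key" name="apikey" value="lrm://"/>
 <nvpair id="db-port" name="port" value="5432"/></instance_attributes></primitive>
<primitive id="web" class="ocf" type="apache"><instance_attributes id="web-ia">
 <nvpair id="web-tok" name="token" value="lrm://"/></instance_attributes></primitive>
</resources></configuration></cib>"""

def demo():
    """Constructed stand-in for /var/lib/pacemaker/lrm/secrets: one intact, one tampered, one missing secret."""
    root = Path(tempfile.mkdtemp()) / "db"
    root.mkdir()
    for name, value in (("password", b"hunter2\n"), ("apikey", b"k-1234\n")):
        (root / name).write_bytes(value)
        (root / f"{name}.sign").write_text(hashlib.md5(value).hexdigest() + "  -\n")
    with (root / "apikey").open("ab") as f:
        f.write(b"edited\n")  # manual edit after signing -> hash no longer matches
    return audit(CIB, root.parent)
```

Running demo() reports db/password as ok, db/apikey as mismatch and web/token as missing; the last case is what a node that was down during "cibsecret set" looks like until "cibsecret sync" is run.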
