safeshare

Installs Covata Safe Share.

Covata

covata

19,009 downloads

5,290 latest version

3.1 quality score

Version information

  • 3.5.10 (latest)
  • 3.5.9
  • 3.5.8
  • 3.5.7
  • 3.5.6
  • 3.5.5
  • 3.5.4
  • 3.5.3
  • 3.5.2
  • 3.5.1
  • 3.5.0
  • 3.4.1
  • 3.4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.1
  • 3.3.0
  • 3.2.5
  • 3.2.4
  • 3.2.3
  • 3.2.2
  • 3.2.1
  • 3.2.0
  • 3.1.7
  • 3.1.6
  • 3.1.5
  • 3.1.4
  • 3.1.3
  • 3.1.2
  • 3.1.1
  • 3.1.0
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 3.0.0
released Sep 13th 2017
This version is compatible with:
  • Puppet Enterprise >= 3.0.0 < 2015.3.0
  • Puppet >= 3.0.0 < 4.0.0
  • RedHat
    ,
    CentOS
    ,
    Ubuntu

Start using this module

Documentation

covata/safeshare — version 3.5.10 Sep 13th 2017

safeshare puppet module

Table of Contents

  1. Description
  2. Setup
  3. Usage
  4. Reference
  5. Limitations

Description

This module installs and configures the Covata SafeShare version 3 and above on Ubuntu 14.04 or CentOS/RHEL 6/7 Linux servers.

An example Puppet manifest which uses this module can be found in Bitbucket.

Setup

Setup Requirements

  • Postgresql 9.3, with the following roles:

    • so3 (with CREATE_DB and CREATE_ROLE permission)
    • so3app
    • access_service_app_blue

    For security reasons, we recommend that the so3 user (credentials for schema updates) should not have the same password as so3app and access_service_app_blue (credentials for application).

  • Rabbitmq 3.5

  • (optional) AWS S3 buckets (if local storage is not used for the content service)

Also, it's expected that all nodes with Safe Share have OpenJDK 8 installed and the java command is on the path.

Beginning with safeshare

Every node which installs a Safe Share component should have the following:

  class { '::safeshare::globals':
     repo_token => 'unique_repository_token',
  }

This configures the yum or apt repository and any other required global configuration.

Note that in order to be able to retrieve Safe Share installation packages you need a repository token. It is generated by Covata for each customer. If you are a customer and didn't receive a token, contact repository-token@covata.com and request yours.

The token shouldn't be committed in clear text, like any other secret. Options for storing it encrypted in VCS would include eyaml, BlackBox.

Other options are passing an alternative repository to download the packages; or provide the packages using some other repository configured in your puppet tree.

Usage

There are three subclasses to be used:

  • safeshare::content_service - for storing and recovering encrypted data
  • safeshare:access_service_migration - for the migration of the database schema during upgrades
  • access_service - for authorization and authentication, also includes a web client for modern browsers.

While they could technically be installed on the same machine, we advise you to keep them on separate servers.

Using safeshare:access_service_migration

You should only install this module on one machine. safeshare::access_service_migration should be called after postgresql and OpenJDK8 are properly installed.

We recommend keeping the database migration on the same machine as your database. This is not a service, but rather a executable which will update the database schema when a new version of the access service is installed.

  class { '::safeshare::access_service_migration':
    version            => '3.0.994-1',
    access_service_url => 'http://url-access-service.xycompany.com',
    database_password  => 'p4ssw0rd_for_so3_user_in_postgresql',
    require            => Class['::java'],
  }

The version parameter should have the same value as safeshare::access_service::version.

Using safeshare:access_service

You can have multiple access service nodes, to improve performance or for high availability. On that case, you'll need to configure a load balancer as usual in front of those nodes.

It should be called after OpenJDK8 is properly installed.

  class { '::safeshare::access_service':
    version                   => '3.0.994-1',
    database_hostname         => 'url-postgres-service.xycompany.com',
    database_username         => 'so3app',
    database_password         => 'p4ssw0rd_for_so3app_user_in_postgresql',
    access_service_url        => 'http://url-access-service.xycompany.com',
    content_service_url       => 'http://url-content-service.xycompany.com',
    master_encryption_key     => 'rand0mmasterkey',
    bearer_signing_key        => 'r4and0m_string_for_communication_with_content_service',
    jwt_signing_key           => 'rand0msigningkey',
    rabbitmq_user_name        => 'rabbitmq_username',
    rabbitmq_password         => 'r4bb1tmq_password',
    rabbitmq_host             => 'url-to-rabbitmq.xycompany.com',
    require                   => Class['::java'],
  }

Note: bearer_signing_key has to be the same for all access service and content service nodes.

We advise you keep the access service's database in another machine, to facilitate backups and reprovisioning of new Safe Share nodes without losing data.

Using safeshare:content_service

You can have multiple access service nodes, to improve performance or for high availability. On that case, you'll need to configure a load balancer as usual in front of those nodes.

It should be called after OpenJDK8 is properly installed.

  class { '::safeshare::content_service':
    version            => '3.0.114-1',
    access_service_url => 'http://url-access-service.xycompany.com',
    data_bucket        => 'folder-for-data-bucket',
    readonly_bucket    => 'folder-for-readonly-data-bucket',
    bearer_signing_key => 'r4and0m_string_for_communication_with_access_service',
    rabbitmq_host      => 'url-to-rabbitmq.xycompany.com',
    rabbitmq_user_name => 'rabbitmq_username',
    rabbitmq_password  => 'r4bb1tmq_password',
    require            => Class['::java'],
  }

Note: bearer_signing_key has to be the same for all access service and content service nodes you have.

By default, the storage folder for LOCAL storage type will be /var/lib/content-service-storage. If you have multiple content service nodes, you'll need to make sure they are all using a shared folder (e.g. accessing it through NFS, or any other way you prefer).

The other option for storage is using S3, using the type S3COVATA.

We advise you keep the content service's object store in another machine, to facilitate backups and reprovisioning of new Safe Share nodes.

Limitations

Supports Ubuntu 14.04 and CentOS/RHEL 6/7.

This module does not install client software.

This module doesn't install external software dependencies (like Postgresql or rabbitmq).