MODULES-8856

dsc: credentials should be redacted

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • dsc, dsc_lite
    • Windows
    • Windows 2019-04-17

    Description

      Basic Info
      Module Version: dsc and dsc-lite
      Puppet Version: 5.5.x and up
      OS Name/Version: Windows

      The DSC and DSC-lite modules both evaluate an ERB script containing PowerShell and in the process interpolate credentials needed to manage resources such as the dsc_user. However, when running with puppet agent -td, the PowerShell script with interpolated credentials is output to the console and captured in the report. For example, given the manifest:

      dsc_user { 'jane-doe':
        dsc_username             => 'jane-doe',
        dsc_description          => 'Jane Doe user',
        dsc_ensure               => present,
        dsc_password             => {
          'user' => 'jane-doe',
          'password' => Sensitive('jane-password')
        },
        dsc_passwordneverexpires => false,
        dsc_disabled             => true,
      }
      

      results in:

      C:\> puppet apply --debug manifest.pp
      ...
         password = [PSCustomObject]@{'user' = 'jane-doe'; 'password' = 'jane-password'} | new-pscredential
      

      We should not expose credentials, which I think realistically means we shouldn't emit the PowerShell script to stdout/console.
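
One way to keep the debug output while masking the secret, as an added example that is not part of the original issue or the dsc module's code: secrets are recorded at interpolation time and masked in a separate copy used for logging. The `Sensitive` stand-in and the helpers `ps_quote`, `render_hashtable` and `build_credential_line` are hypothetical names.

```ruby
# Added example; every name here is hypothetical, not the dsc module's code.
# Sensitive mimics Puppet's Sensitive wrapper just enough to run offline.
Sensitive = Struct.new(:value) do
  def unwrap; value; end
  def to_s; '[redacted]'; end
  alias_method :inspect, :to_s
end

REDACTED = '[value redacted]'

# Escape a Ruby string as a PowerShell single-quoted literal.
def ps_quote(str)
  "'" + str.to_s.gsub("'", "''") + "'"
end

# Render a hash as a PowerShell hashtable literal. Each Sensitive value is
# unwrapped for the script that runs, and its quoted form is recorded in
# +secrets+ so the logged copy can mask exactly what was interpolated.
def render_hashtable(hash, secrets)
  pairs = hash.map do |key, val|
    literal = if val.is_a?(Sensitive)
                ps_quote(val.unwrap).tap { |q| secrets << q }
              else
                ps_quote(val)
              end
    "#{ps_quote(key)} = #{literal}"
  end
  "@{#{pairs.join('; ')}}"
end

# Return [script_to_execute, script_safe_to_log].
def build_credential_line(param, cred)
  secrets = []
  script = "#{param} = [PSCustomObject]#{render_hashtable(cred, secrets)} | new-pscredential"
  # Longest first so a secret that contains a shorter one is masked whole.
  loggable = secrets.uniq.sort_by { |s| -s.length }
                    .inject(script) { |text, s| text.gsub(s, ps_quote(REDACTED)) }
  [script, loggable]
end

# Constructed sample mirroring the manifest in the report.
cred = { 'user' => 'jane-doe', 'password' => Sensitive.new('jane-password') }
script, loggable = build_credential_line('password', cred)
puts loggable # only this copy goes to debug output or the report
```

Masking by recorded value rather than by key name covers secrets interpolated under any property name, at the cost of also masking a non-secret field that happens to hold the same string.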

            People

              michael.lombardi Michael Lombardi
              josh Josh Cooper