  1. Puppet
  2. PUP-1974

Theme: Sensitive Data in Catalogs

    Details

    • Epic Name:
      Theme: Sensitive Data
    • Template:
    • Team/s:
      Data Platform, Platform Core
    • Sub-team:
    • CS Priority:
      Major
    • CS Frequency:
      3 - 25-50% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      5 - $$$$$$
    • CS Impact:
      This has become more and more of an issue as time goes on and customers realize secrets are stored in plaintext.

      Description

      THIS IS A CROSS TEAM EPIC - DO NOT PUT IN A SPRINT. EACH TEAM NEEDS SEPARATE EPIC SUPPORTING THIS.

      Sensitive information such as passwords or key files contained within Puppet catalogs leaks into locations such as PuppetDB or syslog. This elevates the necessary security that must be enforced on these external systems.

      It would be valuable to give manifest/module authors the ability to specify resource properties (such as attributes or titles) which are sensitive. Components downstream from the catalog compiler could then choose how to handle sensitive data. For example, the master could redact such fields from the catalog before sending it to PuppetDB. The agent could be configured to obscure sensitive resource titles from the log when they are acted upon.

      One possible way to do this would be the addition of a "sensitive" resource type that is compiled into the catalog. Each instance would specify resource fields to be selected and the preferred means of redaction.

      These changes need to take I18N support into consideration. The strings we create should use '%{variable}' style formatting to enable i18n string decorations.
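
A sketch of the redaction flow proposed in the description above, added here as an example; it is not part of the ticket and not Puppet's implementation. The `Sensitive` marker type, the catalog layout and every function name are hypothetical, and the sample catalog is constructed.

```ruby
# Added illustration, not Puppet code. The catalog layout and the "Sensitive"
# marker resource type are hypothetical, modelled on the proposal in the ticket.
REDACTED = '[redacted]'
EXEC_TITLE = 'mysql -pconstructed-secret-2 -e "FLUSH PRIVILEGES"' # constructed

# Constructed sample catalog; every value is made up.
SAMPLE_CATALOG = {
  'resources' => [
    { 'type' => 'User', 'title' => 'deploy',
      'parameters' => { 'ensure' => 'present', 'password' => 'constructed-secret-1' } },
    { 'type' => 'Exec', 'title' => EXEC_TITLE, 'parameters' => { 'path' => '/usr/bin' } },
    { 'type' => 'Sensitive', 'title' => 'user-password',
      'parameters' => { 'target' => 'User[deploy]', 'fields' => ['password'] } },
    { 'type' => 'Sensitive', 'title' => 'exec-title',
      'parameters' => { 'target' => "Exec[#{EXEC_TITLE}]", 'fields' => ['title'] } }
  ]
}.freeze

def resource_ref(res)
  "#{res['type']}[#{res['title']}]"
end

# Map "Type[title]" => list of field names flagged by the marker resources.
def sensitive_fields(catalog)
  catalog['resources'].each_with_object(Hash.new { |h, k| h[k] = [] }) do |res, marks|
    next unless res['type'] == 'Sensitive'
    marks[res['parameters']['target']].concat(res['parameters']['fields'])
  end
end

# Copy of the catalog that is safe to forward to a store such as PuppetDB.
# Markers are dropped too: a marker's target can itself contain a secret title.
def redact_for_storage(catalog)
  marks = sensitive_fields(catalog)
  kept = catalog['resources'].reject { |res| res['type'] == 'Sensitive' }
  redacted = kept.map do |res|
    fields = marks.fetch(resource_ref(res), [])
    params = res['parameters'].to_h { |k, v| [k, fields.include?(k) ? REDACTED : v] }
    res.merge('title' => fields.include?('title') ? REDACTED : res['title'],
              'parameters' => params)
  end
  catalog.merge('resources' => redacted)
end

# Agent-side log line built with '%{variable}' placeholders, as the ticket asks.
LOG_TEMPLATE = '%{resource}: %{property} changed to %{value}'

def log_line(catalog, res, property, value)
  fields = sensitive_fields(catalog).fetch(resource_ref(res), [])
  title = fields.include?('title') ? REDACTED : res['title']
  format(LOG_TEMPLATE, resource: "#{res['type']}[#{title}]", property: property,
                       value: fields.include?(property) ? REDACTED : value)
end
```

Redacting every sensitive title to the same string makes those resources indistinguishable downstream, so a real design would need a stable non-secret identifier for them.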

              People

              Assignee:
              Unassigned
              Reporter:
              pmooney Patrick Mooney
              QA Contact:
              Eric Thompson
              Votes:
              14
              Watchers:
              49