When the user provider changes a managed user's password, the plaintext password is shown in the console even if the password is encrypted in Hiera.
1) In the PE Console, go to the report where the password was changed.
2) Click on the Events tab.
3) Under resource type, click user.
4) The User resource will show the password in the Changed to column.
- Currently, Puppet will include password value(s) in the resource event logs when they change. This means passwords are written to the reports in plain text (though these reports are only root-readable).
- The Sensitive type was recently added to Puppet; it obscures associated values where applicable. Ostensibly, passwords are sensitive information and are a fit for this new type.
- Plumb the Sensitive data type through the Puppet type system as needed, if at all, so that we can:
  - Set the password property of the user type to Sensitive. This will then apply to all user providers.
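A check for the exposure described above, as an added example that is not part of the original ticket or Puppet's own code: it scans one stored report for User password events whose previous or new value was written unredacted. The report layout, the `[redacted]` marker, the function names and the sample report are assumptions constructed for illustration.

```ruby
require 'psych'
# Values that are not a leaked secret. '[redacted]' is the assumed Sensitive marker.
NOT_SECRET = [nil, '', '[redacted]', 'absent', ':absent'].freeze

# Convert the Psych AST to plain data; !ruby/object tags are ignored, nothing is instantiated.
def plain(node)
  case node
  when Psych::Nodes::Document then plain(node.children.first)
  when Psych::Nodes::Mapping
    node.children.each_slice(2).map { |k, v| [plain(k), plain(v)] }.to_h
  when Psych::Nodes::Sequence then node.children.map { |c| plain(c) }
  when Psych::Nodes::Scalar   then node.value
  end
end

# One finding per User password event with unredacted values (field names only, never values).
def exposed_password_events(report_yaml)
  report = plain(Psych.parse(report_yaml))
  return [] unless report.is_a?(Hash) && report['resource_statuses'].is_a?(Hash)
  findings = []
  report['resource_statuses'].each do |name, status|
    next unless status.is_a?(Hash) && status['resource_type'] == 'User'
    Array(status['events']).each do |ev|
      next unless ev.is_a?(Hash) && ev['property'] == 'password'
      leaked = %w[previous_value desired_value].reject { |f| NOT_SECRET.include?(ev[f]) }
      findings << { resource: name, fields: leaked } unless leaked.empty?
    end
  end
  findings
end

# Constructed sample report (layout assumed, not real data).
SAMPLE_REPORT = <<~'YAML'
  --- !ruby/object:Puppet::Transaction::Report
  resource_statuses:
    User[deploy]: !ruby/object:Puppet::Resource::Status
      resource_type: User
      events:
      - !ruby/object:Puppet::Transaction::Event
        property: password
        previous_value: "$6$constructed$OLD"
        desired_value: "$6$constructed$NEW"
    User[backup]: !ruby/object:Puppet::Resource::Status
      resource_type: User
      events:
      - !ruby/object:Puppet::Transaction::Event
        property: password
        desired_value: "[redacted]"
YAML
```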