Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9692

hiera explain should redact values converted to Sensitive in --debug mode

    XMLWordPrintable

Details

    • New Feature
    • Status: Accepted
    • Normal
    • Resolution: Unresolved
    • PUP 4.10.0
    • None
    • Hiera & Lookup
    • 42587
    • 1
    • Needs Assessment

    Description

      When using hiera's convert_to Sensitive, the explain output that is turned on by --debug will include the clear text looked up value as the explainer traces the lookup. Later this value is converted to Sensitive.

      The desire is that such values would be redacted in the log.

      Original Text

      Problem 1:
      When puppet agent is run with --debug option, passwords get logged in plain-text, although the passwords are stored encrypted in the yaml.

      Example:
      2019-05-03 15:58:36 -0700 Puppet (debug): Lookup of 'my_con_pwd'
      Searching for "my_con_pwd"
      Global Data Provider (hiera configuration version 3)
      Using configuration "/home/tstuser/puppet/hiera.yaml"
      Hierarchy entry "eyaml"
      Path "/home/tstuser/puppet/production/data/defaults.yaml"
      Original path: "defaults"
      No such key: "my_con_pwd"
      Path "/home/tstuser/puppet/production/data/my_prod_config.yaml"
      Original path: "my_prod_config."
      Found key: "my_con_pwd" value: "MyT3stP"

      The password is not redacted even if lookup_options is added for this data, with convert_to: Sensitive –

      The lookup_options is set in common.yaml like:

      lookup_options:
      "^*my_con_pwd":
      convert_to:

      • "Sensitive"

      Puppet seems to detect that this data is sensitive,  because it displays the following message after the lookup:

      Applying convert_to lookup_option with arguments [Sensitive]

      But the value is not redacted, as shown in the log snippet.

      Problem 2:
      If lookup_option is configured as shown above but this data is interpolated for another setting in a list, like:
      my_env_list:
        db_settings:
           db_pwd: "%{hiera('my_con_pwd')}"

      then the following error occurs:

      2019-05-03 16:11:26 -0700 Puppet (err): Evaluation Error: Error while evaluating a Function Call, Lookup of key failed: The convert_to lookup_option for key 'my_con_pwd' raised error: undefined method `call_function' for #<Hiera::Scope:0x0000000003a1cab8>

      Please let me know if there is any other way to redact passwords when --debug is used. Although this occurs only when --debug is passed, it is not acceptable security practice.

      Attachments

        Issue Links

          duplicates

          Improvement - An improvement or enhancement to an existing feature or task. PUP-9585 Do not output password for user type if it is marked Sensitive

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. PDK-1068 Resource API is leaking Sensitive parameters when running in Debug Mode

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. PDK-1091 Remove Sensitive data from all log messages

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              sstripathi Sanjay Tripathi
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:

                Zendesk Support