[PUP-9585] Do not output password for user type if it is marked Sensitive Created: 2019/03/28  Updated: 2019/09/16  Resolved: 2019/08/12

Status: Resolved
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 5.5.17, PUP 6.4.4, PUP 6.8.0

Type: Improvement Priority: Normal
Reporter: Kris Bosland Assignee: Kris Bosland
Resolution: Fixed Votes: 0
Labels: resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is duplicated by PUP-9692 hiera explain should redact values co... Reopened
Acceptance Criteria:

Passwords for the user type are output in Debug logging, even if the value is marked Sensitive.  Instead, this should be written as "[redacted]" in the log.

Epic Link: Redacting Sensitive Data
Team: Coremunity
Sprint: Platform Core KANBAN
Release Notes: Bug Fix
Release Notes Summary: User providers will not output exec command lines with passwords during debugging level logging.
QA Risk Assessment: Needs Assessment


Reproduction steps:

$ cat foo.pp
class foo {
  user {'foo':
    ensure => present,
    password => Sensitive("foo")
include foo


puppet apply foo.pp --debug


Info: Applying configuration version '8ef5cbfc620ff86bc1c8c02a56c5dc16d3630db4'
Debug: Executing: '/sbin/useradd -p foo -M foo'


Comment by Josh Cooper [ 2019/08/06 ]

Merged to 5.5.x in https://github.com/puppetlabs/puppet/commit/bc7b9de55162b496751f95b9993c0d2acf59a9de

Comment by Josh Cooper [ 2019/08/12 ]

Passed CI in 8df45b80bb

Generated at Tue Jul 14 19:18:24 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.