[PUP-9585] Do not output password for user type if it is marked Sensitive Created: 2019/03/28  Updated: 2019/09/16  Resolved: 2019/08/12

Status: Resolved
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 5.5.17, PUP 6.4.4, PUP 6.8.0

Type: Improvement Priority: Normal
Reporter: Kris Bosland Assignee: Kris Bosland
Resolution: Fixed Votes: 0
Labels: resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by PUP-9692 hiera explain should redact values co... Reopened
Template:
Acceptance Criteria:

Passwords for the user type are output in Debug logging, even if the value is marked Sensitive.  Instead, this should be written as "[redacted]" in the log.

Epic Link: Redacting Sensitive Data
Team: Coremunity
Sprint: Platform Core KANBAN
Release Notes: Bug Fix
Release Notes Summary: User providers will not output exec command lines with passwords during debugging level logging.
QA Risk Assessment: Needs Assessment

 Description   

Reproduction steps:

$ cat foo.pp
class foo {
  user {'foo':
    ensure => present,
    password => Sensitive("foo")
  }
}
 
include foo

 

puppet apply foo.pp --debug

 

Info: Applying configuration version '8ef5cbfc620ff86bc1c8c02a56c5dc16d3630db4'
Debug: Executing: '/sbin/useradd -p foo -M foo'

 



 Comments   
Comment by Josh Cooper [ 2019/08/06 ]

Merged to 5.5.x in https://github.com/puppetlabs/puppet/commit/bc7b9de55162b496751f95b9993c0d2acf59a9de

Comment by Josh Cooper [ 2019/08/12 ]

Passed CI in 8df45b80bb

Generated at Mon Jan 27 10:05:25 PST 2020 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.