Manage resources leaks API password in resource types #440
Labels
enhancement
New feature or request
Comments
|
An alternative might be to use the Sensitive Data type: https://docs.puppet.com/puppet/4.6/lang_data_sensitive.html |
|
ccing @roidelapluie for comment |
|
Yes ; immediately we should use sensitive data type and in next major release switch to auth file. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the way
zabbix_hostis configured, it will inject$zabbix_api_passinto the resource with the property namezabbix_pass. This results in a password leak when puppet reports / resources can be inspected by third parties. At our setup, we run puppetboard without authentication. Other packages don't put clear text passwords in reports and resources, so this setup mostly works for us.Affected Puppet, Ruby, OS and module versions/distributions
How to reproduce (e.g Puppet code you use)
What are you seeing
When running the following PQL, the result includes the API credentials:
What behaviour did you expect instead
No passwords being logged.
Any additional information you'd like to impart
Other modules (e.g. puppetlabs/mongodb) write the credentials to a file (
~/.mongorc.js). This way, there's no need to communicate the credentials through the resources.The text was updated successfully, but these errors were encountered: