Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide an option to not display value for some events? #86

Closed
zoredache opened this issue Jul 2, 2014 · 10 comments
Closed

Provide an option to not display value for some events? #86

zoredache opened this issue Jul 2, 2014 · 10 comments
Labels
question wont-fix

Comments

@zoredache
Copy link

Within my puppet manifests I have code like so. The actual password is coming from encrypted storage though.

user{'localadmin'
    password=>'theplaintextpassword',
    provider=>'windows_adsi';
}

The problem of course is that when the above is applied to a system, it gets logged into puppetdb. Then it gets displayed for everyone with access puppetboard to see. The json for the specific event is below.

{
  "containment-path" : [ "Stage[main]", "Localauth", "Localauth::User[localadmin]", "User[localadmin]" ],
  "new-value" : "theplaintextpassword",
  "containing-class" : "Localauth",
  "report-receive-time" : "2014-07-02T22:08:31.286Z",
  "report" : "1892d84ef0bbbd6d909e572782f360d21598e1eb",
  "resource-title" : "localadmin",
  "property" : "password",
  "file" : "/srv/puppet/environments/win_production/modules/localauth/manifests/user.pp",
  "old-value" : "absent",
  "run-start-time" : "2014-07-02T22:06:42.286Z",
  "line" : 22,
  "status" : "success",
  "run-end-time" : "2014-07-02T22:08:15.428Z",
  "resource-type" : "User",
  "timestamp" : "2014-07-02T22:08:02.318Z",
  "configuration-version" : "1404338814",
  "certname" : "thecomputer.example.org",
  "message" : "created password"
},

It sure would be nice to have some way in puppetboard to set some kind of filter on the server if an event has "resource-type" : "User", and "property" : "password", then the old and new values are hidden from the display.

I suspect this would also be useful for other types of resources where a secret would be displayed as part of the new/old value.
@daenney
Copy link
Member

daenney commented Jul 3, 2014

The problem here is that we can't possibly keep a list around of resource types to obfuscate so we'd have to be a whole lot more clever about it.

As far as the user type goes, what I would do instead is generate the hash of the password and pass that in. The formats for /etc/passwd are well documented. This would mediate the issue as seeing the hash will not tell you the password.

Scrubbing the output in Puppetboard still means that the data itself is stored in PuppetDB and others can still query for it though a variety of other tools.

@href
Copy link
Contributor

href commented Jul 3, 2014

I face the same issue. As long as you're managing passwords or other sensitive information for something that supports hashed passwords it's fine. But many of our deployments don't have that option. For example, a script sending an e-mail through smtp needs the password in cleartext.

There are ways to work around this issue and I made sure our puppetboard does not support custom queries and can only be accessed using a good password from inside our network, but it still leaves an uneasy feeling.

However, I feel like this is something that should be solved on the Puppet/PuppetDB level. Ideally, one could mark certain properties as sensitive inside of Puppet, which would lead to them not being stored.

@daenney
Copy link
Member

daenney commented Jul 3, 2014

Lets see if @kbarber has an idea on the subject because I tend to agree that it's not an issue that should be solved client side. However, I can imagine that not being able to store the entry and retrieve it as such could cause a heap of trouble for other things, exported resources being one.

@stack72
Copy link
Contributor

stack72 commented Jul 3, 2014

Just to chime in here, we use hiera-eyaml to encrypt our passwords etc. but the plain text is still kept in puppetdb

@daenney
Copy link
Member

daenney commented Jul 3, 2014

Pulling in @senior too.

@senior
Copy link

senior commented Jul 3, 2014

Seems to me the feature that you're wanting (on the PuppetDB side) is a user with a role that omits certain resources (or parameters of a resource). Puppetboard could query as that user and that stuff would be removed before Puppetboard even saw the results.

This is something we have talked about but don't currently have on the roadmap. When I was looking through our tickets, I found an access control ticket, but it's focus was more around walling off environments. I've created a new ticket that we can use to catch the requirements of this feature. I've made a note of this discussion, but feel free to comment if you have additional ideas.

@zoredache
Copy link
Author

I wasn't sure if puppetboard was the correct place for this. I am not sure puppetdb is the right place either. I almost wish the individual providers within puppet would have some control over reporting in the resource directly. It sure seems like it would make a lot of sense if the windows_adsi User provider had a way to opt out of providing the new/old values as part of the reports.

daenney: This would mediate the issue as seeing the hash will not tell you the password.

You cannot pre-hash the password when using the windows_adsi provider, the password must be provided as plain text. Plus this was just an example. I have other resources that also reporting values I wish would remain secret, or at least hidden from reports. I was kind of hoping for some kind of generic filter where I could just configure puppetboard to not display values for a given "resource-type". But it also make sense to try working on fixing this as close to the source of the problem as possible first.

@daenney
Copy link
Member

daenney commented Jul 4, 2014

You cannot pre-hash the password when using the windows_adsi provider, the password must be provided as plain text.

I know :( and that greatly bothers me. I'd have hoped that by 2014 we would have API's that allowed us to pass in pre-hashed passwords everywhere. Storing passwords in plain text for so many things is a big no no, unfortunately it still applies to systems management.

I was kind of hoping for some kind of generic filter where I could just configure puppetboard to not display values for a given "resource-type".

I'll have a look at how Django does this, perhaps I can shove in some kind of anonymisation middleware that you can configure with a bunch of regexes.

I almost wish the individual providers within puppet would have some control over reporting in the resource directly.

Totally.

@corey-hammerton corey-hammerton mentioned this issue May 18, 2016
Closed
@pckroon
Copy link

pckroon commented Aug 17, 2016

I apologize for my necromancy, but it appears that this will be fixed in puppet. I haven't read through all the bugs/fixes referenced, but maybe it's in a workable state already.
https://tickets.puppetlabs.com/browse/PUP-6433

@juniorsysadmin
Copy link
Member

The Sensitive data type is in 4.6.1 , Puppetdb might be oblivious to it though:
https://www.devco.net/archives/2016/09/05/puppet-4-sensitive-data-types.php

b4ldr pushed a commit to b4ldr/puppetboard that referenced this issue Feb 19, 2020
@corey-hammerton
pypuppetdb/api/__init__/_url: URL Escaping special characters passed …
35ba410 
…as additional path arguments (voxpupuli#86)

This fixes voxpupuli/pypuppetdb#67

If a query with a passed path argument will be subject to a urllib quote
to escape special characters.
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question wont-fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@senior @stack72 @href @zoredache @daenney @juniorsysadmin @pckroon