Comments (10)
The problem here is that we can't possibly keep a list around of resource types to obfuscate so we'd have to be a whole lot more clever about it.
As far as the user type goes, what I would do instead is generate the hash of the password and pass that in. The formats for /etc/passwd are well documented. This would mediate the issue as seeing the hash will not tell you the password.
Scrubbing the output in Puppetboard still means that the data itself is stored in PuppetDB and others can still query for it through a variety of other tools.
I face the same issue. As long as you're managing passwords or other sensitive information for something that supports hashed passwords it's fine. But many of our deployments don't have that option. For example, a script sending an e-mail through smtp needs the password in cleartext.
There are ways to work around this issue and I made sure our puppetboard does not support custom queries and can only be accessed using a good password from inside our network, but it still leaves an uneasy feeling.
However, I feel like this is something that should be solved on the Puppet/PuppetDB level. Ideally, one could mark certain properties as sensitive inside of Puppet, which would lead to them not being stored.
Let's see if @kbarber has an idea on the subject because I tend to agree that it's not an issue that should be solved client side. However, I can imagine that not being able to store the entry and retrieve it as such could cause a heap of trouble for other things, exported resources being one.
Just to chime in here, we use hiera-eyaml to encrypt our passwords etc. but the plain text is still kept in puppetdb
Pulling in @senior too.
Seems to me the feature that you're wanting (on the PuppetDB side) is a user with a role that omits certain resources (or parameters of a resource). Puppetboard could query as that user and that stuff would be removed before Puppetboard even saw the results.
This is something we have talked about but don't currently have on the roadmap. When I was looking through our tickets, I found an access control ticket, but its focus was more around walling off environments. I've created a new ticket that we can use to catch the requirements of this feature. I've made a note of this discussion, but feel free to comment if you have additional ideas.
I wasn't sure if puppetboard was the correct place for this. I am not sure puppetdb is the right place either. I almost wish the individual providers within puppet would have some control over reporting in the resource directly. It sure seems like it would make a lot of sense if the windows_adsi User provider had a way to opt out of providing the new/old values as part of the reports.
daenney: This would mediate the issue as seeing the hash will not tell you the password.
You cannot pre-hash the password when using the windows_adsi provider, the password must be provided as plain text. Plus this was just an example. I have other resources that are also reporting values I wish would remain secret, or at least hidden from reports. I was kind of hoping for some kind of generic filter where I could just configure puppetboard to not display values for a given "resource-type". But it also makes sense to try working on fixing this as close to the source of the problem as possible first.
You cannot pre-hash the password when using the windows_adsi provider, the password must be provided as plain text.
I know :( and that greatly bothers me. I'd have hoped that by 2014 we would have APIs that allowed us to pass in pre-hashed passwords everywhere. Storing passwords in plain text for so many things is a big no-no; unfortunately it still applies to systems management.
I was kind of hoping for some kind of generic filter where I could just configure puppetboard to not display values for a given "resource-type".
I'll have a look at how Django does this, perhaps I can shove in some kind of anonymisation middleware that you can configure with a bunch of regexes.
I almost wish the individual providers within puppet would have some control over reporting in the resource directly.
Totally.
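The generic per-resource-type filter asked for above, and the regex-configured anonymisation layer daenney floats in reply, could look like the following. This is an added example, not Puppetboard's code: it assumes event records shaped like PuppetDB's v4 events endpoint (resource_type, property, old_value, new_value, message), the sample events and the rule list are constructed for this example, and the rule format is hypothetical.

```python
import copy
import re

# Constructed sample of PuppetDB event records (key names follow the
# /pdb/query/v4/events output; all values are made up for this example).
SAMPLE_EVENTS = [
    {"resource_type": "User", "resource_title": "svc_mail",
     "property": "password", "old_value": "Hunter2!", "new_value": "N3wS3cret",
     "message": "changed 'Hunter2!' to 'N3wS3cret'"},
    {"resource_type": "File", "resource_title": "/etc/motd",
     "property": "content", "old_value": "{md5}abc", "new_value": "{md5}def",
     "message": "content changed '{md5}abc' to '{md5}def'"},
    {"resource_type": "Smtp_credential", "resource_title": "relay",
     "property": "secret", "old_value": None, "new_value": "p@ss",
     "message": "defined 'secret' as 'p@ss'"},
]

# Hypothetical operator configuration: (resource-type regex, property regex).
# A property regex of None hides every property of the matching type.
REDACTION_RULES = [
    (r"^User$", r"^password$"),
    (r"^(Smtp|Mysql)_.*", None),
]

REDACTED = "[REDACTED]"


def _compile(rules):
    return [(re.compile(t, re.I), re.compile(p, re.I) if p else None)
            for t, p in rules]


def is_sensitive(event, compiled):
    """True when any rule matches this event's resource type (and property)."""
    for type_re, prop_re in compiled:
        if not type_re.search(event.get("resource_type", "")):
            continue
        if prop_re is None or prop_re.search(event.get("property") or ""):
            return True
    return False


def redact_events(events, rules=REDACTION_RULES):
    """Return a deep copy of `events` with old/new values blanked for every
    matching event. The free-text message is replaced wholesale because
    PuppetDB embeds the raw values in it."""
    compiled = _compile(rules)
    out = []
    for ev in events:
        ev = copy.deepcopy(ev)
        if is_sensitive(ev, compiled):
            for key in ("old_value", "new_value", "message"):
                if ev.get(key) is not None:
                    ev[key] = REDACTED
        out.append(ev)
    return out
```

As the thread already notes, this only hides values in the view that applies it; the plain-text values remain stored in PuppetDB and reachable through any other query path.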
I apologize for my necromancy, but it appears that this will be fixed in puppet. I haven't read through all the bugs/fixes referenced, but maybe it's in a workable state already.
https://tickets.puppetlabs.com/browse/PUP-6433
The Sensitive data type is in 4.6.1, PuppetDB might be oblivious to it though:
https://www.devco.net/archives/2016/09/05/puppet-4-sensitive-data-types.php