Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-05 Thread Henrik Lindberg (JIRA)
   
Henrik Lindberg commented on PUP-9692

I think I may have been too quick to close this ticket - the problem with leaked Sensitive is not the same as what I marked as being duplicated. In this case the problem is that when --debug is on, hiera 5 will turn on the --explain support. That leads to a trace of the lookup ending up in the log. Next, since the conversion to Sensitive of a value happens after the value is looked up, the explainer does not know that the value will later be transformed to Sensitive. This may be difficult to fix, and would to an extent reduce the usefulness of the explain output as it would be harder to debug lookups. Ping Josh Cooper

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-05 Thread Henrik Lindberg (JIRA)
   
Henrik Lindberg commented on PUP-9692

Sanjay Tripathi Please do file a separate ticket for the error you are getting. Do note that what you are doing will not work anyway since if you interpolate a Sensitive value it will produce the text "redacted" and that is what your db password would be set to. In order to set the actual value (not the value interpolated into a string) you must use the hiera alias function instead of hiera. When you post the new ticket, please include a stacktrace. Also include information about the hiera backends you are using - I suspect this comes from a hiera 3 (deprecated) backend because it reports an error for a Hiera::Scope, which I don't think is used in hiera 5.


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-04 Thread Sanjay Tripathi (JIRA)
   
Sanjay Tripathi commented on PUP-9692

Hi Henrik, Should there be a separate ticket for the problem 2 – Lookup of key failed: The convert_to lookup_option for key 'my_con_pwd' raised error: undefined method `call_function' for #? Thanks.


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-04 Thread Sanjay Tripathi (JIRA)
   
Sanjay Tripathi commented on PUP-9692

Thanks, Henrik. Is there an ETA for the fix? We need it urgently.


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-04 Thread Henrik Lindberg (JIRA)
   
Henrik Lindberg updated an issue

Puppet / PUP-9692
Passwords not redacted in debug mode

Change By: Henrik Lindberg
Priority: Critical -> Normal


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-04 Thread Henrik Lindberg (JIRA)
   
Henrik Lindberg updated an issue

Puppet / PUP-9692
Passwords not redacted in debug mode

Change By: Henrik Lindberg
Component/s: Hiera & Lookup
Component/s: Types and Providers


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-04 Thread Henrik Lindberg (JIRA)
   
Henrik Lindberg commented on PUP-9692

Sanjay Tripathi All tickets get looked at. The automatic selection of assignee in this case was based on the input "hiera and lookup" - which is not where the issue is, so it went back into the pool of Open tickets (which means tickets that need to be looked at by someone).


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-03 Thread Sanjay Tripathi (JIRA)
   
Sanjay Tripathi commented on PUP-9692

Hello, Why is this ticket unassigned? Will it not be looked at? Thanks.


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-03 Thread Thomas Hallgren (JIRA)
   
Thomas Hallgren assigned an issue to Unassigned

Puppet / PUP-9692
Passwords not redacted in debug mode

Change By: Thomas Hallgren
Assignee: Thomas Hallgren


Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-03 Thread Sanjay Tripathi (JIRA)
   
Sanjay Tripathi commented on PUP-9692

Problem 1: When puppet agent is run with --debug option, passwords get logged in plain-text, although the passwords are stored encrypted in the yaml. Example:

    2019-05-03 15:58:36 -0700 Puppet (debug): Lookup of 'my_con_pwd'
      Searching for "my_con_pwd"
        Global Data Provider (hiera configuration version 3)
          Using configuration "/home/tstuser/puppet/hiera.yaml"
          Hierarchy entry "eyaml"
            Path "/home/tstuser/puppet/production/data/defaults.yaml"
              Original path: "defaults"
              No such key: "my_con_pwd"
            Path "/home/tstuser/puppet/production/data/my_prod_config.yaml"
              Original path: "my_prod_config."
              Found key: "my_con_pwd" value: "MyT3stP"

The password is not redacted even if lookup_options is added for this data, with convert_to: Sensitive – The lookup_options is set in common.yaml like:

    lookup_options:
      "^*my_con_pwd":
        convert_to: "Sensitive"

Puppet seems to detect that this data is sensitive, because it displays the following message after the lookup:

    Applying convert_to lookup_option with arguments [Sensitive]

But the value is not redacted, as shown in the log snippet.

Problem 2: If lookup_option is configured as shown above but this data is interpolated for another setting in a list, like:

    my_env_list:
      db_settings:
        db_pwd: "%{hiera('my_con_pwd')}"

then the following error occurs:

    2019-05-03 16:11:26 -0700 Puppet (err): Evaluation Error: Error while evaluating a Function Call, Lookup of key failed: The convert_to lookup_option for key 'my_con_pwd' raised error: undefined method `call_function' for #

Please let me know if there is any other way to redact passwords when --debug is used. Although this occurs only when --debug is passed, it is not acceptable security practice.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Jira (PUP-9692) Passwords not redacted in debug mode

2019-05-03 Thread Sanjay Tripathi (JIRA)
   
Sanjay Tripathi created an issue

Puppet / PUP-9692
Passwords not redacted in debug mode

Issue Type: Bug
Affects Versions: PUP 4.10.0, PUP 5.5.z
Assignee: Thomas Hallgren
Components: Hiera & Lookup
Created: 2019/05/03 4:48 PM
Environment:

Problem 1: When puppet agent is run with --debug option, passwords get logged in plain-text, although the passwords are stored encrypted in the yaml. Example:

    2019-05-03 15:58:36 -0700 Puppet (debug): Lookup of 'my_con_pwd'
      Searching for "my_con_pwd"
        Global Data Provider (hiera configuration version 3)
          Using configuration "/home/tstuser/puppet/hiera.yaml"
          Hierarchy entry "eyaml"
            Path "/home/tstuser/puppet/production/data/defaults.yaml"
              Original path: "defaults"
              No such key: "my_con_pwd"
            Path "/home/tstuser/puppet/production/data/my_prod_config.yaml"
              Original path: "my_prod_config."
              Found key: "my_con_pwd" value: "MyT3stP"

The password is not redacted even if lookup_options is added for this data, with convert_to: Sensitive – The lookup_options is set in common.yaml like:

    lookup_options:
      "^*my_con_pwd":
        convert_to: "Sensitive"

Puppet seems to detect that this data is sensitive, because it displays the following message after the lookup:

    Applying convert_to lookup_option with arguments [Sensitive]

But the value is not redacted, as shown in the log snippet.

Problem 2: If lookup_option is configured as shown above but this data is interpolated for another setting in a list, like:

    my_env_list:
      db_settings:
        db_pwd: "%{hiera('my_con_pwd')}"

then the following error occurs:

    2019-05-03 16:11:26 -0700 Puppet (err): Evaluation Error: Error while evaluating a Function Call, Lookup of key failed: The convert_to lookup_option for key 'my_con_pwd' raised error: undefined method `call_function' for #

Please let me know if there is any other way to redact passwords when --debug is used. Although this occurs only when --debug is passed, it is not acceptable security practice.

Priority: Critical
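
Added example, not part of the ticket and not Puppet code: a scrubber for saved `puppet agent --debug` logs that redacts the `Found key: ... value: ...` lines of the explain trace quoted in the report before the log leaves the host. The key patterns, the `[redacted]` marker and the multi-line value layout in the sample are assumptions.

```ruby
# Added example, not Puppet code: redact looked-up values that the Hiera
# explain trace writes into a saved --debug log.
# Assumption: the operator lists the keys they mark convert_to: Sensitive.
SENSITIVE_KEY_PATTERNS = [/my_con_pwd\z/].freeze

# Line shape quoted in the report: Found key: "my_con_pwd" value: "MyT3stP"
FOUND_KEY = /(?<prefix>Found key: "(?<key>[^"]+)" value: )(?:(?<quoted>"(?:\\.|[^"\\])*")|(?<rest>.*))/

# Returns [scrubbed_text, redacted_key_names].
def scrub_explain_trace(text, patterns = SENSITIVE_KEY_PATTERNS)
  leaked = []
  out = []
  skip_below = nil # indentation of a redacted value that continues on later lines
  text.each_line(chomp: true) do |line|
    indent = line[/\A\s*/].size
    if skip_below
      # Drop continuation lines of a structured value and its closing bracket.
      next if indent > skip_below || line.strip.match?(/\A[\]}],?\z/)
      skip_below = nil
    end
    scrubbed = line.gsub(FOUND_KEY) do
      m = Regexp.last_match
      next m[0] unless patterns.any? { |p| p.match?(m[:key]) }
      leaked << m[:key]
      skip_below = indent if m[:rest] # value did not end on this line: fail closed
      "#{m[:prefix]}[redacted]"
    end
    out << scrubbed
  end
  [out.join("\n"), leaked.uniq]
end

# Constructed sample in the shape of the trace in the report; the second key
# and its multi-line value are invented for illustration.
SAMPLE_LOG = <<~LOG
  2019-05-03 15:58:36 -0700 Puppet (debug): Lookup of 'my_con_pwd'
    Searching for "my_con_pwd"
      Path "/home/tstuser/puppet/production/data/my_prod_config.yaml"
        Found key: "my_con_pwd" value: "MyT3stP"
        Found key: "svc_my_con_pwd" value: {
          "user" => "svc",
          "token" => "T0k3n"
        }
        Found key: "motd" value: "hello"
LOG

if $PROGRAM_NAME == __FILE__
  scrubbed, leaked = scrub_explain_trace(SAMPLE_LOG)
  puts scrubbed
  warn "redacted keys: #{leaked.join(', ')}"
end
```

Values for keys that do not match a pattern are left untouched, so the pattern list has to track the keys marked Sensitive in lookup_options.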