Jira (PUP-9644) Improve documentation around sensitive data in puppet

41 views
Skip to first unread message

Rob Braden (JIRA)

unread,
Apr 15, 2019, 12:55:04 PM4/15/19
to puppe...@googlegroups.com
Rob Braden created an issue
 
Puppet / Task PUP-9644
Improve documentation around sensitive data in puppet
Issue Type: Task Task
Assignee: Unassigned
Created: 2019/04/15 9:54 AM
Priority: Normal Normal
Reporter: Rob Braden

Currently, the docs don't accurately reflect the behavior of sensitive data in puppet catalogs. We should update the docs to reduce customer surprise.
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Rob Braden (JIRA)

unread,
Apr 15, 2019, 12:55:04 PM4/15/19
to puppe...@googlegroups.com
Rob Braden updated an issue
Change By: Rob Braden
Sprint: Coremunity Grooming

Jorie Tappa (JIRA)

unread,
Jun 10, 2019, 2:46:04 PM6/10/19
to puppe...@googlegroups.com
Jorie Tappa updated an issue
Change By: Jorie Tappa
Component/s: Docs

Jorie Tappa (JIRA)

unread,
Jun 10, 2019, 2:49:03 PM6/10/19
to puppe...@googlegroups.com
Jorie Tappa updated an issue
Change By: Jorie Tappa
Team: Coremunity

Jorie Tappa (JIRA)

unread,
Jun 12, 2019, 4:16:03 PM6/12/19
to puppe...@googlegroups.com
Jorie Tappa updated an issue
Currently, the docs don't accurately reflect the behavior of sensitive data in puppet catalogs. We should update the docs to reduce customer surprise.


Not every provider is supported, so we should be clear which those are and under which circumstances data can be leaked.

Jean Bond (JIRA)

unread,
Jun 17, 2019, 7:48:02 PM6/17/19
to puppe...@googlegroups.com
Jean Bond assigned an issue to Jean Bond
Change By: Jean Bond
Assignee: Jean Bond

Jean Bond (JIRA)

unread,
Jul 25, 2019, 6:04:03 PM7/25/19
to puppe...@googlegroups.com
Jean Bond commented on Task PUP-9644
 
Re: Improve documentation around sensitive data in puppet

Rob Braden, this ticket asks for documentation about what providers are supported, how data can be leaked, and corrections to inaccuracy about sensitive data behavior, but it doesn't provide information about those things. Can you recommend an SME for this ticket?

(I know there's a related ticket, but it's 2+ years old and a whole lot to wade through and parse; if someone can offer more explicit answers, it would be really helpful.)

Josh Cooper (JIRA)

unread,
Sep 17, 2019, 11:28:04 PM9/17/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Sprint: Coremunity Grooming Hopper

Jean Bond (JIRA)

unread,
Jan 3, 2020, 5:09:03 PM1/3/20
to puppe...@googlegroups.com
Jean Bond assigned an issue to Unassigned
Change By: Jean Bond
Assignee: Jean Bond

Josh Cooper (JIRA)

unread,
Jan 13, 2020, 1:09:03 PM1/13/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper Grooming

Rob Braden (Jira)

unread,
Apr 20, 2020, 2:07:03 PM4/20/20
to puppe...@googlegroups.com
Rob Braden commented on Task PUP-9644
 
Re: Improve documentation around sensitive data in puppet

We should probably add some clarification that the "core" types and providers make an effort to redact sensitive information, custom types and providers may need to be updated to respect the sensitive flag. For example:
https://github.com/puppetlabs/puppet/blob/f482005b92807a4bdd350e86fa80f2da39c936a2/lib/puppet/util/execution.rb#L159
sets it as 'false' by default, anyone that needs to redact sensitive information from the execution API should pass the value as 'true'
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Atlassian logo

Chris Cowell (Jira)

unread,
Jun 3, 2020, 6:08:03 PM6/3/20
to puppe...@googlegroups.com
Chris Cowell assigned an issue to Chris Cowell
 
Change By: Chris Cowell
Assignee: Chris Cowell

Chris Cowell (Jira)

unread,
Jun 3, 2020, 6:18:03 PM6/3/20
to puppe...@googlegroups.com
Chris Cowell commented on Task PUP-9644
 
Re: Improve documentation around sensitive data in puppet

Hi Rob Braden I'm picking up this ticket for Tech Pubs, but need a little more info. Are you the right person to ask for more info about stuff like this: "Not every provider is supported, so we should be clear which those are and under which circumstances data can be leaked"?

Chris Cowell (Jira)

unread,
Jun 3, 2020, 6:30:03 PM6/3/20
to puppe...@googlegroups.com
Chris Cowell commented on Task PUP-9644

Rob Braden another question: does this ticket look like a dup of DOCUMENT-634?

Jean Bond (Jira)

unread,
Jun 3, 2020, 6:32:03 PM6/3/20
to puppe...@googlegroups.com
Jean Bond commented on Task PUP-9644

Chris Cowell, this is definitely an iteration/dupe of DOCUMENT-634.

Chris Cowell (Jira)

unread,
Jun 3, 2020, 6:41:02 PM6/3/20
to puppe...@googlegroups.com
Chris Cowell updated an issue
 
Change By: Chris Cowell
Comment: [~bradejr] another question: does this ticket look like a dup of DOCUMENT-634?

Rob Braden (Jira)

unread,
Jun 3, 2020, 7:13:03 PM6/3/20
to puppe...@googlegroups.com
Rob Braden commented on Task PUP-9644
 
Re: Improve documentation around sensitive data in puppet

Hi Chris, for the moment I'll defer to Melissa Stone but she's only available for a few more days

Melissa Stone (Jira)

unread,
Jun 4, 2020, 1:01:05 PM6/4/20
to puppe...@googlegroups.com
Melissa Stone commented on Task PUP-9644

I'm happy to help, but I have very little information myself and my last day at Puppet is Friday. So, if I can help at all in the next two days, let me know!

The examples provided in https://tickets.puppetlabs.com/browse/DOCUMENT-634 are helpful, and I also found a very thorough write up at https://puppet.com/blog/my-journey-securing-sensitive-data-puppet-code/. Gene Liverman might be a helpful resource too, given his thoughtful writeup and his experience with sensitive data.

Gene Liverman (Jira)

unread,
Jun 4, 2020, 1:56:03 PM6/4/20
to puppe...@googlegroups.com
Gene Liverman commented on Task PUP-9644

Happy to help. Ben Ford also has a lot of good insight into this.

Jean Bond (Jira)

unread,
Jun 26, 2020, 4:15:03 PM6/26/20
to puppe...@googlegroups.com
Jean Bond commented on Task PUP-9644

We just got some user feedback about these docs, so I'm adding the request here for context:

"Add a proper example to use in a class. When you define a var as Sensitive[String], you get the error "parameter 'XXXXX' expects a Sensitive[String] value, got String". When following the docs it is unclear how to properly configure this."

Josh Cooper (Jira)

unread,
Jul 23, 2020, 1:05:03 PM7/23/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Sprint: Coremunity Grooming

William Hurt (Jira)

unread,
Oct 22, 2020, 1:47:03 PM10/22/20
to puppe...@googlegroups.com
William Hurt commented on Task PUP-9644
 
Re: Improve documentation around sensitive data in puppet

Hi, I just want to +1 getting this prioritized for release somewhere with examples from DOCUMET-634 and from Gene's blog post. I am myself trying to figure out how to properly right a module with the Sensitive type in a way that is easy for end users to utilize. In my searching around for how to do this properly it looks to me like our documentation on the Sensitive type is still very very light, and frankly that ticket above and Gene's blog post are the only things I've found so far that the least bit helpful.

Claire Cadman (Jira)

unread,
Mar 17, 2021, 9:54:03 AM3/17/21
to puppe...@googlegroups.com
Claire Cadman assigned an issue to Claire Cadman
 
Change By: Claire Cadman
Assignee: Chris Cowell Claire Cadman
Reply all
Reply to author
Forward
0 new messages