Jira (PUP-10950) unless should support sensitive data for any type


Sheena Tharakanparampil (Jira)

Mar 4, 2021, 1:16:03 PM
to puppe...@googlegroups.com
Sheena Tharakanparampil created an issue
 
Puppet / Bug PUP-10950
unless should support sensitive data for any type
Issue Type: Bug
Assignee: Unassigned
Created: 2021/03/04 10:15 AM
Priority: Normal
Reporter: Sheena Tharakanparampil

Puppet Version: 6.22.0 (was able to reproduce the problem on puppetagent6-nightly and puppetagent7-nightly)
OS Name/Version: Ubuntu 18.04 (on all OSes)

Sensitive masking is not implemented in core puppet at the points where the module needs it:

Using 'Sensitive' in 'unless' throws the following error

Steps to reproduce the problem

Install the latest version of the postgresql module (v6.10.2 and above), which uses Sensitive for security fixes.

puppet module install puppetlabs-postgresql --version 7.0.0

Apply the following manifest

 

test.pp
class { 'postgresql::server': }
postgresql::server::role { 'testuser':
  password_hash => postgresql::postgresql_password('testuser', 'testpw'),
}
 
puppet apply test.pp
Notice: Compiled catalog for oval-secrecy.delivery.puppetlabs.net in environment production in 0.37 seconds
Warning: /Postgresql_psql[ALTER ROLE testuser ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
Notice: /Stage[main]/Main/Postgresql::Server::Role[testuser]/Postgresql_psql[CREATE ROLE testuser ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]
Notice: Applied catalog in 1.01 seconds
root@oval-secrecy:~#

 

Desired Behavior:

unless should support sensitive data

Actual Behavior:

Throws the below error on unless 

Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

Found similar tickets for exec type

https://tickets.puppetlabs.com/browse/PUP-8399

Please let us know if you need more information.

 

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Sheena Tharakanparampil (Jira)

Mar 4, 2021, 1:17:02 PM
to puppe...@googlegroups.com
Sheena Tharakanparampil updated an issue
Change By: Sheena Tharakanparampil
Puppet Version: 6.22.0 (was able to reproduce the problem on puppet6-nightly and puppet7-nightly)
OS Name/Version: Ubuntu 18.04 (on all OSes)

Sensitive masking is not implemented in core puppet at the points where the module needs it:


Using 'Sensitive' in 'unless' throws the following error

Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

Steps to reproduce the problem


Install the latest version of the postgresql module (v6.10.2 and above), which uses Sensitive for security fixes.

puppet module install puppetlabs-postgresql --version 7.0.0

Apply the following manifest

 
test.pp
class { 'postgresql::server': }
postgresql::server::role { 'testuser':
  password_hash => postgresql::postgresql_password('testuser', 'testpw'),
}

puppet apply test.pp
Notice: Compiled catalog for oval-secrecy.delivery.puppetlabs.net in environment production in 0.37 seconds
Warning: /Postgresql_psql[ALTER ROLE testuser ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
Notice: /Stage[main]/Main/Postgresql::Server::Role[testuser]/Postgresql_psql[CREATE ROLE testuser ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]
Notice: Applied catalog in 1.01 seconds
root@oval-secrecy:~#
 

Desired Behavior:


unless should support sensitive data

Actual Behavior:


Throws the below error on unless 

Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.


Found similar tickets for exec type

https://tickets.puppetlabs.com/browse/PUP-8399

Please let us know if you need more information.

 

David Schmitt (Jira)

Mar 5, 2021, 8:38:01 AM
to puppe...@googlegroups.com
David Schmitt commented on Bug PUP-10950
 
Re: unless should support sensitive data for any type

This issue is affecting customers deploying the recent security-related postgresql release (see https://github.com/puppetlabs/puppetlabs-postgresql/pull/1249 for details).

Kenyon Ralph (Jira)

Mar 7, 2021, 2:01:03 PM
to puppe...@googlegroups.com
Kenyon Ralph updated an issue
 
Change By: Kenyon Ralph
Puppet Version: 6.22.0 (was able to reproduce the problem on puppet6-nightly and puppet7-nightly)

OS Name/Version: Ubuntu 18.04 (on all OSes)

Sensitive masking is not implemented in core puppet at the points where the module needs it:

Using 'Sensitive' in 'unless' throws the following error

Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

Steps to reproduce the problem

Install the latest version of the postgresql module (v6.10.2 and above), which uses Sensitive for security fixes.

puppet module install puppetlabs-postgresql --version 7.0.0

Apply the following manifest

 
test.pp
class { 'postgresql::server': }
postgresql::server::role { 'testuser':
  password_hash => postgresql::postgresql_password('testuser', 'testpw'),
}

puppet apply test.pp
Notice: Compiled catalog for oval-secrecy.delivery.puppetlabs.net in environment production in 0.37 seconds
Warning: /Postgresql_psql[ALTER ROLE testuser ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
Notice: /Stage[main]/Main/Postgresql::Server::Role[testuser]/Postgresql_psql[CREATE ROLE testuser ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]
Notice: Applied catalog in 1.01 seconds
root@oval-secrecy:~#
 

Desired Behavior:

unless should support sensitive data

Actual Behavior:

Throws the below error on unless 

Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

Found similar tickets for exec type


https://tickets.puppetlabs.com/browse/PUP-8399


Please let us know if you need more information.

 

Josh Cooper (Jira)

Mar 8, 2021, 1:02:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10950
 
Re: unless should support sensitive data for any type

Hi Sheena Tharakanparampil, puppet will automatically redact sensitive properties, because there are well-defined methods for printing the current state (is_to_s) and desired state (should_to_s), and those methods will redact sensitive properties automatically. However, puppet doesn't know how parameters will be handled in a custom type/provider. If a Sensitive value is passed to a parameter and the parameter hasn't explicitly said it accepts sensitive values, then we err on the side of caution and raise an error.

The recommended way of fixing this is to override the set_sensitive_parameters method and mark the parameter as sensitive. It's the module's way of saying "I'm taking ownership of this sensitive data". For example: https://github.com/puppetlabs/puppet/commit/abd866a648a32d3895011d25af5d4b3d994669c8#diff-7b346a4c9ed8ffeefe92b019c36ca30c8e3cf1cbfef09fc45485df64075adcc0R607-R614

Alternatively, call the sensitive DSL method like the user's password logonpassword parameter: https://github.com/puppetlabs/puppet/blob/12401c3af42cfbae41b48621f5b42336db1ace1d/lib/puppet/type/service.rb#L180. This option requires puppet 6 or greater that supports the sensitive DSL method. Trying to use that on older puppet versions will prevent the type from loading. We ran into that in the yumrepo_core module and had to go back to the older way of defining sensitive parameters https://github.com/puppetlabs/puppetlabs-yumrepo_core/pull/6

The issue can also be avoided by changing the parameter to a property.
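The mechanism Josh describes above, as an added illustration that is not code from Puppet or from the postgresql module: a self-contained Ruby stand-in with constructed class names (SensitiveValue, Attribute, Property, Parameter, ResourceType, PsqlBefore, PsqlAfter). Only the method names set_sensitive_parameters, should_to_s and parameter(name).sensitive mirror the real Puppet::Type API used in the linked exec-type commit; everything else is a simplified model written for this thread. The ALTER ROLE string and its md5 value are constructed placeholders, not a real password hash.

```ruby
# Added example (not Puppet's code): models why Puppet redacts Sensitive values
# on properties automatically but refuses them on parameters unless the type
# opts in. Class names are constructed; only set_sensitive_parameters,
# should_to_s and parameter(name).sensitive mirror the real Puppet::Type API.

# Stand-in for Puppet's Sensitive wrapper: prints redacted, unwraps on demand.
class SensitiveValue
  attr_reader :unwrap
  def initialize(value)
    @unwrap = value
  end

  def to_s
    'Sensitive [value redacted]'
  end
end

class Attribute
  attr_accessor :sensitive, :value
  attr_reader :name
  def initialize(name)
    @name = name
    @sensitive = false
  end

  def to_s
    sensitive ? '[redacted]' : value.to_s
  end
end

# Properties have a well-defined printer for desired state, so the framework
# can redact them without knowing anything about the provider.
class Property < Attribute
  alias should_to_s to_s
end

# Parameters are opaque to the framework: only the type/provider knows how
# they are used (here, 'unless' ends up in a psql command line).
class Parameter < Attribute; end

class ResourceType
  class << self
    attr_reader :property_names
    def newproperty(name)
      (@property_names ||= []) << name
    end

    def newparam(name)
      (@param_names ||= []) << name
    end
  end

  attr_reader :warnings

  def initialize(values)
    @warnings = []
    @attrs = {}
    sensitive_names = []
    values.each do |name, raw|
      is_prop = (self.class.property_names || []).include?(name)
      attr = is_prop ? Property.new(name) : Parameter.new(name)
      sensitive_names << name if raw.is_a?(SensitiveValue)
      attr.value = raw.is_a?(SensitiveValue) ? raw.unwrap : raw
      @attrs[name] = attr
    end
    set_sensitive_parameters(sensitive_names)
  end

  def parameter(name)
    @attrs[name]
  end

  # Default behaviour: properties are marked sensitive; any parameter still in
  # the list is refused with the warning quoted in this ticket. In this model
  # the refused parameter then falls through unredacted, which is exactly the
  # leak the warning is there to flag.
  def set_sensitive_parameters(sensitive_parameters)
    sensitive_parameters.each do |name|
      if @attrs[name].is_a?(Property)
        @attrs[name].sensitive = true
      else
        @warnings << "Unable to mark '#{name}' as sensitive: #{name} is a parameter and not a property, and cannot be automatically redacted."
      end
    end
  end

  # What each attribute would look like in a log line.
  def describe
    @attrs.map { |name, attr| "#{name}: #{attr}" }
  end
end

# Before the fix: a psql-like type that has not taken ownership of 'unless'.
class PsqlBefore < ResourceType
  newproperty :command
  newparam :unless
end

# After the fix: the type marks 'unless' sensitive itself, then hands the rest
# to the default handling, the same shape as the exec-type commit linked above.
class PsqlAfter < ResourceType
  newproperty :command
  newparam :unless

  def set_sensitive_parameters(sensitive_parameters)
    if sensitive_parameters.include?(:unless)
      sensitive_parameters.delete(:unless)
      parameter(:unless).sensitive = true
    end
    super(sensitive_parameters)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample; the md5 value is a placeholder, not a real hash.
  secret = SensitiveValue.new("ALTER ROLE testuser ENCRYPTED PASSWORD 'md5PLACEHOLDER'")
  puts PsqlBefore.new(command: secret, unless: secret).warnings
  puts PsqlAfter.new(command: secret, unless: secret).describe
end
```

Running the file prints the ticket's warning for PsqlBefore and two redacted lines for PsqlAfter; the difference between the two classes is only the override, which is the change the module needed to make.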

Sheena Tharakanparampil (Jira)

Mar 9, 2021, 12:54:03 PM
to puppe...@googlegroups.com

Josh Cooper Thanks a lot for the detailed information with examples. Much appreciated.

Will incorporate the changes. Thank you.

Sheena Tharakanparampil (Jira)

Mar 11, 2021, 4:03:06 AM
to puppe...@googlegroups.com

Made changes to the module https://github.com/puppetlabs/puppetlabs-postgresql/pull/1258

Also raised a feature ticket to declare parameters and properties as sensitive without the set_sensitive_parameters override:

https://tickets.puppetlabs.com/browse/PUP-10961

Thanks a lot for all the help.

Josh Cooper (Jira)

Mar 11, 2021, 1:56:01 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10950

Thanks for filing 10961 Sheena Tharakanparampil, I'm going to close this ticket.

Sheena Tharakanparampil (Jira)

Mar 15, 2021, 10:38:03 AM
to puppe...@googlegroups.com

root@lowly-immodesty:~# puppet apply 1.pp
Notice: Compiled catalog for lowly-immodesty.delivery.puppetlabs.net in environment production in 0.46 seconds
Notice: /Stage[main]/Postgresql::Server::Install/Package[postgresql-server]/ensure: created
Notice: /Stage[main]/Postgresql::Server::Config/Concat[/etc/postgresql/10/main/pg_hba.conf]/File[/etc/postgresql/10/main/pg_hba.conf]/content: content changed '{md5}81569154287d27391779c82d1fb32b89' to '{md5}85cf7197535eff9999ba5de8665bb53e'
Notice: /Stage[main]/Postgresql::Server::Config/Concat[/etc/postgresql/10/main/pg_ident.conf]/File[/etc/postgresql/10/main/pg_ident.conf]/content: content changed '{md5}f11c8332d3f444148c0b8ee83ec5fc6d' to '{md5}9300ac105fe777787ac9e793b8df8d25'
Notice: /Stage[main]/Main/Postgresql::Server::Role[testuser]/Postgresql_psql[CREATE ROLE testuser ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]
Notice: /Stage[main]/Postgresql::Server::Reload/Exec[postgresql_reload]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 25.35 seconds
root@lowly-immodesty:~#
