Skip to content

Use Sensitive data type for passwords

Patrick Brideau requested to merge (removed):feat/sensitive_password into master

Currently, the master password of the whole infrastructure is displayed in the logs when the install exec fail:

Error: '/usr/sbin/ipa-client-install [...] --password='myverysecurepassword' [...]

Obviously, it is not a very secure way to display sensitive informations. This patch store the password into an environment variable, at least the password is not displayed in the logs when the exec fail:

Error: '/usr/sbin/ipa-client-install [...] --password="$PASSWORD_USEDTO_JOINDOMAIN" [...]

I’ve also added support to provide the password as Sensitive type, which exists in puppet 6 and puppet 7. Not supported on Puppet 5 (which is claimed to be supported in metadata.json) but is EOL. I’ve adjusted the metadata.json. Also added tests about this feature.

Any feedback is welcome!

Edited by Fabien Combernous

Merge request reports

Loading