Bug #1566
No log diffing (encrypted root in log problem)
| Status: | Closed | Start date: | 09/08/2008 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | transactions | | |
| Target version: | 0.24.6 | | |
| Affected Puppet version: | 0.24.4 | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
Right now some of the root password changing bits show up in the logs, which we aren’t comfortable with; it’s just that lots of people have access to our logs but shouldn’t have access to the encrypted root password.
I was wondering if it would be useful to do something like:
logdiff => false
Defaulting to true, it would behave exactly as it does now. If it’s false, though, the change will still show up in the logs as something that changed, but it won’t show you explicitly what. If this is a dupe, please close.
History
Updated by James Turnbull over 3 years ago
- Category changed from unknown to transactions
- Status changed from Unreviewed to Needs More Information
Can you explain what in the logs you want to restrict and maybe the logs and manifests you are using?
Updated by Mike McGrath over 3 years ago
In my case of passwords (including root) I’ve got:
class my_user {
  include ruby-shadow-package
  user { 'myUser':
    ensure   => present,
    name     => 'myUser',
    password => '$6$NotRealSalt$NotEncryptedPassword'
  }
}
When it creates this user the logs show:
Sep 11 13:56:40 app3 puppetd[25643]: (//Node[app3]/root_user/User[myUser]/ensure) created
That’s fine, but when I change it I get:
Sep 11 13:57:56 app3 puppetd[26545]: (//Node[app3]/root_user/User[root1]/password) password changed ‘$1$OldSalt$OldCryptedPass’ to ‘$6$NotRealSalt$NotEncryptedPassword’
and that stays in the logs, which is something blocking us from using that feature to manage our root passwords.
Updated by James Turnbull over 3 years ago
- Status changed from Needs More Information to Accepted
- Assignee set to Luke Kanies
- Target version set to 4
I am afraid – unless Luke leaps in and says otherwise – that this isn’t an easy fix. All property changes echo as entries …. any idea Luke (I am presuming this comes out of lib/puppet/property.rb)?
Updated by Luke Kanies over 3 years ago
- Assignee changed from Luke Kanies to Puppet Community
- 3 changed from Unknown to Easy
This should actually be pretty easy to do — there’s a ‘change_to_s’ hook you can set in the ‘password’ property.
Search for that method in other types to get an idea of how it’s used; it’s pretty simple.
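A stand-alone Ruby model of the hook approach suggested in the comment above, added here as an example; it is not Puppet's code and not the patch from this ticket. Only the `change_to_s` hook name comes from the thread; the class names, the returned messages, the hash-matching regex and the sample log lines are assumptions constructed for illustration.

```ruby
# Stand-alone model of the hook; class names are hypothetical, not Puppet's.
class ModelProperty
  attr_reader :name

  def initialize(name)
    @name = name
  end

  # Default behaviour described in the thread: echo both values into the log.
  def change_to_s(current, desired)
    "#{name} changed '#{current}' to '#{desired}'"
  end
end

class ModelPasswordProperty < ModelProperty
  # Override: record that a change happened, never the old or new value.
  def change_to_s(current, _desired)
    current == :absent ? "created password" : "changed password"
  end
end

# Matches crypt(3)-style strings such as $1$salt$hash or $6$salt$hash.
CRYPT_HASH = %r{\$[0-9a-z]{1,2}\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+}

# Returns the log lines that still contain a crypt-style hash.
def leaking_lines(lines)
  lines.select { |line| line.match?(CRYPT_HASH) }
end

# Constructed values, modelled on the placeholders used in the thread.
OLD_HASH = '$1$OldSalt$OldCryptedPass'
NEW_HASH = '$6$NotRealSalt$NotEncryptedPassword'

# Builds two constructed log lines: one for creation, one for a change.
def sample_log(property)
  [
    "(User[myUser]/#{property.name}) #{property.change_to_s(:absent, NEW_HASH)}",
    "(User[myUser]/#{property.name}) #{property.change_to_s(OLD_HASH, NEW_HASH)}",
  ]
end

if __FILE__ == $PROGRAM_NAME
  [ModelProperty, ModelPasswordProperty].each do |klass|
    log = sample_log(klass.new("password"))
    puts "#{klass}: #{leaking_lines(log).size} of #{log.size} lines leak a hash"
  end
end
```

The same `leaking_lines` check can be run over existing log files to find entries written before the override was in place.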
Updated by James Turnbull over 3 years ago
- Status changed from Accepted to Needs Decision
- Assignee changed from Puppet Community to Luke Kanies
- Target version changed from 4 to 0.24.6
Okay. I’ve patched and sent to the dev-list. Will await comment.
Updated by Luke Kanies over 3 years ago
- Status changed from Needs Decision to Accepted
- Assignee changed from Luke Kanies to James Turnbull
Updated by James Turnbull over 3 years ago
- Status changed from Accepted to Closed
Pushed in commit:8f1336f94e4f566e229efb64be168530e402741b in branch 0.24.x