Skip to content

fix: hide passwords when applying states #269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: hide passwords when applying states #269

wants to merge 1 commit into from

Conversation

@an0nz
Copy link

@an0nz an0nz commented Aug 1, 2022

PR progress checklist (to be filled in by reviewers)

  • Changes to documentation are appropriate (or tick if not required)
  • Changes to tests are appropriate (or tick if not required)
  • Reviews completed

What type of PR is this?

Primary type

  • [build] Changes related to the build system
  • [chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
  • [ci] Changes to the continuous integration configuration
  • [feat] A new feature
  • [fix] A bug fix
  • [perf] A code change that improves performance
  • [refactor] A code change that neither fixes a bug nor adds a feature
  • [revert] A change used to revert a previous commit
  • [style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)

Secondary type

  • [docs] Documentation changes
  • [test] Adding missing or correcting existing tests

Does this PR introduce a BREAKING CHANGE?

No.

Related issues and/or pull requests

#258
#75

Describe the changes you're proposing

Use environment variables and output_loglevel values to ensure passwords are not displayed during state runs or in log files for relevant cmd.run states

This is not perfect as the rendered YAML for the state in debug logs will still show the password, but it hides it from the standard output.

Pillar / config required to test the proposed changes

None, existing tests will be fine

Debug log showing how the proposed changes work

Running state [mysql -u root -hlocalhost -p$SALT_PASS smp < /etc/mysql/smp.schema] at time 22:56:03.198010
Executing state cmd.run for [mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema]
{'pid': 12967, 'retcode': 0, 'stdout': '', 'stderr': ''}
Completed state [mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema] at time 22:56:03.238271 (duration_in_ms=40.26)
LazyLoaded mysql_user.present


ID: mysql_db_0_load
Function: cmd.run
Name: mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema
Result: True
Comment: Command "mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema" run
Started: 22:56:03.198011
Duration: 40.26 ms
Changes:   
----------
pid:
  12967
retcode:
  0
stderr:
stdout:

Documentation checklist

  • Updated the README (e.g. Available states).
  • Updated pillar.example.

Testing checklist

  • Included in Kitchen (i.e. under state_top).
  • Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
  • Updated the relevant test pillar.

Additional context

Have been running a production environment with these changes for over a year without issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@an0nz @tbryant-vygr