
Bolt logs sensitive data by default in certain contexts #3217

Closed
Ziaunys opened this issue Jul 11, 2023 · 2 comments
Labels
Bug Bug reports and fixes.

Comments

Ziaunys (Contributor) commented Jul 11, 2023

Describe the Bug

With the default logging configuration, Bolt logs sensitive parameters of a class that is applied during a Puppet apply block when running a plan.

Expected Behavior

I don't think sensitive data should be logged, period, but I would settle for not logging any by default. Additionally, I would not overload the log level to indicate when sensitive data is logged because it seems like an unexpected side effect. Perhaps there could be a separate setting to determine if sensitive data should be logged.

Steps to Reproduce

Steps to reproduce the behavior:

1. Create a class that looks like this:

```puppet
class my_module::sensitive_test (Sensitive[String[1]] $password, Hash[String[1], Sensitive[String[1]]] $secret_hash) {
  notify { 'This class has a sensitive parameter': }
}
```

2. Declare this class in a Bolt plan:

```puppet
plan my_module::sensitive_param_test() {
  apply('test_target', '_run_as' => 'root') {
    class { 'my_module::sensitive_test':
      password    => Sensitive('this_is_a_secret'),
      secret_hash => { 'secret_key' => Sensitive('secret_value') },
    }
  }
}
```

3. Run the bolt plan.
4. Check the bolt-debug.log to see the sensitive params logged. You should see a log line like the following:

```
2023-07-11T16:03:57.367699 INFO   [apply-worker-1] [Bolt::Executor] {"tags":["settings","my_module::sensitive_test","my_module","sensitive_test","class"],"name":"zounese-dev-madding-larvae","version":1689116637,"code_id":null,"catalog_uuid":"1b8edb44-e6fa-4a88-bb8c-75cb4a75b9dc","catalog_format":2,"environment":"bolt_catalog","resources":[{"type":"Stage","title":"main","tags":["stage"],"exported":false,"kind":"compilable_type","parameters":{"name":"main"}},{"type":"Class","title":"Settings","tags":["class","settings"],"exported":false,"kind":"unknown"},{"type":"Class","title":"main","tags":["class"],"exported":false,"kind":"unknown","parameters":{"name":"main"}},{"type":"Class","title":"My_module::Sensitive_test","tags":["class","my_module::sensitive_test","my_module","sensitive_test"],"file":"/home/zounese/IdeaProjects/PipelinesInfra/deploy/envs/dev/.modules/my_module/plans/sensitive_param_test.pp","line":32,"exported":false,"kind":"class","parameters":{"password":"this_is_a_secret","secret_hash":{"secret_key":{"__ptype":"Sensitive","__pvalue":"secret_value"}}},"sensitive_parameters":["password"]},{"type":"Notify","title":"This class has a sensitive parameter","tags":["notify","class","my_module::sensitive_test","my_module","component","sensitive_test"],"file":"/home/zounese/IdeaProjects/PipelinesInfra/deploy/envs/dev/.modules/my_module/manifests/sensitive_test.pp","line":2,"exported":false,"kind":"compilable_type"}],"edges":[{"source":"Stage[main]","target":"Class[Settings]"},{"source":"Stage[main]","target":"Class[main]"},{"source":"Stage[main]","target":"Class[My_module::Sensitive_test]"},{"source":"Class[My_module::Sensitive_test]","target":"Notify[This class has a sensitive parameter]"}],"classes":["settings","my_module::sensitive_test"]}
```

Note that both sensitive parameters of the class are logged at INFO level.

Environment

  • Version: 3.26.1
  • Platform: Ubuntu 20.04
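As an added example (not Bolt's code; the fix Bolt shipped for this issue moved the catalog log line to TRACE instead), a Ruby redaction pass that could be run over a compiled catalog before it is written to a log. It assumes only the catalog structure visible in the log line above: a per-resource `sensitive_parameters` list, and the `__ptype`/`__pvalue` serialisation of a Sensitive value nested inside a hash, which is not listed in `sensitive_parameters` and so needs a separate recursive check.

```ruby
require 'json'

# Constructed sample, shaped like the catalog fragment in the issue's log line:
# "password" is listed in sensitive_parameters, but the Sensitive value nested
# inside secret_hash only appears as a __ptype/__pvalue wrapper.
SAMPLE_CATALOG = {
  'resources' => [
    { 'type' => 'Class', 'title' => 'My_module::Sensitive_test',
      'parameters' => {
        'password'    => 'this_is_a_secret',
        'secret_hash' => { 'secret_key' => { '__ptype' => 'Sensitive', '__pvalue' => 'secret_value' } }
      },
      'sensitive_parameters' => ['password'] },
    { 'type' => 'Notify', 'title' => 'This class has a sensitive parameter',
      'parameters' => { 'message' => 'hello' } }
  ]
}.freeze

REDACTED = '[redacted]'.freeze

# Recursively replace serialised Sensitive wrappers anywhere inside a value.
def redact_wrapped(value)
  case value
  when Hash
    return REDACTED if value['__ptype'] == 'Sensitive' && value.key?('__pvalue')
    value.transform_values { |v| redact_wrapped(v) }
  when Array
    value.map { |v| redact_wrapped(v) }
  else
    value
  end
end

# Return a deep copy of the catalog that is safe to log: parameters named in
# sensitive_parameters are replaced, then nested wrappers are redacted.
def redact_catalog(catalog)
  copy = JSON.parse(JSON.generate(catalog)) # catalog is plain JSON data
  copy.fetch('resources', []).each do |res|
    params = res['parameters']
    next unless params.is_a?(Hash)
    Array(res['sensitive_parameters']).each { |n| params[n] = REDACTED if params.key?(n) }
    res['parameters'] = redact_wrapped(params)
  end
  copy
end

# Check what is about to be logged against known secret values (e.g. in a test).
def leaked_secrets(catalog, known_secrets)
  text = JSON.generate(catalog)
  known_secrets.select { |s| text.include?(s) }
end
```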
Ziaunys added the Bug label Jul 11, 2023
Ziaunys changed the title from "Bolt log sensitive data by default in certain contexts" to "Bolt logs sensitive data by default in certain contexts" Jul 12, 2023
donoghuc added a commit to donoghuc/bolt that referenced this issue Aug 10, 2023
Previously compiled catalogs would be logged per target at INFO level. This clogs up logs and can expose Sensitive data in catalogs. This commit moves logging of compiled catalogs to the TRACE log level only.

!bug

* **Only log compiled catalogs at trace level**
  ([puppetlabs#3217](puppetlabs#3217))

  Previously compiled catalogs would be logged per target at INFO level. This clogs up
  logs and can expose Sensitive data in catalogs. This commit moves logging of
  compiled catalogs to the TRACE log level only.
donoghuc (Contributor) commented Aug 10, 2023

@Ziaunys I think this will be pretty straightforward. I propose we only log this at trace level; this should ensure that you will not have to override the default logs to keep catalogs out of the log files. #3222

donoghuc added a commit that referenced this issue Aug 11, 2023
(GH-3217) Only log compiled catalogs at trace level
donoghuc (Contributor) commented
Shipped in 3.27.2
