How do I exclude file content from PuppetDB?

asked 2014-07-21 15:19:32 -0500

Christian Berg

I recently realized that the entire content of file resources is stored in PuppetDB, if the "content" attribute of the file type is used (most likely because the content is generated from an ERB template).

I generally don't wish for file content to be stored in PuppetDB, since config files may contain sensitive information such as passwords.

Is there a way to exclude the content attribute of all file resources from being sent to PuppetDB? Or to suppress some resources from being stored altogether?


1 Answer


answered 2014-07-22 05:06:43 -0500

The short answer is, you can't. The long answer is, you could with your own terminus modifications, but this would require coding knowledge.

The problem in fact is even deeper than you describe and could potentially affect any parameters, not just content. In fact there are probably a lot of cases where the file content might not be private at all, but perhaps some parameter in a resource is actually private. The user resource has a perfect example of this, and so do some resources like mysql, which might allow cleartext if the user so chooses.

This is why we do things like only allowing client-based SSL auth to work, and why we provide functionality such as the certificate whitelist (to only allow certain boxes to talk to PuppetDB). So at the very least you can lock down the service to only trusted sources.

In regards to tickets, we do have some users who have requested the ability to control the ACLs so that users have fine-grained access to their data ( https://tickets.puppetlabs.com/browse... ) but we lack a ticket that covers filtering information before it gets into PuppetDB. I think if you wanted to raise one that would be a good idea.

If this is something urgent, then you could always modify the terminus code yourself: https://github.com/puppetlabs/puppetd... and force the fields you want to be removed before submission. Making a proper patch that is merge-worthy however would require a bit of work.

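A standalone illustration of the filtering step the answer describes, added here and not the asker's or the PuppetDB project's own code: chosen parameters are blanked out of a catalog hash before it would be submitted, and a check reports anything still carrying a real value. The catalog shape, the File/content and User/password map and the sample resources are constructed assumptions; wiring this into the actual terminus is the modification the answer refers to.

```ruby
require 'json'

# Parameters to strip before the catalog reaches PuppetDB, keyed by the
# lower-cased resource type. Constructed defaults for this example; extend
# the map with any other parameter you consider private.
DEFAULT_REDACTIONS = {
  'file' => %w[content],
  'user' => %w[password],
}.freeze

REDACTED_MARKER = '<redacted>'.freeze

# Returns a deep copy of +catalog+, a Hash in the constructed shape
# {"resources" => [{"type", "title", "parameters" => {...}}, ...]},
# with every listed parameter replaced by REDACTED_MARKER. The input is
# not modified, so the catalog the agent applies still has the real content.
def redact_catalog(catalog, redactions = DEFAULT_REDACTIONS)
  copy = JSON.parse(JSON.generate(catalog))
  Array(copy['resources']).each do |resource|
    keys = redactions[resource['type'].to_s.downcase]
    params = resource['parameters']
    next unless keys && params
    keys.each { |k| params[k] = REDACTED_MARKER if params.key?(k) }
  end
  copy
end

# Check to run on the catalog just before submission: lists [type, title,
# parameter] for every listed parameter that still carries a real value.
def leaked_parameters(catalog, redactions = DEFAULT_REDACTIONS)
  Array(catalog['resources']).flat_map do |resource|
    keys = redactions.fetch(resource['type'].to_s.downcase, [])
    params = resource['parameters'] || {}
    keys.select { |k| params.key?(k) && params[k] != REDACTED_MARKER }
        .map { |k| [resource['type'], resource['title'], k] }
  end
end

# Constructed sample catalog: a template-rendered config file holding a
# password, a user with a password hash, and a harmless package.
SAMPLE_CATALOG = {
  'resources' => [
    { 'type' => 'File', 'title' => '/etc/app.conf',
      'parameters' => { 'content' => "db_password=s3cret\n", 'mode' => '0600' } },
    { 'type' => 'User', 'title' => 'app',
      'parameters' => { 'password' => '$6$salt$hash', 'ensure' => 'present' } },
    { 'type' => 'Package', 'title' => 'app', 'parameters' => { 'ensure' => 'installed' } },
  ],
}.freeze
```

Calling `redact_catalog(SAMPLE_CATALOG)` yields the File with its content replaced and the User with its password replaced, while `leaked_parameters(SAMPLE_CATALOG)` on the untouched input lists the two values that would otherwise have been stored.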
