Issue with handling sensitive data (passwords) using Puppet and Hiera-Eyaml.

asked 2017-05-10 10:38:11 -0600

loureiro

Hi guys,

I am testing Hiera-Eyaml for encrypting the passwords for the users in our Cassandra databases.
Encrypting the passwords in the eyaml files and passing the Hiera data to the testing nodes works fine.

My module runs an exec statement that basically performs an "alter user <user> with password <password>" in Cassandra, <password> being the Eyaml encrypted string being passed from Hiera.

Problem arises when I run a "puppet agent -t --debug" from the agent nodes, as it shows the passwords in plain text... is there any way of preventing this master-side? I read about the show_diff metaparameter but it only applies to file resources.





This module might do what you are trying to do: Take a look at how they implement a "secret" tag in their resource type.

keystone_config { 'DEFAULT/admin_token': value => $admin_token, secret => true; }

Red Cricket ( 2017-05-11 02:19:25 -0600 )

That module is passing the value into a custom type/provider. The problem is that the OP is trying to only use an 'exec' resource, which is shown during debugging. There are no parameters to suppress exec output.

DarylW ( 2017-05-11 07:53:28 -0600 )

However, one potential way to work 'around' this if you don't want the complexity of a type/provider is to create a script on disk that contains the command, and run that with the exec. However, you then have a file on disk with the plaintext password in it. (can be root/root/400, but still)

DarylW ( 2017-05-11 07:54:28 -0600 )

Also, which module are you using for Cassandra?

DarylW ( 2017-05-11 07:55:54 -0600 )

Yeah, generating a script on disk with the password in plain text could work in some situations but well, definitely not the best workaround possible. I'm using this module from Puppet Forge, with some modifications to the cassandra::schema::user.pp manifest:

loureiro ( 2017-05-12 04:33:24 -0600 )

2 Answers


answered 2018-09-06 20:56:37 -0600

Romiko


You can remove it from reports etc:

$secret = Sensitive('myPassword')



Awesome, is this new, or has this been around for a while?

DarylW ( 2018-09-06 23:23:19 -0600 )

ah, it is a 'data type', not a function! I haven't used puppet newer than 3.x

DarylW ( 2018-09-07 08:24:07 -0600 )
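The two suggestions in this thread (the script on disk and the Sensitive data type) can be combined, shown here as an added example that is not code from any post above or from the Cassandra module. The class name, Hiera key, user name and file path are hypothetical, and it assumes a Puppet version whose file type accepts a Sensitive value for content and that cqlsh reads its own login from root's cqlshrc.

```puppet
# Added example; class name, Hiera key, user and file path are hypothetical.
# Assumes cqlsh authenticates via root's ~/.cassandra/cqlshrc, so no
# credentials appear on the exec command line.
class profile::cassandra_user (
  # Hiera can hand the eyaml-decrypted value over already wrapped:
  #   lookup_options:
  #     profile::cassandra_user::password:
  #       convert_to: 'Sensitive'
  Sensitive[String[1]] $password,
  String[1]            $user     = 'app_user',
  String[1]            $cql_file = '/root/.alter_app_user.cql',
) {
  # Interpolating a Sensitive directly yields a redacted placeholder, so
  # unwrap it, double any single quotes for CQL, and re-wrap the statement.
  $escaped = regsubst($password.unwrap, "'", "''", 'G')
  $cql     = Sensitive("ALTER USER ${user} WITH PASSWORD '${escaped}';\n")

  # Sensitive content keeps the statement out of file diffs, logs and reports.
  file { $cql_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0400',
    content => $cql,
  }

  # The command line only names the file, so --debug output shows a path,
  # not the password. The exec fires only when the file content changes.
  exec { "alter cassandra password for ${user}":
    command     => "cqlsh -f ${cql_file}",
    path        => ['/usr/bin', '/bin'],
    refreshonly => true,
    subscribe   => File[$cql_file],
  }
}
```

The plaintext still exists in the root-only file and in the compiled catalog the agent receives, so this limits exposure in logs and reports rather than removing the secret from the node.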

answered 2017-05-15 03:57:12 -0600

loureiro

Is there any way of preventing an exec statement from outputting stuff in plain text?


Asked: 2017-05-10 10:38:11 -0600

Seen: 825 times

Last updated: Sep 06