Project

Profile

Help

Issue #3521

closed

last_override_config exposes sensitive info

Added by rmcgover over 6 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.16.2
OS:
Triaged:
Yes
Groomed:
Yes
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 38
Quarter:

Description

Importers and distributors have a "last_override_config" object which is exposed via the API.

In several cases, secrets are passed into override_config when triggering a task. For example, in yum importer there's ssl_client_key and in docker importer there's basic_auth_password. If these config items are given, they're stored in last_override_config and then become readable to all users with read access on the distributor/importer.

This makes usage of those config items quite dangerous as one can't pass these secrets into the API for a sync without also considering which users have read access on the objects, and whether it's OK to expose the secret to those users. Or more likely, one would fail to consider this, and thus would build tools/workflows which expose the secrets without realizing it.

That latter scenario is exactly what I'm faced with now, because it has always been established procedure that our Pulp installations internally have widely shared read-only accounts, allowing everyone to freely data mine / build applications on top of our Pulp without administrative hassle. Due to realization of this issue, that's now under threat and we may be forced to make the system less convenient.

Solution:
- Keep the secrets in the DB but don't render them in the API


Related issues

Related to Pulp - Issue #4083: Non-sensitive information is not being displayed for last_override_configCLOSED - WONTFIXActions

Also available in: Atom PDF