Plugins: Ability to flag sensitive data
I'll use an artificial example to explain the issue, but realize there are already legitimate use cases for this.Let's say an importer needs a username/password to access an external source. As of right now, there are two issues:* The importer configuration values are stored in plain text in the database.* The importer configuration is displayed, in its entirety, when using the built in ""pulp-admin repo list --details"" command.I think the solution is to add a new attribute to the plugin metadata section that lets the plugin tell Pulp the names of configuration values that contain sensitive data. That can cause Pulp to do the following:* Encrypt in some fashion that portion of the configuration when persisting to the database.* Decrypt those fields when retrieving the configuration only when it is going to be used by the plugin.* By comparison, when returning data about a repo's plugins, the field is returned encrypted.* Optionally, the built in extensions can detect which fields are encrypted and display a message to the user informing them that the value is present but hidden.I haven't thought through this solution 100% yet, but it's a start.
#3 Updated by bmbouter about 2 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.
Please register to edit this issue