Issue #11031 has been updated by Nigel Kersten.
Daniel Pittman wrote:
> I see your point. I am very concerned that we would give a false impression
> to users who saw this data cleaned up in one case, but then found out that
> their own use of private data was not equivalently fixed; that creates a
> complex and invisible mental model that I fear would lead people astray.

You're arguing that the *absence* of a particular part of EC2 metadata in Facter will lead to people thinking that their own _facts_ will get automatically sanitized?

One is a data source that facts are generated from. The other is data that users have chosen to be displayed as facts. The intention is completely different.

In the first case the user is required to put this data into EC2 metadata to make cloud-init work. The user has expressed no intention for this to be in Facter.

In the second case the user has expressly intended to make certain data available in Facter.

These are not equivalent.
----------------------------------------
Bug #11031: capturing ec2 userdata as a fact may be a security risk
https://projects.puppetlabs.com/issues/11031

Author: Dan Bode
Status: Investigating
Priority: Normal
Assignee: Adrien Thebo
Category:
Target version: 1.6.x
Keywords:
Branch:
Affected Facter version:

When cloud-init is used for bootstrapping nodes, a script contained in the userdata is often passed to the node to perform bootstrapping. In the case of cloud formation, this script often contains IAM credentials (access code/secret code) that are used to call cfn-init.

In my integration of PE with cloudformation, I can see the AWS credentials in the inventory service when running b/c they are captured as a part of the ec2 metadata. This is not that big of a deal for my use case b/c the credentials only refer to a temporary account that only has the permissions to read metadata from cloudformation instances.
In general, I have concerns over whether capturing userdata with facter may potentially (and unexpectedly) expose a user's credentials in some cases.
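The report above describes IAM credentials embedded in a cloud-init bootstrap script reaching the inventory service because the raw EC2 userdata is exposed as a fact. The thread does not settle on a fix; the filter below is an added example, not Facter code and not anything proposed in this ticket. It is a plain Ruby function that could be applied to the userdata string before it is used as a fact value. The regular expressions are heuristics for the credential shapes named in the report (access key id, secret key, session token, and the cfn-init style --access-key/--secret-key options); the sample script is constructed for illustration and uses the placeholder credentials from the AWS documentation, not real keys.

```ruby
# Added example: redact AWS-style credentials from EC2 userdata before it is
# exposed as a fact. Not part of Facter; patterns are heuristics.

# Bare access key id shape (AKIA... for long-term, ASIA... for temporary keys).
AWS_ACCESS_KEY_ID_RE = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/

# key=value / key: value / key="value" assignments for well-known credential
# names; group 1 keeps everything up to the value so the script stays readable.
CREDENTIAL_KV_RE = /(\b(?:aws_access_key_id|aws_secret_access_key|aws_session_token|
                      accesskeyid|secretaccesskey|sessiontoken)\b\s*[:=]\s*["']?)
                    ([A-Za-z0-9\/+=]{16,})/xi

# Command-line options as passed to cfn-init / the AWS CLI in bootstrap scripts.
CLI_OPTION_RE = /(--(?:access-key|secret-key|session-token))(\s+)([A-Za-z0-9\/+=]+)/

REDACTED = '[REDACTED]'.freeze

# Returns a copy of +text+ with credential values replaced; nil stays nil
# (Facter treats a nil fact value as "fact not present").
def redact_userdata(text)
  return nil if text.nil?
  out = text.dup
  out.gsub!(CREDENTIAL_KV_RE) { "#{$1}#{REDACTED}" }      # key=value forms
  out.gsub!(CLI_OPTION_RE)    { "#{$1}#{$2}#{REDACTED}" } # --option value forms
  out.gsub!(AWS_ACCESS_KEY_ID_RE, REDACTED)               # anything left bare
  out
end

# True when any of the heuristics still fires; useful as a final check before
# a value is handed to the inventory service, or as a detection hook on its own.
def contains_credentials?(text)
  return false if text.nil?
  [CREDENTIAL_KV_RE, CLI_OPTION_RE, AWS_ACCESS_KEY_ID_RE].any? { |re| text.match?(re) }
end

# Constructed cloud-init bootstrap script using the AWS documentation's
# example (non-functional) credentials.
SAMPLE_USERDATA = <<~'SCRIPT'
  #!/bin/bash
  export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  /opt/aws/bin/cfn-init --stack example-stack --resource WebServer \
    --access-key AKIAIOSFODNN7EXAMPLE --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  echo "bootstrap done"
SCRIPT

if __FILE__ == $PROGRAM_NAME
  puts "raw userdata contains credentials: #{contains_credentials?(SAMPLE_USERDATA)}"
  cleaned = redact_userdata(SAMPLE_USERDATA)
  puts "after redaction contains credentials: #{contains_credentials?(cleaned)}"
  puts cleaned
end
```

The filter keeps the key names and option names, so a user can still see from the fact that a bootstrap script set credentials, while the values themselves never leave the node. A pattern list like this will miss credentials in unusual formats, which is why contains_credentials? is kept as a separate check rather than trusting the redaction step alone.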
