From b1cbf7c9dd33c4327efb6058a3e9c92cc2051422 Mon Sep 17 00:00:00 2001
From: John Mulligan
Date: Sat, 6 Jul 2024 14:00:29 -0400
Subject: [PATCH] mgr/smb: filter out password fields in sqlite store

Currently, all of ceph orchestration stores sensitive data in the mon config-key store. Keep doing that by eliding passwords in the sqlite store but retaining them in the mon based store. Perhaps, in the future we can even use a 'vault' type store for even better sensitive info retention.

Signed-off-by: John Mulligan
---
 src/pybind/mgr/smb/sqlite_store.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/pybind/mgr/smb/sqlite_store.py b/src/pybind/mgr/smb/sqlite_store.py
index 501bb9128eb..23efbd894ca 100644
--- a/src/pybind/mgr/smb/sqlite_store.py
+++ b/src/pybind/mgr/smb/sqlite_store.py
@@ -479,6 +479,13 @@ class MirrorJoinAuths(Mirror):
 def __init__(self, store: ConfigStore) -> None:
 super().__init__('join_auths', store)

+ def filter_object(self, obj: Simplified) -> Simplified:
+ """Filter join auth data for sqlite3 store."""
+ filtered = copy.deepcopy(obj)
+ if 'auth' in filtered:
+ filtered['auth'].pop('password', None)
+ return filtered
+

 class MirrorUsersAndGroups(Mirror):
 """Mirroring configuration for objects in the users_and_groups namespace."""
@@ -486,6 +493,16 @@ class MirrorUsersAndGroups(Mirror):
 def __init__(self, store: ConfigStore) -> None:
 super().__init__('users_and_groups', store)

+ def filter_object(self, obj: Simplified) -> Simplified:
+ """Filter join users and groups data for sqlite3 store."""
+ filtered = copy.deepcopy(obj)
+ for user in filtered.get('values', {}).get('users', []):
+ # retain the key, to have the capability of knowing it was part of
+ # this row, but remove the value from this object
+ if 'password' in user:
+ user['password'] = ''
+ return filtered
+

 def _tables(
 *,
--
2.39.5
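Review bot: In `MirrorJoinAuths.filter_object`, `filtered['auth'].pop('password', None)` runs whenever the `auth` key exists, so an object carrying `'auth': None` or any other non-dict value would raise `AttributeError` during mirroring; whether the simplified form can contain that is not visible in this hunk. A guard such as `auth = filtered.get('auth')` followed by `if isinstance(auth, dict): auth.pop('password', None)` avoids it. The chained `.get('values', {}).get('users', [])` in `MirrorUsersAndGroups.filter_object` has the same weakness when `values` or `users` is present but `None`. Neither hunk adds `import copy` and the diffstat shows no other insertions, so both methods rely on the module already importing it, which is worth confirming. The two filters also disagree: this one drops the key while the other keeps it with an empty value, so the sqlite view cannot tell whether a join auth has a password set.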
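Review bot: The filter in `MirrorUsersAndGroups.filter_object` (and likewise the one in `MirrorJoinAuths`) only affects objects written after this change; nothing in the patch rewrites rows mirrored earlier, so if the sqlite tables were already populated, previously stored passwords would presumably remain until each object is next saved. A one-time re-mirror or scrub on upgrade would close that gap. The filter is also a deny-list on the single key `password`, so a secret-bearing field added to these resources later would reach sqlite unless this method is updated; a unit test asserting that no password value survives `filter_object` for both mirrors would pin the intent. The docstring looks copied from the join-auth class; `"""Filter users and groups data for sqlite3 store."""` reads correctly.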