Problem:
We’ve found that, while using smart class variables, a user who does not have access to view the key/value pairs in the Foreman UI can view the plain text version of the ‘secrets’ without any sort of authentication by viewing the node’s YAML file using the Foreman UI.
For example, if I, as an admin, log into our Foreman UI, create a smart class parameter and apply that parameter to a class and a node:
Someone without any Foreman role, or even a login, cannot view the UI.
https://<our_foreman_host>/variable_lookup_keys
returns the login authentication page.
But that same person can access a node that has that Puppet class and see the plain text results of the smart class parameter secret, even if it’s hidden, just by accessing the node’s YAML:
https://<our_foreman_host>/hosts/<example_node>/externalNodes?name=<example_node>
Expected outcome:
The YAML should not be available for viewing the smart class secrets without authentication.
Foreman and Proxy versions:
Version 1.15.3
Other relevant data:
Node YAML example:

```yaml
---
classes:
  test_erb:
parameters:
  puppetmaster: ''
  domainname: ----
  organization: General
  organization_title: General
  root_pw:
  foreman_env: dev_erb_test
  owner_name: ----
  owner_email: ----
  ssh_authorized_keys: []
  foreman_users:
    admin:
      firstname: ----
      lastname: -----
      mail: -----
      description: ''
      fullname: ----
      name: ----
      ssh_authorized_keys: []
  foreman_subnets: []
  foreman_interfaces:
  - ip:
    ip6:
    mac:
    name: <example_node>
    attrs: {}
    virtual: false
    link: true
    identifier: ethernet0 2
    managed: true
    primary: true
    provision: true
    subnet:
    subnet6:
    tag:
    attached_to:
    type: Interface
  foreman_config_groups: []
  param_erb_test: test123   # bolded in the original post: the smart variable value
environment: dev_erb_test
```
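As an added self-check (not code from the original post or from the Foreman project), the script below makes the same anonymous request described above against your own Foreman host and reports whether the ENC endpoint is protected or exposed. The function names, the sample response body and the assumption that Foreman's login page lives at /users/login are mine.

```python
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

def classify_enc_response(status, headers, body):
    """Return 'protected' (login redirect or 401/403), 'exposed' (200 with the
    ENC YAML, so smart variable values are readable anonymously) or 'unknown'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307) and "/users/login" in hdrs.get("location", ""):
        return "protected"
    # Top-level 'classes:'/'parameters:' keys identify the ENC document itself.
    if status == 200 and re.search(r"^(classes|parameters):", body, re.MULTILINE):
        return "exposed"
    return "unknown"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the redirect itself is the evidence we want.
    def redirect_request(self, *args, **kwargs):
        return None

def fetch_enc_unauthenticated(base_url, node):
    """GET the node's ENC YAML with no cookies or credentials; returns (status, headers, body)."""
    url = f"{base_url.rstrip('/')}/hosts/{quote(node)}/externalNodes?name={quote(node)}"
    req = urllib.request.Request(url, headers={"Accept": "text/yaml"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 302/401/403/404 all land here
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")

# Constructed sample of an exposed response (mirrors the post's YAML; values are placeholders).
SAMPLE_EXPOSED_BODY = """---
classes:
  test_erb:
parameters:
  foreman_env: dev_erb_test
  param_erb_test: test123
environment: dev_erb_test
"""

if __name__ == "__main__":
    base, host = sys.argv[1], sys.argv[2]  # e.g. https://foreman.example.com node.example.com
    verdict = classify_enc_response(*fetch_enc_unauthenticated(base, host))
    print(f"{host}: ENC endpoint is {verdict}")
```

Run it from a machine that is not a registered smart proxy or Puppet master, since Foreman's Auth settings can allow the ENC endpoint for those hosts by source address while still denying everyone else; an "exposed" verdict from an unrelated network location is the condition the post describes.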