Passwords visible in parameters of deployed VM

Problem:
Hey, we’re using Foreman, and when a user deploys a VM, they can go to parameters, and where we use passwords there are hidden fields: ‘****’. But the user can click the pencil to edit and this will reveal the password. Please refer to the screenshot.

Expected outcome:
Parameters (especially passwords) should only be allowed to be overridden and never be revealed.
This is how it is done elsewhere in Foreman.

Foreman and Proxy versions:
3.7.0

This is the issue: deploy a VM, navigate to parameters and reveal passwords with the pencil icon.

This is the expected behaviour (like in the rest of Foreman):
Parameters cannot be viewed; they can only be overridden. Example: Create Host → parameters

@nofaralfasi Hey,
Not sure if they are related, but I guess this is even worse than the Ansible problem, as this is affecting all users (including those that do not use Ansible).

Hello Kalli,

The user can access hidden values only when they possess edit permissions. If the user lacks the ability to edit parameter values and is limited to viewing them, they won’t have access to hidden parameter values.

Thank you so much for getting back.
Thanks for the info; we will be extra careful with permissions on this.

Still, I believe it would be a huge improvement from a security perspective if it were done the same way as when deploying a machine: the permission holder can overwrite, but never view the original password.
It would also make the product more consistent (I think this is how it works everywhere else: parameter config for host groups, etc., where even the admin cannot see them, only overwrite).

Would you consider this improvement request? Feature request?

Thank you so much!


Given that we store the parameter values as they are in the database (not encrypted), even with the suggested implementation, users may still find alternative ways to retrieve these values. To address this, a fundamental change in how we store these values is required. While you can open an RFE for this, it’s important to note that this is a significant change, and we cannot guarantee when or if it will be prioritized for implementation.