Secrets can be seen in UI Host details ( Hosts -> click on any host for details) -> Ansible -> Inventory

Problem:
i can see passwords, serial numbers by going to UI, any host details UI → Hosts → Ansible → Inventory
Expected outcome:
all parameters that are secret remain secret

Foreman and Proxy versions:
3.3.1

Foreman and Proxy plugin versions:

  • katello-4.5.0-1.el8.noarch
    |foreman-tasks|The goal of this plugin is to unify the way of showing task statuses across the Foreman instance. It defines Task model for keeping the information about the tasks and Lock for assigning the tasks to resources. The locking allows dealing with preventing multiple colliding tasks to be run on the same resource. It also optionally provides Dynflow infrastructure for using it for managing the tasks.|Ivan Nečas|6.0.2|
    |—|—|—|—|
    |foreman_acd|Foreman plugin to provide application centric deployment and self service portal|ATIX AG|0.9.3|
    |foreman_ansible|Ansible integration with Foreman|Daniel Lobato Garcia|7.1.4|
    |foreman_column_view|Displays an additional column in the Foreman Hosts view and/or additional entries in the Host show page|Greg Sutcliffe|0.4.0|
    |foreman_default_hostgroup|Adds the option to specify a default hostgroup for new hosts created from facts/reports|Greg Sutcliffe|6.0.0|
    |foreman_discovery|MaaS Discovery Plugin engine for Foreman|Aditi Puntambekar, alongoldboim, Alon Goldboim, amirfefer, Amit Karsale, Amit Upadhye, Amos Benari, Avi Sharvit, Bryan Kearney, bshuster, Daniel Lobato, Daniel Lobato Garcia, Daniel Lobato García, Danny Smit, David Davis, Djebran Lezzoum, Dominic Cleal, Dominik Matoulek, Eric D. Helms, Ewoud Kohl van Wijngaarden, Frank Wall, Greg Sutcliffe, ChairmanTubeAmp, Ido Kanner, imriz, Imri Zvik, Ivan Nečas, Jan Matusz, John Mazzie, Joseph Mitchell Magen, June Zhang, kgaikwad, Lars Berntzon, ldjebran, Leos Stejskal, Lukas Zapletal, Lukáš Zapletal, Marek Hulan, Marek Hulán, MariaAga, Martin Bačovský, Matt Jarvis, Michael Moll, Nick, odovzhenko, Ohad Levy, Ondrej Prazak, Ondřej Ezr, Ori Rabin, orrabin, Partha Aji, Petr Chalupa, Phirince Philip, Rahul Bajaj, Robert Antoni Buj Gelonch, Ron Lavi, Scubafloyd, Sean O’Keeffe, Sebastian Gräßl, Shimon Shtein, Shlomi Zadok, Stephen Benjamin, Swapnil Abnave, Thomas Gelf, Timo Goebel, Tomas Strych, Tom Caspy, Tomer Brisker, and Yann Cézard|21.0.1|
    |foreman_expire_hosts|A Foreman plugin that allows hosts to expire at a configurable date. Hosts will be shut down and automatically deleted after a grace period.|Nagarjuna Rachaneni and Timo Goebel|7.0.4|
    |foreman_hooks|Plugin engine for Foreman that enables running custom hook scripts on Foreman events|Dominic Cleal|0.3.17|
    |foreman_host_reports|Fast and efficient reporting capabilities|Lukas Zapletal|1.0.2|
    |foreman_ipam|Plugin for IPAM integration with various IPAM providers|Christopher Smith|0.1.0|
    |foreman_monitoring|Foreman plugin for monitoring system integration.|Timo Goebel|2.1.0|
    |foreman_openscap|Foreman plug-in for managing security compliance reports|slukasik@redhat.com|5.2.2|
    |foreman_remote_execution|A plugin bringing remote execution to the Foreman, completing the config management functionality with remote management functionality.|Foreman Remote Execution team|7.1.1|
    |foreman_snapshot_management|Foreman-plugin to manage snapshots in a virtual-hardware environments.|ATIX AG|2.0.1|
    |foreman_statistics|Statistics and Trends for Foreman gives users overview of their infrastructure.|Ondrej Ezr|2.0.1|
    |foreman_templates|Engine to synchronise provisioning templates from GitHub|Greg Sutcliffe|9.3.0|
    |foreman_webhooks|Plugin for Foreman that allows to configure Webhooks.|Timo Goebel|3.0.5|
    |katello|Katello adds Content and Subscription Management to Foreman. For this it relies on Candlepin and Pulp.|N/A|4.5.0|

Distribution and version:

Other relevant data:
I believe this issue comes from ansible plugin
image
when i drill open the _meta, i get to see all secrets we configured (ansible users etc)

I dont even know where to ask, haoppy to provide data etc

Hi,
AFAIK we don’t have feature for filtering inventory items in UI / API.

pinging @nofaralfasi We should add it to our backlog, having setting to filter which inventory items are (not) displayed by default would be useful for users. What do you think?

You’re not the only one asking about this.

I’m thinking about how we could implement it.
Will it be enough to create a user role to determine whether to display the entire inventory tab?
Or do we need to hide only specific values? (I’m not sure how complicated this implementation would be).

Hi Nofaralfasi,
@nofaralfasi Yes, as long as the inventory tab in ansible tab on host edit page can be hidden, it is good.
Just dont know which filter in roles filter we should use? Could you please help with identifying the correct filter to use? Thank you

Hey Tom,

Currently there is no filter for that purpose. We need to implement a new permission for that.
I opened a new issue for it here: Bug #36193: Secrets can be seen in UI Host details - Ansible - Foreman.

1 Like

I will be happy to get a solution. :slight_smile:
To me this is really a security breach.
I saw sensitive information in this tab.

Could you confirm these values come from parameters? Do you have parameters set as hidden value? I’m sure this is not the only place where these values can be seen, e.g. host edit form would reveal the values too. What is the permission set that your users, who shouldn’t see this, typically have? Do they also see the Foreman tasks? Where do you use these sensitive information if not in the ansible inventory? Perhaps provisioning templates? Do your users have access to editting any kind of template?

I think it would be great to hide the values in the inventory preview in case the parameter is defined as hidden. However if the user has access to the host object via view_hosts permission, I’d say they should be able to see all related information. The inherited parameters though need to be in the real inventory in the plain form. At the end, users could run ansible playbook that would just store the inventory content somewhere where they could read it.