puppet-zabbix

Manage resources leaks API password in resource types

Open Bouke opened this issue 7 years ago • 3 comments

Currently, the way zabbix_host is configured, it will inject $zabbix_api_pass into the resource with the property name zabbix_pass. This results in a password leak when Puppet reports / resources can be inspected by third parties. In our setup, we run puppetboard without authentication. Other packages don't put clear text passwords in reports and resources, so this setup mostly works for us.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.4
  • Ruby: ?
  • Distribution: Ubuntu 16.04
  • Module version: 4.1.3

How to reproduce (e.g. Puppet code you use)

What are you seeing

When running the following PQL, the result includes the API credentials:

resources { type = "Zabbix_host" }

What behaviour did you expect instead

No passwords being logged.

Any additional information you'd like to impart

Other modules (e.g. puppetlabs/mongodb) write the credentials to a file (~/.mongorc.js). This way, there's no need to communicate the credentials through the resources.

Bouke avatar Aug 25 '17 14:08 Bouke
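
A check for the exposure described in this issue, added here as an example (not code from the puppet-zabbix module or from the thread participants): it scans the JSON result of a PuppetDB resource query for secret-named parameters that hold cleartext strings. The sample records, host names, the `group` parameter and the name pattern are constructed assumptions; only `Zabbix_host` and `zabbix_pass` come from the issue.

```ruby
require 'json'

# Parameter names that usually carry credentials (assumed pattern; extend for your modules).
SECRET_NAME = /pass(word|wd)?|secret|token|api_?key/i

# Constructed sample shaped like a PuppetDB resources query result
# (certname / type / title / parameters). All values are placeholders.
SAMPLE_RESOURCES = <<~JSON
  [
    {"certname": "web01.example.test", "type": "Zabbix_host", "title": "web01.example.test",
     "parameters": {"group": "Linux servers", "zabbix_pass": "CONSTRUCTED-PLACEHOLDER"}},
    {"certname": "web01.example.test", "type": "File", "title": "/etc/motd",
     "parameters": {"ensure": "file", "mode": "0644"}},
    {"certname": "db01.example.test", "type": "Zabbix_host", "title": "db01.example.test",
     "parameters": {"group": "Linux servers", "zabbix_pass": ""}}
  ]
JSON

# Returns one finding per secret-named parameter holding a non-empty string.
# The value itself is never copied into the finding, only its length,
# so the audit output does not become a second leak.
def find_cleartext_secrets(json_text)
  JSON.parse(json_text).flat_map do |res|
    (res['parameters'] || {}).filter_map do |name, value|
      next unless name.match?(SECRET_NAME)
      next unless value.is_a?(String) && !value.empty?

      { certname: res['certname'], resource: "#{res['type']}[#{res['title']}]",
        parameter: name, length: value.length }
    end
  end
end

# Groups findings by resource type so the offending types can be fixed at the source.
def summarize(findings)
  findings.group_by { |f| f[:resource].split('[').first }
          .transform_values { |fs| fs.map { |f| f[:parameter] }.uniq.sort }
end

if __FILE__ == $PROGRAM_NAME
  find_cleartext_secrets(SAMPLE_RESOURCES).each do |f|
    puts "#{f[:certname]} #{f[:resource]} #{f[:parameter]} (#{f[:length]} chars)"
  end
end
```

Feeding it the saved output of an unfiltered resource query covers every type, not only `Zabbix_host`.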

An alternative might be to use the Sensitive Data type: https://docs.puppet.com/puppet/4.6/lang_data_sensitive.html

juniorsysadmin avatar Sep 29 '17 06:09 juniorsysadmin

ccing @roidelapluie for comment

juniorsysadmin avatar Sep 29 '17 06:09 juniorsysadmin

Yes; immediately we should use the Sensitive data type, and in the next major release switch to an auth file.

roidelapluie avatar Oct 01 '17 18:10 roidelapluie