mdb / concourse-consul-kv-resource

A Concourse resource for getting and setting values to and from Consul's KV store

the value is printed while doing a "get" #13

Open hriprsd opened 3 years ago

hriprsd commented 3 years ago

When I try to get a value from Consul, the entire value is printed in the pipeline, i.e. anyone can view it from the Concourse UI. Sample pipeline:

resources:

jobs:

UI Output: [screenshot]

This enables anyone (even without access to Consul) to view the KV stored in the Concourse UI.

mdb commented 3 years ago

@hriprsd I believe this is a duplicate of issue #12 (https://github.com/mdb/concourse-consul-kv-resource/issues/12), which I don't believe is a valid issue.

This enables anyone (even without access to Consul) to view the KV stored in the Concourse UI.

☝️ Regarding this point, I believe this is not entirely accurate, IIUC. I believe it's more accurate to say this allows anyone with an RBAC role that grants them viewing access (https://concourse-ci.org/user-roles.html) to view the K/V via the Concourse UI. Furthermore, this is also true of any other Concourse resource whose metadata is surfaced to Concourse.

As I asked in issue #12 (https://github.com/mdb/concourse-consul-kv-resource/issues/12) ...

Are you suggesting that concourse-consul-kv-resource prints the values of the Consul k/v pairs it tracks? If so, that is expected, no? If the k/v pairs are secrets, I would think they should be stored in a proper secrets manager, such as Vault (https://www.vaultproject.io/), and not fetched directly via the concourse-consul-kv-resource. Or am I misinterpreting?

☝️ Does this seem reasonable? Or am I mistaken or misunderstanding your use-case?
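The exposure discussed above comes from the Concourse resource protocol itself: whatever a resource's `in` script returns in its `metadata` list is rendered in the UI for every user whose role can view the pipeline. The following is an added example, not code from mdb's concourse-consul-kv-resource, of an `in` step that writes the fetched value to the input directory for downstream tasks but reports only the key name and a short SHA-256 fingerprint as metadata, beside the "print the raw value" variant the reporter observed. The key path, the `version` shape (`{"key": ...}`), the output file name `value` and the sample endpoint are all assumptions made for the example; talking to Consul is left out.

```python
"""Added example (not the project's code): a Concourse resource `in` step that
keeps the fetched Consul K/V value out of the build metadata.

Concourse calls a resource's `in` script with the destination directory as
argv[1] and a JSON object (`source`, `version`, `params`) on stdin; the script
writes files into that directory and prints JSON with `version` and an optional
`metadata` list of {"name", "value"} pairs. Everything in `metadata` is shown in
the Concourse UI to anyone whose role can view the pipeline. Fetching from
Consul is out of scope here; the value is passed in directly.
"""
import hashlib
import json
import os
import tempfile

# Constructed sample: a non-secret but internal endpoint a team may not want
# surfaced in the UI. The key path and the endpoint are assumptions.
SAMPLE_KEY = "teams/payments/config/endpoint"
SAMPLE_VALUE = "https://payments-internal.example.test:8443"


def build_in_output(key, value, version, dest_dir, redact=True):
    """Write `value` to <dest_dir>/value and return the `in` JSON document.

    redact=True  -> metadata carries the key name and a 16-hex-char SHA-256
                    fingerprint: enough to tell builds apart, useless to an
                    onlooker.
    redact=False -> metadata carries the raw value, i.e. the behaviour the
                    issue reporter observed.
    """
    os.makedirs(dest_dir, exist_ok=True)
    with open(os.path.join(dest_dir, "value"), "w", encoding="utf-8") as fh:
        fh.write(value)
    metadata = [{"name": "key", "value": key}]
    if redact:
        fingerprint = hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]
        metadata.append({"name": "sha256", "value": fingerprint})
    else:
        metadata.append({"name": "value", "value": value})
    return {"version": version, "metadata": metadata}


def value_visible_in_ui(in_output, value):
    """True if the raw value would reach the UI through the metadata list."""
    return any(value in str(m.get("value", "")) for m in in_output["metadata"])


def demo(redact=True):
    """Run the step on the constructed sample in a fresh temp dir and return
    (in_output, text_written_to_disk)."""
    dest = tempfile.mkdtemp(prefix="consul-kv-in-")
    out = build_in_output(SAMPLE_KEY, SAMPLE_VALUE, {"key": SAMPLE_KEY}, dest, redact)
    with open(os.path.join(dest, "value"), encoding="utf-8") as fh:
        on_disk = fh.read()
    return out, on_disk


if __name__ == "__main__":
    for redact in (False, True):
        out, _ = demo(redact)
        print("redacted" if redact else "leaky", json.dumps(out))
        print("  value visible in UI:", value_visible_in_ui(out, SAMPLE_VALUE))
```

The value still lands on disk in the resource's input directory, which is where a downstream task should read it; the change only removes it from what the UI renders for the `get` step. Two caveats worth keeping in mind: a task that echoes the file into its own output will put the value in the build log, which the same viewers can read, and a fingerprint in metadata does not help with secrets, which belong in a credential manager (Vault, as suggested above) and are referenced with Concourse's `((var))` syntax rather than fetched by a resource at all.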

hriprsd commented 3 years ago

Hey! Thanks for your response. The config should not have secrets, correct. But maybe a config has some endpoints etc. which I don't want others (other teams) to know. I might be talking of a one-off case, but can that possibility be considered please? I am new to all this; my question might be silly, please excuse.

On Mon, 8 Feb 2021, 19:31 Mike Ball (notifications@github.com) wrote: [quoted copy of mdb's comment above, omitted]