
yahoo-eng-team team mailing list archive

[Bug 1931392] [NEW] sensitive metadata and jinja templates

 

Public bug reported:

The documentation doesn't explain well how to use sanitized metadata
(that will show up in instance-data-sensitive.json rather than
instance-data.json) with jinja templates inside user-data. As far as I can
see, it doesn't work. The source code mentions two magic keys that are
sanitized: "merged_cfg" and "security-credentials". Defining variables
with these names inside meta-data correctly sanitizes them and only puts
them inside files readable by root; however, they then don't work
inside user-data as jinja templates (as
"{{ds.meta_data.security-credentials}}", for example), they are instead
replaced by CI_MISSING_JINJA_VAR. Using differently named variables makes
the template work, but they aren't sanitized in the logs/runtime files.

In what way, if any, is this supposed to work? Should I instead just
chmod the relevant log/runtime files through an entry in bootcmd?

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1931392


To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1931392/+subscriptions
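The split the report describes, one world-readable instance-data.json with sensitive values replaced and one root-only instance-data-sensitive.json with the full data, is easy to reason about with a small stand-alone model. The following is an added example, not cloud-init's own code: it re-implements the redaction walk for the two key names the report quotes, writes both files with the two different modes, and then runs the check an operator would want on a booted instance, namely that the sensitive file is not readable by non-root and that no value under a sensitive key survives anywhere in the public file. The placeholder string, the `sensitive_keys` list, the scratch directory and the sample metadata are this example's own constructions and only mirror cloud-init's layout; check them against the version you run.

```python
import json
import os
import stat
import tempfile

# The two keys the bug report names as sanitized by cloud-init.
SENSITIVE_KEYS = ("merged_cfg", "security-credentials")
# Placeholder written into the public file in place of a sensitive value.
# Assumed wording for this example; cloud-init's exact text may differ.
REDACTED = "redacted for non-root user"


def redact(obj, path=""):
    """Return (redacted_copy, sensitive_paths).

    Any key in SENSITIVE_KEYS, at any depth, has its whole value replaced by
    REDACTED; its slash-separated path is recorded so an auditor can find the
    original value in the sensitive file later.
    """
    if isinstance(obj, dict):
        out, found = {}, []
        for key, value in obj.items():
            here = f"{path}/{key}" if path else key
            if key in SENSITIVE_KEYS:
                out[key] = REDACTED
                found.append(here)
            else:
                out[key], sub = redact(value, here)
                found.extend(sub)
        return out, found
    if isinstance(obj, list):
        out, found = [], []
        for index, value in enumerate(obj):
            item, sub = redact(value, f"{path}/{index}")
            out.append(item)
            found.extend(sub)
        return out, found
    return obj, []


def write_instance_data(run_dir, data):
    """Write the world-readable and the root-only variant the report describes.
    Only the modes are set (the example need not run as root to change owner)."""
    public, paths = redact(data)
    public["sensitive_keys"] = paths          # tells the audit what to look for
    full = dict(data, sensitive_keys=paths)
    public_path = os.path.join(run_dir, "instance-data.json")
    sensitive_path = os.path.join(run_dir, "instance-data-sensitive.json")
    for file_path, payload, mode in ((public_path, public, 0o644),
                                     (sensitive_path, full, 0o600)):
        with open(file_path, "w") as fh:
            json.dump(payload, fh, indent=2, sort_keys=True)
        os.chmod(file_path, mode)             # explicit, so umask cannot widen it
    return public_path, sensitive_path


def lookup(obj, path):
    """Follow a slash-separated path produced by redact()."""
    for part in path.split("/"):
        obj = obj[int(part)] if isinstance(obj, list) else obj[part]
    return obj


def leaf_strings(obj):
    """Yield every scalar leaf as a string, for substring matching."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from leaf_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from leaf_strings(value)
    elif obj is not None:
        yield str(obj)


def audit(public_path, sensitive_path):
    """Return a list of findings (empty means the split holds): the sensitive
    file must not be group/world readable, and no leaf value of a sensitive key
    may appear anywhere in the public file's text."""
    findings = []
    mode = stat.S_IMODE(os.stat(sensitive_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{sensitive_path}: mode {oct(mode)} is readable by non-root")
    with open(sensitive_path) as fh:
        full = json.load(fh)
    with open(public_path) as fh:
        public_text = fh.read()
    for path in json.loads(public_text).get("sensitive_keys", []):
        for leaf in leaf_strings(lookup(full, path)):
            if len(leaf) >= 4 and leaf in public_text:   # skip trivial tokens
                findings.append(f"{public_path}: value of {path} leaks as {leaf!r}")
    return findings


# Constructed sample metadata for the example; not taken from any real instance.
SAMPLE = {
    "v1": {"instance_id": "i-example0001", "cloud_name": "example"},
    "ds": {"meta_data": {"hostname": "web01",
                         "security-credentials": {"token": "EXAMPLE-TOKEN-not-real"}}},
    "merged_cfg": {"users": ["ops"], "password": "EXAMPLE-PASSWORD-not-real"},
}


def demo():
    """Write both files to a scratch directory, audit them, then loosen the
    sensitive file's mode and audit again. Returns (clean_findings, loose_findings)."""
    run_dir = tempfile.mkdtemp(prefix="cloud-init-example-")
    public, sensitive = write_instance_data(run_dir, SAMPLE)
    clean = audit(public, sensitive)
    os.chmod(sensitive, 0o644)   # the misconfiguration the audit should catch
    return clean, audit(public, sensitive)


if __name__ == "__main__":
    clean, loose = demo()
    print("sensitive paths:", redact(SAMPLE)[1])
    print("clean findings:", clean or "none")
    print("after chmod 644:", loose)
```

One point worth checking separately, stated as a general Jinja2 fact and not as a diagnosis of the reporter's case: Jinja2 parses `{{ ds.meta_data.security-credentials }}` as the subtraction `ds.meta_data.security - credentials`, because a hyphen cannot appear in an attribute name; hyphenated keys are addressed with subscript syntax, `{{ ds.meta_data['security-credentials'] }}`. Whether the sanitized values are exposed to the user-data renderer at all is a separate question that this report does not settle, so verify it on the cloud-init version in use before relying on either file for secrets.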

