Whitelisting of environment variables
mdeeks opened this issue · 9 comments
Environment variables often contain sensitive information like API keys and other secrets. It would be nice if there was a way to whitelist which environment variable values are allowed to be displayed. Displaying the variable name is probably fine in all cases, its the value that needs to be hidden (even when behind HTTP basic auth).
The other option is blacklisting but that makes it easy to miss things. Would it be possible to add this?
So the use-case is to limit exposure of various keys even though most of the people are trusted enough to view the node through psdash? If so, I agree, it makes sense.
I think I'd keep the default as it is though. But if a whitelist is given only the specified variables are listed with values.
I'll look into adding this as a PSDASH_ENVIRON_WHITELIST (or similar) configuration option that is a list of variable keys.
Yep, exactly what I meant. The default is probably what most people want. Only hide values when a whitelist is provided. Thanks for looking into this!
Also any chance on pushing a new release with your file based config option fixes?
Yupp, I'll add the whitelist option and and create a new release. Probably this weekend.
My paranoia module says that psdash traffic can be sniffed over WiFi in trusted networks,
@techtonik Sounds like a different topic. But it's up to the user to ensure that psdash and it's traffic is not available for untrused users. The web interface is available through HTTPS and traffic between agent nodes and the master node should be on an internal network.
Sounds fair.
And a new release has now been uploaded to pypi.
Thanks! I'll test this out tonight.