Possibility to fine-tune the scrubbing behaviour of OsEnvironmentVariableProvider?
thurse93 opened this issue · 6 comments
As the title says, could you provide a feature to customize the scrubbing behaviour OsEnvironmentVariableProvider / the scrub_secrets function? Even better: Is there a way to remove certain environment variables from the systemEnvironment dict alltogether?
Background: We are using Pyctuator in our CloudFoundry PaaS environment. CloudFoundry uses VCAP_SERVICES variables to provide service credentials via a JSON Blob. Of course, this cannot be scrubbed by the default implementation, so almost all of our sensible credentials are getting exposed via the Actuator Endpoints. We would prefer to just exclude VCAP_SERVICES from the exposed environment variables.
Hi @thurse93, I'm very glad to hear of your usage.
Of course it could be done, maybe by supporting a "block list", let me check (I have vague memory its already possible but need to dig a bit).
Michael
Hi,
I'm back... busy times.
I'm contemplating what's better:
- Allow to customize the behavior of the scrubber
- Allow to set your own scrubber
- Add some sort of "forbidden" keys/variables
Hi @michaelyaakoby,
oh, I can relate!
For our use case number three would be sufficient. In case of 1 and 2 in may be desirable to have some kind of scrubber chain or at least to have the option of building upon the current implementation during customization. I think the default scrubber works quite well and most of the time people want to add some functionality instead of revealing the already scrubbed secrets.
@michaelyaakoby Alright, so if I understand this correctly
a) you have the possibility to alter the keys being scrubbed by extending the pattern in the constructor
b) you have the possibility to define your own custom scrubber with a completely different behaviour
c) through inheritance you have the possibility to add custom scrubbing behaviour on top of the default scrubber
Sounds like a pretty good solution to me.
Released 0.18.1