ceph-salt

Give users the option of not exporting the SSH private key

Open smithfarm opened this issue 4 years ago • 2 comments

There are two use cases for "ceph-salt export". The first use case is: "I want to export the configuration so I can import it later". The second is: "I want to export the configuration so I can examine it later".

The former use case ("for import") requires that the export be complete, including the SSH private key. The latter use case is for examination by humans, who do not need to see the SSH private key.

Since giving one's SSH private key to other humans is considered "unsafe", it makes sense to implement an option to "ceph-salt export" that would "expurgate" (omit) the SSH private key. Instead of:

    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAruZlmrGkAiI6e4LcdiA0q5W+pbJKkRUMMz
LvsH9P6XC7/8D8\nmiFmYHbFN9sYQIrr1sYUjY5+nLV2vuJAKP0eAmwBI4k+142HYyxaSWEOuf8m3dtK\naQz69Cfwf+qpg1fq/0Gh2
LzFi8BFNHIZD4lW7SrC/9c0BkmQ4NxFjO7rmUn/s0tB\nzaV4s/NzUY8b9tAu5+UA3MJjUK2g56kPZaO2DlyG/5IqQnVn/N46Aoye3j
jmxtjc\n8Ui0Pefayu+nwPcciD7EgRyLNvs3Haqvq0jTurRyGnaAys1tVrRrzHtWngXLbUxA\nM3bAx8AqItPGfs9gX5ukLS3nzUEOZ
wQ83rbrKQIDAQABAoIBAE7eZHjynCO+LaMe\nqq217ipl11e+43MzC5JW6NEtR+rbxFsbOo2CfDkJtftvGCuauajbH8+JrzyZc9e2\n
DPqu0YaED6tnq2fmUWP+TySB2PM0xOEMjyx6Bvxsuj3kotYwoi7C+OnUjjxr0olI\n3lYsN3+xZcea0sH3EJblnZNk9ebkQcqE6RTyW
QEIg0mIBDath/XSh6CD4Ae2oL45\nWfRLmWAtZZm3ckQoCE0FUDQfjOmn5vmnMamvboGKdCvOLEUmvv6W03AspvSAmhaq\nVNkLxvLi
3GlloDkFKw0WuN19INkulTyLH3m8c4UV3G5J3bCsa/jeAkSYELeDb8M5\nZytudoUCgYEA0btrq0s1GDTgMrKYIHbP2FtCD4B9kGHsf
4WAktLbanpLuXLZJ9R+\nMAt/MfkMlrV4NTEQx2bfxaIF/YPICeP7R/aibD10F21d4kAND+ExiVXUNQAc09qi\njWQzn0ue6SyHA4nB
neJuag8hd4jJ4sM6DkMkThBfJ4AOIAmkJNUgqyMCgYEA1XvW\nylaCGcO6m3aT+S5eeb3cVgRkoKjcRkB8j/Z/yzQYyqWVWLXlTPu+U
xWah6RZd487\nONmDnoitltmxksxrymemzwjUst/fQ7zgeeWUfQUhzUTh4u8ZPwYJ7wndnIDkrExI\nwZ1xu2QWwQyfUPPK6wjl4Eo6
+f8vG81PO8M760MCgYEAqRVDCTa5mElQki6/TDTc\n/Z0c1eiN0i/P/ULA1B2f/OiZUenQPjcmgE9UfRI+XuXwAloLH+bE8szbrXVneOnO\ndEbWzRKCHDz0mmlu3mV7jS+fxBbSJs21jO3CXGMXuv5F3slZSZL51xFZtseVkvY3\nQLZKd5DlVa/8M0HyjiswiicCgYA9RPqDPcq/DD6tSZ30YQt6UzQ+d6pNtcjqXK2j\nP7KzpjMLTfSL7kBuFL4t6EBed5u5xaDQkxTEViPD7JybLhItmAv21Wj+IWRZc4bV\nVT+Flgh6ei9+SvLq9Je7RBCXTyLSFF65Oq+egX5KT44V1LJDPF2FPqiogUWK7CS2\nWTUEMwKBgCfzNARwAfOQBgRLqygFlztUwklBGOD806uVeqVpSKp/abznfLnP8gE8\nU/5sZihpfL0b2S1N3AoXS/wxUAYKM/7qW3Cb8a1xvIhKjXVy0gMf2TWiqB2Yt4tw\na6OGXFkHorMA641iNNA2nG++OXEhZO2O2GTKOBMpEEqVcIa2SrCl\n-----END RSA PRIVATE KEY-----",

it would say:

    "private_key": "EXPURGATED"

The option could be called either --safe or --expurgate.

UPDATE: it should expurgate password: too.

smithfarm, Jul 03 '20 11:07

A little bird just chirped into my ear that supportconfig already tries to handle this: https://github.com/SUSE/supportutils-plugin-ses/blob/master/ses#L296-L299

But I think it still makes sense to give users this option. It will make users feel safer, and make the supportutils-plugin-ses code easier to read, at the same time.

smithfarm, Jul 03 '20 11:07

jq -r '.private_key' ceph-salt_config.yaml?

sebastian-philipp, Nov 26 '20 10:11
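
Added example, not part of the issue thread or of ceph-salt's code: one way the proposed option could expurgate `private_key` and `password` wherever they appear in an export, with a guard so that a redacted export is not mistaken for an importable one. The function names and the nesting of the sample export are assumptions made for illustration.

```python
import json

SENSITIVE_KEYS = frozenset({"private_key", "password"})  # fields named in the issue
PLACEHOLDER = "EXPURGATED"                               # marker proposed in the issue


def expurgate(node, sensitive=SENSITIVE_KEYS):
    """Return a copy of `node` with every sensitive value replaced.

    Recurses through dicts and lists; None stays None so "not set" is visible.
    """
    if isinstance(node, dict):
        return {
            key: PLACEHOLDER
            if key in sensitive and value is not None
            else expurgate(value, sensitive)
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [expurgate(item, sensitive) for item in node]
    return node


def is_importable(node, sensitive=SENSITIVE_KEYS):
    """False if any sensitive field holds the placeholder (export was 'safe')."""
    if isinstance(node, dict):
        return all(
            not (key in sensitive and value == PLACEHOLDER)
            and is_importable(value, sensitive)
            for key, value in node.items()
        )
    if isinstance(node, list):
        return all(is_importable(item, sensitive) for item in node)
    return True


# Constructed sample; the nesting is hypothetical, not ceph-salt's real layout.
SAMPLE_EXPORT = {
    "ssh": {
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----",
        "public_key": "ssh-rsa CONSTRUCTED root@example",
    },
    "dashboard": {"username": "admin", "password": "constructed-password"},
    "registries": [{"registry": "registry.example", "password": None}],
}

if __name__ == "__main__":
    print(json.dumps(expurgate(SAMPLE_EXPORT), indent=4, sort_keys=True))
```

Checking `is_importable` before an import keeps the two use cases apart: an export made for examination is rejected instead of silently installing the placeholder as a key.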