[ZBXNEXT-2957] Ability to mask macros in the frontend
Created: 2015 Sep 15  Updated: 2024 Apr 10  Resolved: 2020 Mar 16

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: 2.2.10, 2.4.6, 3.0.0alpha2
Fix Version/s: 5.0.0alpha3, 5.0 (plan)

Type: New Feature Request Priority: Trivial
Reporter: Raymond Kuiper Assignee: Roberts Lataria (Inactive)
Resolution: Fixed Votes: 32
Labels: macros, security

Attachments: After_5_lines.png, after_max_lines.png, before_5_lines.png, before_max_lines.png, exposing_hidden_macro_value.gif, hiding_macros.gif, item_name_unhidden_macro.gif, item_test_secret_macro.gif, lost_secret_value.gif, menu_allocation.gif, reset_secret_macro.gif, resize_new_macro.gif, resize_on_type_change.gif, revert_unsaved_macro.gif
Issue Links:
Causes
Duplicate
Sub-task
Sub-Tasks:
Key | Summary | Type | Status | Assignee
ZBXNEXT-5708 | Ability to mask macros (backend) | Specification change (Sub-task) | Closed | Andris Zeila
Team: Team D
Sprint: Sprint 60 (Jan 2020), Sprint 61 (Feb 2020), Sprint 62 (Mar 2020)
Story Points: 3

 Description   

Sometimes, macros are used to store sensitive information like passwords or shared keys (think VMware, Telnet, SNMP).

When viewing the macros that are configured on a host these are put on screen without any masking. This would allow someone looking over your shoulder to easily spot these secrets. This is even more of a risk in 3.0 where we will be seeing all inherited macros as well.

To prevent this scenario, I would like to be able to specify if a macro should be masked in the frontend, perhaps via a checkbox. To see the macro value one should click on an 'unveil' button or icon.



 Comments   
Comment by Marc [ 2015 Sep 15 ]

ZBXNEXT-2461 asks for an option to hide values of input fields dedicated to sensitive information.

Comment by Marc [ 2015 Sep 15 ]

Personally, I'd rather like to see something like ZBXNEXT-1660 instead.

Comment by Raymond Kuiper [ 2015 Sep 15 ]

Marc, I agree. However ZBXNEXT-1660 has MAJOR impact and a lot of development work!

ZBXNEXT-2461 is indeed related, but I'm specifically asking for this functionality in the 'Macros' section of host and template configs and global macros section as we tend to put secrets in macros and not specify them directly on a host.

ZBXNEXT-2957 could be implemented quite quickly in my opinion, we only have to assign a 'mask' flag to the macros in the database and add some GUI elements in the frontend.
This simple change will allow me to work more comfortably in an open space office, train or other (semi-)public place without having to worry about this stuff being visible. Heck, it's even useful for ad-hoc demos at customers.

* Like I mentioned before, I'm especially worried about 3.0 as that would also list global macros in the host macro configuration. *

Comment by Slava Nazin [ 2018 Feb 12 ]

We need the ability to hide global macros too. Just imagine that you can give read-write permissions to only one host group for some users. And they can see all of the global macros in your Zabbix installation in the "inherited and host macros" menu. So we can't use them (global macros) for ids/passwords for some connections (JMX etc.).

Comment by James Howe [ 2019 May 28 ]

Note that macro values appear everywhere that any key using them appears.

That includes most pages in the UI, message actions, etc.

Comment by Aigars Kadikis [ 2019 Sep 12 ]

Some deeper vision of the solution to this problem is mentioned in PS-664.

Comment by Alexei Vladishev [ 2020 Jan 24 ]

It is highly likely that this functionality will be implemented in Zabbix 5.0, stay tuned!

Comment by Roman Rajniak [ 2020 Jan 27 ]

Also, a new addition to the macros table structure could be evidence of ownership for each macro, to control Read or Read/Write of the macro value, like in the implementation of ownership/sharing of dashboards, maps, ...

Comment by Roberts Lataria (Inactive) [ 2020 Feb 14 ]

Resolved in development branch feature/ZBXNEXT-2957-4.5.

Comment by Roberts Lataria (Inactive) [ 2020 Mar 11 ]

Available in:

Comment by Roberts Lataria (Inactive) [ 2020 Mar 15 ]

Documentation updated:

Comment by sbindley [ 2020 Apr 13 ]

I'm using 5.0alpha4 and testing against some Python scripts I use for LLD. I'm trying to get the userid/password I set as global macros, and I'm seeing that the value field is not returned by the API if the macro is set to secret text. Is there a new flag in the API we can set for macro.get to retrieve the value?

Comment by Roberts Lataria (Inactive) [ 2020 Apr 14 ]

Hello. No, the API does not have a special flag to retrieve a secret macro value.

Generated at Thu Apr 25 03:25:20 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.