Password_field still clear text and how to pass on to app?

In a recent update I saw mention of password_fields being encrypted. How does this work? I am running “ondemand-3.1.14-1”. When I set up a form field with “widget: password_field” I still see the password listed in clear text in the user_defined_context.json. Is there a way to prevent passwords that are entered from being leaked?

In a separate but related question, is there a way to pass information entered in a form to the user's environment before the job is executed via environment variable, output to a text file, or file descriptor? What I am trying to do is have information entered in a field that is then accessible by a prolog or Slurm SPANK plugin.

Thanks!
Steve

Yea I think you can use job_environment as a part of the script object in submit.yml.erb to issue sbatch with an environment variable.

Thanks, the job_environment may be handy for wrangling some of this. I have been playing around and having some luck simply adding some Ruby before the --- in the submit.yml.erb.

I do still see the password being listed in clear text in the user_defined_context.json. Is there a way to prevent this from being logged? At what point is this written? Would it be possible to unset this value before the .json file is written?

Thanks!

I would have to do some investigation on that point. I’m not sure, but I’ll try to get it patched soon.

Success!!?

This is still very much a work in progress and may still not totally fulfill the need. I will explain a bit more for others' curiosity.

What I am doing is reading a password in from my form.yml.erb like the following.

```yaml
lukspass:
  widget: password_field
  help: "Enter encrypted container password"
  label: "Encrypted File Container password"
  show_files: false
  cacheable: false
```

The issue is then getting this password into the app in a secure way. I had thought that setting cacheable false would help with this. In the job output folder the file user_defined_context.json still clearly lists the value of the password_field. It looks like this is populated by batch_connect in the submit.yml.erb. The following is the top of my submit.yml.erb before batch_connect.

```erb
<%
require 'fileutils'

# Define keyfile path in user's home directory
keyfile_path = File.join(Dir.home, ".keyfile")

# Set this for later use
ENV['LUKSPASS_FILE'] = keyfile_path

# Make sure the parent directory exists
FileUtils.mkdir_p(File.dirname(keyfile_path))

# Write the password from the form to the keyfile
File.open(keyfile_path, 'w') do |f|
  f.puts lukspass
end

# Set secure permissions: user read/write only
File.chmod(0600, keyfile_path)

# Overwrite and clear lukspass
lukspass.replace("X" * lukspass.length) if lukspass.respond_to?(:replace)
lukspass = nil

# Optionally trigger garbage collection (not guaranteed, but helpful)
GC.start
%>

batch_connect:
```

I now see that it is at least being obscured in the user_defined_context.json.

```
$ grep lukspas user_defined_context.json
"lukspass": "XXXXXXXXX",
```

From here the resulting password can be used by a Slurm SPANK plugin. This may still not be the best way of going about this but may be handy if anyone is running into a similar situation and would like to prevent things from being written in clear text.
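
An added example (not code from the thread or from Open OnDemand) of the same keyfile-and-mask approach with two additions: the keyfile is created with mode 0600 from the start rather than chmod-ed after the write, and a check confirms the cleartext no longer appears in the serialised context. The helper names, the sample secret and the `context` hash standing in for the form context are constructed for illustration; that Open OnDemand serialises the same String object is an assumption consistent with the masked output above.

```ruby
require 'json'
require 'tmpdir'

# Hypothetical helper (not part of Open OnDemand): create the keyfile with
# mode 0600 from the first byte instead of chmod-ing it after the write.
def write_keyfile(path, secret)
  tmp = "#{path}.#{Process.pid}.tmp"
  # CREAT|EXCL fails if tmp already exists, so a planted file or symlink is not reused.
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(0o600)            # exact mode even under an unusual umask
    f.puts secret
  end
  File.rename(tmp, path)      # atomic replace on the same filesystem
  path
end

# Mask the value in place. Every holder of this String object sees the mask;
# `value = nil` alone would only drop the local name.
def scrub!(value)
  value.replace('X' * value.length)
end

# Keys of a context JSON document whose value still contains the secret.
def leaked_keys(json_text, secret)
  JSON.parse(json_text).select { |_key, val| val.to_s.include?(secret) }.keys
end

# Constructed sample: `context` stands in for the form context that is later
# serialised to user_defined_context.json (assumed to share the String object).
def demo
  Dir.mktmpdir do |dir|
    lukspass = +'s3cret-demo'
    context  = { 'lukspass' => lukspass, 'cluster' => 'demo' }
    before   = leaked_keys(JSON.generate(context), 's3cret-demo')
    keyfile  = write_keyfile(File.join(dir, '.keyfile'), lukspass)
    scrub!(lukspass)
    { before: before,
      after: leaked_keys(JSON.generate(context), 's3cret-demo'),
      mode: File.stat(keyfile).mode & 0o777,
      stored: File.read(keyfile),
      masked: context['lukspass'] }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Running `leaked_keys` against the real user_defined_context.json, using the contents of the keyfile as the secret, gives a repeatable check that the mask took effect before the file was written.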