Feature Request: Extensible "Description" property on [SecretInformation] #46
Comments
|
Issue-Label Bot is automatically applying the label Links: app homepage, dashboard and code for this bot. |
|
Implemented 'Description' registry field in preview6. |
|
@PaulHigin Unless I'm missing something your commit is about adding a description field to the Vault. I'm talking about adding an extensible property to SecretInformation so additional metadata about the secret can be provided and users can consume/filter/sort based on those properties rather than just the name, so I think this should be reopened. |
|
Yes, thanks. Not sure what I was thinking except it seemed to make sense for vault info as well. What I had in mind was to add a string 'Description' field to the secret meta data. I don't want to add an 'object' type field as that makes it difficult to store. Another option is to add a 'Tags' field that takes a string array. Either would help sorting. Right now I am leaning toward the Description field as 'Tags' just feels like alternate names. |
|
@PaulHigin That's fine, my only concern is that my immediate want as a consumer will be to abuse this field and store JSON in it so as a secret consumer I can filter on more metadata detail Name-Value tags as a dictionary[string,string] would be a good compromise, and again the storage would be left up to the extension, it would just be an optional supplied parameter to the set-secret and get-secret implemented commands Ideal solution in my opinion You could also do This allows extension authors to supply any kind of metadata relevant to the secret info for that extension that consumers who are aware of that metadata can consume, so that they can choose to more efficiently filter (or make cmdlets that use Get-Secret on the backend). The author would just optionally supply the additional information to the Metadata property when returning the secret object when Get-SecretInfo is called, and allow arbitrary settings to be specified with Set-SecretInfo that are secret specific instead of vault specific. For instance, I may want to filter by created/modified/deleted date, I may want to filter by some sort of folder structure the extension provides, I may want to filter by a special kind of tag that 1Password provides, etc. and I shouldn't be hamstrung into the standard properties of a secretInfo for that. Without it, it will just lead to people (like me) abusing description by putting a JSON string in there that a wrapper cmdlet just decodes to then be able to do the filtering. |
|
No, I don't want to force extension vault writers to have to deal with an arbitrary 'object' type. If anything this would be a well defined field type. But we really want to avoid breaking changes so I will look to see if it can be implemented without breaking existing extension vaults. |
|
@PaulHigin I agree minimizing breaking changes at this point now that vaults are out there would be good, that's why I said it would be an optional new field on the $mysecretInfo.metadata = @{
Path='/my/special/path';
IsGroupCredential=$true;
Tags=@{
Environment='Production';
AssociatedServer='Test5'
}`As you see you're not "forcing" them to do anything, and it wouldn't be a breaking change, it's entirely up to them if they want to incorporate it into And then I as a consumer can use that info to filter to find the secret I want.
|
|
Yes, changing SecretInformation type is fine for script functions, but would require binary cmdlets to be recompiled (breaking change). Fortunately, I believe all extension vaults are currently implemented with script functions. Also the field needs to be passed in so |
|
I have the same problem. I build a Pleasant Password Server SecretManagement Extension. At the moment if I call |
|
Not all vaults need or want to deal with extra secret metadata. So I think it makes sense for individual vault implementations to provide this functionality if needed. |
|
@PaulHigin The metadata is optional in the same way the description is. How do you propose Then how about setting secrets with additional information required (e.g. tags, etc.), do you want us to hack the name with a lot of extra special syntax and then have set-secret parse it? Doesn't seem very user friendly to me. Lets take the very common example of creating a new secret that needs both a subfolder organization (e.g. a "Path" metadata parameter) and some tags to describe it. Without being able to specify the metadata at creation, then you're asking the user workflow to be something like this:
When instead it could simply be: And extension authors could instead provide a casting object to go to the Metadata. All secret management is doing is passing through that object, so I don't understand why so much resistance to the idea. |
|
Nothing is ever simple. It is not clear if the metadata should be treated as sensitive data and be protected, and complicates the cmdlets we support. I don't yet see the value for most users and prefer to not add it if it is only rarely needed. At this point it feels to me as something that can be handled as custom vault functionality. But I freely admit I may be wrong, and we can look at adding it if it provides value to most users. |
|
@PaulHigin I would say per most common example above, most password managers have some sort of hierarchy to organize secrets. When creating a new secret, how would you propose a vault implementer create the secret to a specific path? If it's for the vault module to provide an additional wrapper cmdlet around set-secret, why even bother using set-secret in the first place since the whole idea is to standardize the getting and setting of secrets? |
|
Also, per your comment: @PaulHigin So having |
|
Here's another use case: So we need at least some sort of separate property to distinguish the identifier of the secret from what we display to the user.
|
|
We can look into adding an optional Vaults that force users to provide a bunch of extra information for each secret, or to require very long Id strings to identify secrets, feel like a poor user experience. And I wonder if the vault implementation can provide some kind of mapping layer to make the user experience better. |
|
@PaulHigin I'm more concerned about having it for the As a workaround today I use the -Filter like an OData query field basically to be able to filter to the correct info, but it's not very discoverable compared to a metadata field. The module then provides basically a |
|
@JustinGrote How do you suggest the metadata be handled? Should it be treated as sensitive information? I feel it should be considered as non-sensitive information, like secret We would have to make this clear to ensure expectations and vault implementations are consistent. |
|
@PaulHigin I envision it as either a Description: MyTestSecret None of the tags would be required and implementation is completely optional though some "de-facto" standards may emerge from the community that users can potentially come to reliably expect to exist. Implementation would be simply adding the field to the |
|
+1 on this, the vast majority of password managers would need metadata storage to keep at least minimal path or id information, such as a UUID, etc. A generic |
|
And as mentioned it wouldn't break existing implementations because the existing constructor would still exist, and it's optional to consume. I already laid out my more detailed recommendation back in November that is just reiterating what I summarized above. |
|
As a real world example, I am already having to abuse the name field of secretmanagement.chromium because it requires unique secrets and in Chromium browsers secrets are only guaranteed unique by their UID. If I had a metadata field where I could store the UID, I could make the display names less onerous and feel safe displaying them as "Secret", "Secret (2)" etc. because when I need to then go back and get that secret I have the UID to reference in the metadata field.
|
|
We decided this feature is important enough to include in the next RC release. This will be an optional feature for vaults to implement, but Secret metadata is not treated as sensitive and does not have to be stored with encryption. Secret metadata will be a Secret metadata will be included in the The feature will be exposed to users through a new There will also be a new There will be a new Let me know what you think. |
|
@PaulHigin this design looks perfectly good to me! thanks a lot |
|
Sounds directly on par with my request! If the implementation is as you describe that PR can close this issue. I really appreciate you taking the time @PaulHigin to review |
|
@PaulHigin can you update the milestone to RC2? |
|
Implemented in 9de1193 |
Carried over from PowerShell/Modules#31
Summary of the new feature/enhancement
As a powershell user, I sometimes want some more information about what a secret is for, and a provider may be able to provide that additional information in a way that I can programatically query/filter that information.
For example:
Proposed technical implementation details (optional)
Add a
[Object]property to Get-SecretInfo outputSome name possibilities: Notes, Description, Metadata
The provider can populate this property with additional information about the secret. This information would be provider specific and the provider can supply any type of object as long as it has a clean ToString() method to convert it. Most providers may just do a simple string description, others may submit a nested hashtable with properties like created, modified, etc.
Future:
Some natural commonalities like "LastModified","Comment" may become common and should be added to the
[SecretInformation]class designation to standardize them, however this property allows providers to deliver their own extensible information that's important to their provider.The text was updated successfully, but these errors were encountered: