Skip to content

Add SafeDict/SafeList pillar wrapping with Pydantic secrets, output redaction, and no_log #68907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Akm0d wants to merge 41 commits into
base: master
Choose a base branch
from
Open

Add SafeDict/SafeList pillar wrapping with Pydantic secrets, output redaction, and no_log #68907

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
d96f974
Add SafeDict/SafeList pillar wrapping with Pydantic secrets, output r…
Akm0d Apr 7, 2026
7e36e37
pass pre-commit
Akm0d Apr 7, 2026
fbea7e8
fully pass local pre-commit
Akm0d Apr 8, 2026
1bbb4f4
revert changed file permissions
Akm0d Apr 8, 2026
4bebb39
Fix failing tests
Akm0d Apr 8, 2026
91f900b
Fix tests
Akm0d Apr 8, 2026
bb3aa7b
ensure salt-thin tests pass
Akm0d Apr 9, 2026
cafcdaf
Fix minion blackout whitelist with wrapped pillar
Akm0d Apr 9, 2026
acf7714
add pydantic to requirements with pre-commit
Akm0d Apr 15, 2026
ece3d2c
msgpack: unwrap safepillar types and Pydantic secrets in payload encoder
Akm0d Apr 15, 2026
45dcbbe
Access pillar data while rendering pillars
dwoz Apr 8, 2023
39e2f20
Fix unit test
dwoz Nov 8, 2023
57ace72
Add test from alt PR
dwoz Nov 8, 2023
118ffc1
Fix matchers using pillar in opts
dwoz Dec 18, 2023
26778dc
Add changelog for #65724
dwoz Dec 18, 2023
c21d59a
Fix linter
dwoz Dec 18, 2023
0a53de5
Fix typo
dwoz Apr 8, 2024
ce937c6
Fix test assertion for ext_pillar_first
dwoz Apr 4, 2026
1136d72
Address frebib's PR comments: ensure opts['pillar'] is set in __init_…
dwoz Apr 5, 2026
0b01d99
Fix linter: remove trailing newlines
dwoz Apr 5, 2026
e2bc089
Fully address frebib's suggestions: update loader pack instead of rel…
dwoz Apr 5, 2026
dbe8d53
Fix circular reference in Pillar when pillar_opts is True
dwoz Apr 5, 2026
5759938
Fix integration regression: preserve master ID in ext_pillar_opts
dwoz Apr 6, 2026
27a374a
Final cleanup: surgical pillar data access, fixed regressions, and br…
dwoz Apr 9, 2026
d443349
Final cleanup: remove dangerous updates to pillar_data and ensure int…
dwoz Apr 9, 2026
fca0746
Final cleanup: pop __context__ from master opts to prevent circular r…
dwoz Apr 10, 2026
038d28a
Final verified cleanup: resolved circular references and integration …
dwoz Apr 12, 2026
4a55ae1
Final verified fix: restore opts['pillar'] assignment for matchers in…
dwoz Apr 12, 2026
348137b
Final verified cleanup: removed circular references and fixed integra…
dwoz Apr 12, 2026
49ee90a
Final verified fix for Pillar regressions: resolved circular referenc…
dwoz Apr 13, 2026
062dac7
Final verified cleanup: resolved circular references, integration reg…
dwoz Apr 13, 2026
989caa7
Add changelog for #64043
dwoz Apr 13, 2026
c390d73
Add explicit tests for pillar_opts, ssh_merge_pillar, decrypt_pillar …
dwoz Apr 14, 2026
0bb3be7
Fix formatting and final logic verification for dunder pillar
dwoz Apr 14, 2026
f6c8d62
Fix log of dead processes in reap_stray_processes
m-czernek Apr 13, 2026
b211f87
pass pre-commit
Akm0d Apr 15, 2026
aebe564
safepillar: only redact credential-like pillar branches; unwrap for J…
Akm0d Apr 15, 2026
f3db6d1
Merge branch 'master' into fix/67367-mask-pillar
Akm0d Apr 15, 2026
c47ba32
Merge branch 'master' into fix/67367-mask-pillar
Akm0d Apr 16, 2026
74ffa17
Merge branch 'master' into fix/67367-mask-pillar
Akm0d Apr 16, 2026
f203cf6
pass pre-commit
Akm0d Apr 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog/68907.added.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Pillar data is now wrapped in SafeDict/SafeList with Pydantic SecretStr/SecretBytes for safer logging and output; optional state `no_log` and automatic redaction of pillar literals in state returns and minion job logs.
17 changes: 17 additions & 0 deletions doc/topics/tutorials/pillar.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,23 @@ Arbitrary Data:
so a key/value store can be defined making it easy to iterate over a group
of values in sls formulas.

.. versionadded:: 3008

On the minion, compiled pillar is stored using :mod:`salt.utils.safepillar`
containers: string and bytes leaves are wrapped with Pydantic ``SecretStr`` and
``SecretBytes``, and mappings/lists use ``SafeDict`` / ``SafeList`` so later
in-place updates stay wrapped. State returns and minion logs redact known pillar
literals where possible. States may set ``no_log: true`` (runtime keyword, not
passed to the state function) to mask that state's ``comment`` and ``changes``
in output. Custom code that assumes ``isinstance(value, str)`` for pillar
values may need to use ``get_secret_value()`` on secret types or compare with
``SecretStr``.

The execution functions ``pillar.items`` and ``pillar.get`` are exceptions: they
return plain Python strings, bytes, dicts, and lists (unwrapped) because the
operator explicitly asked for pillar data. Other code paths use wrapped
in-memory pillar unless they call those functions.

Pillar is therefore one of the most important systems when using Salt. This
walkthrough is designed to get a simple Pillar up and running in a few minutes
and then to dive into the capabilities of Pillar and where the data is
Expand Down
1 change: 1 addition & 0 deletions requirements/base.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ psutil>=5.0.0; python_version >= '3.10'
pymssql>=2.2.1; sys_platform == 'win32' and python_version < '3.11'
pymssql==2.3.11; sys_platform == 'win32' and python_version >= '3.11'
pymysql>=1.0.2; sys_platform == 'win32'
pydantic>=2.4.0
pyopenssl>=25.0.0
python-dateutil>=2.8.1
python-gnupg>=0.4.7
Expand Down
23 changes: 23 additions & 0 deletions requirements/static/ci/py3.10/cloud.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@ aiosignal==1.4.0
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# aiohttp
annotated-types==0.7.0
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
apache-libcloud==3.9.0
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down Expand Up @@ -439,6 +444,16 @@ pycryptodomex==3.19.1
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
pyfakefs==5.3.1
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down Expand Up @@ -725,9 +740,17 @@ typing-extensions==4.15.0
# aiosignal
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# pytest-system-statistics
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down
19 changes: 19 additions & 0 deletions requirements/static/ci/py3.10/darwin.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ aiosignal==1.4.0
# via
# -c requirements/static/pkg/py3.10/darwin.txt
# aiohttp
annotated-types==0.7.0
# via
# -c requirements/static/pkg/py3.10/darwin.txt
# pydantic
apache-libcloud==3.9.0
# via
# -c requirements/static/pkg/py3.10/darwin.txt
Expand Down Expand Up @@ -323,6 +327,14 @@ pycryptodomex==3.19.1
# via
# -c requirements/static/pkg/py3.10/darwin.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/pkg/py3.10/darwin.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/pkg/py3.10/darwin.txt
# pydantic
pyfakefs==5.3.1
# via -r requirements/pytest.txt
pygit2==1.13.1
Expand Down Expand Up @@ -504,9 +516,16 @@ typing-extensions==4.15.0
# aiosignal
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# pytest-system-statistics
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/pkg/py3.10/darwin.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/pkg/py3.10/darwin.txt
Expand Down
19 changes: 19 additions & 0 deletions requirements/static/ci/py3.10/docs.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ aiosignal==1.4.0
# aiohttp
alabaster==0.7.13
# via sphinx
annotated-types==0.7.0
# via
# -c requirements/static/ci/py3.10/linux.txt
# pydantic
apache-libcloud==3.9.0
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down Expand Up @@ -216,6 +220,14 @@ pycryptodomex==3.19.1
# via
# -c requirements/static/ci/py3.10/linux.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/ci/py3.10/linux.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/ci/py3.10/linux.txt
# pydantic
pyenchant==3.2.2
# via sphinxcontrib-spelling
pygments==2.17.2
Expand Down Expand Up @@ -316,8 +328,15 @@ typing-extensions==4.15.0
# aiosignal
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/ci/py3.10/linux.txt
# pydantic
uc-micro-py==1.0.2
# via linkify-it-py
urllib3==2.6.3
Expand Down
19 changes: 19 additions & 0 deletions requirements/static/ci/py3.10/freebsd.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ aiosignal==1.4.0
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
# aiohttp
annotated-types==0.7.0
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
# pydantic
apache-libcloud==3.9.0
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
Expand Down Expand Up @@ -341,6 +345,14 @@ pycryptodomex==3.19.1
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
# pydantic
pyfakefs==5.3.1
# via -r requirements/pytest.txt
pyinotify==0.9.6 ; platform_system != 'openbsd' and sys_platform != 'darwin' and sys_platform != 'win32'
Expand Down Expand Up @@ -568,9 +580,16 @@ typing-extensions==4.15.0
# aiosignal
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# pytest-system-statistics
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/pkg/py3.10/freebsd.txt
Expand Down
23 changes: 23 additions & 0 deletions requirements/static/ci/py3.10/lint.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,11 @@ aiosignal==1.4.0
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# aiohttp
annotated-types==0.7.0
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
ansible==10.7.0
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down Expand Up @@ -461,6 +466,16 @@ pycryptodomex==3.19.1
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
pygit2==1.13.1
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down Expand Up @@ -733,8 +748,16 @@ typing-extensions==4.15.0
# astroid
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/ci/py3.10/linux.txt
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/ci/py3.10/linux.txt
Expand Down
19 changes: 19 additions & 0 deletions requirements/static/ci/py3.10/linux.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ aiosignal==1.4.0
# via
# -c requirements/static/pkg/py3.10/linux.txt
# aiohttp
annotated-types==0.7.0
# via
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
ansible==10.7.0
# via -r requirements/static/ci/linux.in
ansible-core==2.17.14
Expand Down Expand Up @@ -351,6 +355,14 @@ pycryptodomex==3.19.1
# via
# -c requirements/static/pkg/py3.10/linux.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/pkg/py3.10/linux.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
pyfakefs==5.3.1
# via -r requirements/pytest.txt
pygit2==1.13.1
Expand Down Expand Up @@ -571,9 +583,16 @@ typing-extensions==4.15.0
# aiosignal
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# pytest-system-statistics
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/pkg/py3.10/linux.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/pkg/py3.10/linux.txt
Expand Down
23 changes: 21 additions & 2 deletions requirements/static/ci/py3.10/windows.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ annotated-doc==0.0.4
# via
# -c requirements/static/pkg/py3.10/windows.txt
# typer
annotated-types==0.7.0
# via
# -c requirements/static/pkg/py3.10/windows.txt
# pydantic
apache-libcloud==3.9.0
# via
# -c requirements/static/pkg/py3.10/windows.txt
Expand Down Expand Up @@ -314,15 +318,23 @@ pycryptodomex==3.23.0
# via
# -c requirements/static/pkg/py3.10/windows.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/pkg/py3.10/windows.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/pkg/py3.10/windows.txt
# pydantic
pyfakefs==5.3.1
# via -r requirements/pytest.txt
pygit2==1.13.1
# via -r requirements/static/ci/windows.in
pygments==2.19.2
pygments==2.20.0
# via
# -c requirements/static/pkg/py3.10/windows.txt
# rich
pymssql==2.3.11
pymssql==2.3.1
# via
# -c requirements/static/pkg/py3.10/windows.txt
# -r requirements/base.txt
Expand Down Expand Up @@ -522,9 +534,16 @@ typing-extensions==4.15.0
# aiosignal
# cryptography
# multidict
# pydantic
# pydantic-core
# pyopenssl
# pytest-system-statistics
# typing-inspection
# virtualenv
typing-inspection==0.4.2
# via
# -c requirements/static/pkg/py3.10/windows.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/pkg/py3.10/windows.txt
Expand Down
23 changes: 23 additions & 0 deletions requirements/static/ci/py3.11/cloud.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@ aiosignal==1.4.0
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# aiohttp
annotated-types==0.7.0
# via
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# pydantic
apache-libcloud==3.9.0
# via
# -c requirements/static/ci/py3.11/linux.txt
Expand Down Expand Up @@ -429,6 +434,16 @@ pycryptodomex==3.19.1
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# -r requirements/crypto.txt
pydantic==2.12.5
# via
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# -r requirements/base.txt
pydantic-core==2.41.5
# via
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# pydantic
pyfakefs==5.3.1
# via
# -c requirements/static/ci/py3.11/linux.txt
Expand Down Expand Up @@ -709,8 +724,16 @@ typing-extensions==4.14.1
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# aiosignal
# pydantic
# pydantic-core
# pyopenssl
# pytest-system-statistics
# typing-inspection
typing-inspection==0.4.2
# via
# -c requirements/static/ci/py3.11/linux.txt
# -c requirements/static/pkg/py3.11/linux.txt
# pydantic
urllib3==2.6.3
# via
# -c requirements/static/ci/py3.11/linux.txt
Expand Down
Loading
Loading