mgr/smb: filter out password fields in sqlite store

Currently, all of ceph orchestration stores sensitive data in the mon
config-key store. Keep doing that by eliding passwords in the sqlite
store but retaining them in the mon based store. Perhaps, in the future
we can even use a 'vault' type store for even better sensitive info
retention.

Signed-off-by: John Mulligan <[email protected]>

Author: phlogistonjohn

src/pybind/mgr/smb/sqlite_store.py

@@ -479,13 +479,30 @@ class MirrorJoinAuths(Mirror):
     def __init__(self, store: ConfigStore) -> None:
         super().__init__('join_auths', store)
 
+    def filter_object(self, obj: Simplified) -> Simplified:
+        """Filter join auth data for sqlite3 store."""
+        filtered = copy.deepcopy(obj)
+        if 'auth' in filtered:
+            filtered['auth'].pop('password', None)
+        return filtered
+
 
 class MirrorUsersAndGroups(Mirror):
     """Mirroring configuration for objects in the users_and_groups namespace."""
 
     def __init__(self, store: ConfigStore) -> None:
         super().__init__('users_and_groups', store)
 
+    def filter_object(self, obj: Simplified) -> Simplified:
+        """Filter join users and groups data for sqlite3 store."""
+        filtered = copy.deepcopy(obj)
+        for user in filtered.get('values', {}).get('users', []):
+            # retain the key, to have the capability of knowing it was part of
+            # this row, but remove the value from this object
+            if 'password' in user:
+                user['password'] = ''
+        return filtered
+
 
 def _tables(
     *,