[Openstack-security] [Bug 1406191] Re: node-show discloses credentials as plain text in driver_info
Zhenzan Zhou
zhenzan.zhou at intel.com
Wed Jan 28 02:09:06 UTC 2015
Current enforced policy already makes sure only users with the admin role
can get node detail info, i.e. are able to run "node-show". If we just hide
the plain text in the output, people can still use the '--debug' option to get
the plain text from the original response from the ironic-api server. It's
easy to just hide it on the api server side, but if we still want to see the
plain text in some cases, we'll have to change the API. So a compromise
solution would be adding a new config option in ironic.conf to control
whether sensitive credentials should be hidden in the api response.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1406191
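The comment above argues that masking in the client is not enough, because '--debug' shows the raw API response; the masking has to happen in the server's response body, gated by a config option. The sketch below is an added illustration of that idea, not Ironic's code: the option name `hide_sensitive`, the key pattern and the helper names are assumptions, the node data is constructed from the values shown in the bug report, and the mask string is the '<SANITIZED>' marker the log file uses.

```python
import re
from typing import Any, Iterator

# Key names treated as credentials. Hypothetical pattern; Ironic's own list
# of sensitive driver_info fields is not given in the bug report.
SENSITIVE_KEY_RE = re.compile(r"password|secret", re.IGNORECASE)
MASK = "<SANITIZED>"  # marker the bug report shows in the ironic log file

# Constructed node record, values taken from the node-show output above.
SAMPLE_NODE = {
    "uuid": "b0860248-bf1d-4803-bdc3-5bb42852841c",
    "driver": "pxe_ipmitool",
    "driver_info": {
        "ipmi_address": "9.9.9.9",
        "ipmi_username": "username",
        "ipmi_password": "password",
        "ipmi_terminal_port": "1234",
    },
}


def sanitize(value: Any) -> Any:
    """Return a copy of value with credential-like keys masked, recursing into nested dicts and lists."""
    if isinstance(value, dict):
        return {k: (MASK if SENSITIVE_KEY_RE.search(str(k)) else sanitize(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    return value


def node_to_api_dict(node: dict, hide_sensitive: bool) -> dict:
    """Build the node body the API server returns. hide_sensitive stands for the
    proposed ironic.conf option (hypothetical name); when False the body is unchanged."""
    if not hide_sensitive:
        return dict(node)
    return {k: (sanitize(v) if k == "driver_info" else v) for k, v in node.items()}


def leaf_values(value: Any) -> Iterator[Any]:
    """Yield every leaf value in a response body (keys are skipped, so 'ipmi_password' as a key does not count)."""
    if isinstance(value, dict):
        for v in value.values():
            yield from leaf_values(v)
    elif isinstance(value, list):
        for v in value:
            yield from leaf_values(v)
    else:
        yield value


def response_leaks(api_body: dict, secret: str) -> bool:
    """True if the plaintext secret is anywhere in the body a '--debug' client would print."""
    return secret in set(leaf_values(api_body))
```

With the option off the body still carries the IPMI password, so a client-side mask would only hide it from the table, not from '--debug'; with the option on the secret is gone from the body itself.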
Title:
node-show discloses credentials as plain text in driver_info
Status in OpenStack Bare Metal Provisioning Service (Ironic):
Confirmed
Bug description:
[root at rhel7-vm ~]# ironic node-show b0860248-bf1d-4803-bdc3-5bb42852841c
+------------------------+--------------------------------------------------------------------------+
| Property | Value |
+------------------------+--------------------------------------------------------------------------+
| instance_uuid | bdaf5cc9-de8f-407e-890a-d4b6c1e3e602 |
| target_power_state | None |
| properties | {u'memory_mb': u'1024', u'cpu_arch': u'x86_64', u'local_gb': u'10', |
| | u'cpus': u'1'} |
| maintenance | False |
| driver_info | {u'pxe_deploy_ramdisk': u'503e88d9-637c-4369-b8e0-2b2531c0eeb2', |
| | u'ipmi_terminal_port': u'1234', u'ipmi_username': u'username', |
| | u'ipmi_address': u'9.9.9.9', u'ipmi_password': u'password', |
| | u'pxe_deploy_kernel': u'1e676e34-1294-4a17-afba-cd5c358cd314'} |
| extra | {} |
| last_error | None |
| created_at | 2014-12-19T07:13:50+00:00 |
| target_provision_state | deploy complete |
| driver | pxe_ipmitool |
| updated_at | 2014-12-29T04:52:29+00:00 |
| instance_info | {u'ramdisk': u'b30a4441-b975-432d-8878-573de2aba297', u'kernel': u |
| | '490b7edd-dfe9-4842-80ed-033c788b37d1', u'root_gb': u'10', |
| | u'image_source': u'8d860e96-61f9-4070-8b09-4c8037c104c7', u'deploy_key': |
| | u'2AX7KT8DXGU395SOA06J676YAC7AVA60', u'swap_mb': u'0'} |
| chassis_uuid | |
| provision_state | wait call-back |
| reservation | None |
| power_state | power on |
| console_enabled | False |
| uuid | b0860248-bf1d-4803-bdc3-5bb42852841c |
+------------------------+--------------------------------------------------------------------------+
[root at rhel7-vm ~]#
Log file will not show the password - 'ipmi_password': '<SANITIZED>'
So can we hide the password in ironic client side?