[Openstack-security] [Bug 1406191] Re: node-show discloses credentials as plain text in driver_info
Malini Bhandaru
malini.k.bhandaru at intel.com
Wed Jan 28 07:33:53 UTC 2015
Humm .. cannot save the password in the DB in some hashed form because
we need it for logging into driver. May also want it to display it just
in case someone set it up all wrong. How is this handled in other
projects .. example Cinder drivers.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1406191
Title:
node-show discloses credentials as plain text in driver_info
Status in OpenStack Bare Metal Provisioning Service (Ironic):
In Progress
Bug description:
[root at rhel7-vm ~]# ironic node-show b0860248-bf1d-4803-bdc3-5bb42852841c
+------------------------+--------------------------------------------------------------------------+
| Property | Value |
+------------------------+--------------------------------------------------------------------------+
| instance_uuid | bdaf5cc9-de8f-407e-890a-d4b6c1e3e602 |
| target_power_state | None |
| properties | {u'memory_mb': u'1024', u'cpu_arch': u'x86_64', u'local_gb': u'10', |
| | u'cpus': u'1'} |
| maintenance | False |
| driver_info | {u'pxe_deploy_ramdisk': u'503e88d9-637c-4369-b8e0-2b2531c0eeb2', |
| | u'ipmi_terminal_port': u'1234', u'ipmi_username': u'username', |
| | u'ipmi_address': u'9.9.9.9', u'ipmi_password': u'password', |
| | u'pxe_deploy_kernel': u'1e676e34-1294-4a17-afba-cd5c358cd314'} |
| extra | {} |
| last_error | None |
| created_at | 2014-12-19T07:13:50+00:00 |
| target_provision_state | deploy complete |
| driver | pxe_ipmitool |
| updated_at | 2014-12-29T04:52:29+00:00 |
| instance_info | {u'ramdisk': u'b30a4441-b975-432d-8878-573de2aba297', u'kernel': u |
| | '490b7edd-dfe9-4842-80ed-033c788b37d1', u'root_gb': u'10', |
| | u'image_source': u'8d860e96-61f9-4070-8b09-4c8037c104c7', u'deploy_key': |
| | u'2AX7KT8DXGU395SOA06J676YAC7AVA60', u'swap_mb': u'0'} |
| chassis_uuid | |
| provision_state | wait call-back |
| reservation | None |
| power_state | power on |
| console_enabled | False |
| uuid | b0860248-bf1d-4803-bdc3-5bb42852841c |
+------------------------+--------------------------------------------------------------------------+
[root at rhel7-vm ~]#
Log file will not show the password - 'ipmi_password': '<SANITIZED>'
So can we hide the password in ironic client side?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ironic/+bug/1406191/+subscriptions
More information about the Openstack-security
mailing list