[Openstack-security] [Bug 1406191] Re: node-show discloses credentials as plain text in driver_info
OpenStack Infra
1406191 at bugs.launchpad.net
Thu Feb 5 10:36:35 UTC 2015
Reviewed: https://review.openstack.org/150688
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=efb321c71a709a6f5b33d9de62587117f0c29ba3
Submitter: Jenkins
Branch: master
commit efb321c71a709a6f5b33d9de62587117f0c29ba3
Author: Zhenzan Zhou <zhenzan.zhou at intel.com>
Date: Wed Jan 28 13:10:02 2015 +0800
Add policy show_password to mask passwords in driver_info
Ironic API already enforces admin role to run node-show. So a new
policy show_password is added to control if plain text passwords
in driver_info should be masked or not before sending back to
API calls. The default is masking password for all cases.
Change-Id: Icd3e6be049376bf7b4468f0c149a72a06643da32
Closes-Bug: #1406191
** Changed in: ironic
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1406191
Title:
node-show discloses credentials as plain text in driver_info
Status in OpenStack Bare Metal Provisioning Service (Ironic):
Fix Committed
Bug description:
[root@rhel7-vm ~]# ironic node-show b0860248-bf1d-4803-bdc3-5bb42852841c
+------------------------+--------------------------------------------------------------------------+
| Property | Value |
+------------------------+--------------------------------------------------------------------------+
| instance_uuid | bdaf5cc9-de8f-407e-890a-d4b6c1e3e602 |
| target_power_state | None |
| properties | {u'memory_mb': u'1024', u'cpu_arch': u'x86_64', u'local_gb': u'10', |
| | u'cpus': u'1'} |
| maintenance | False |
| driver_info | {u'pxe_deploy_ramdisk': u'503e88d9-637c-4369-b8e0-2b2531c0eeb2', |
| | u'ipmi_terminal_port': u'1234', u'ipmi_username': u'username', |
| | u'ipmi_address': u'9.9.9.9', u'ipmi_password': u'password', |
| | u'pxe_deploy_kernel': u'1e676e34-1294-4a17-afba-cd5c358cd314'} |
| extra | {} |
| last_error | None |
| created_at | 2014-12-19T07:13:50+00:00 |
| target_provision_state | deploy complete |
| driver | pxe_ipmitool |
| updated_at | 2014-12-29T04:52:29+00:00 |
| instance_info | {u'ramdisk': u'b30a4441-b975-432d-8878-573de2aba297', u'kernel': u |
| | '490b7edd-dfe9-4842-80ed-033c788b37d1', u'root_gb': u'10', |
| | u'image_source': u'8d860e96-61f9-4070-8b09-4c8037c104c7', u'deploy_key': |
| | u'2AX7KT8DXGU395SOA06J676YAC7AVA60', u'swap_mb': u'0'} |
| chassis_uuid | |
| provision_state | wait call-back |
| reservation | None |
| power_state | power on |
| console_enabled | False |
| uuid | b0860248-bf1d-4803-bdc3-5bb42852841c |
+------------------------+--------------------------------------------------------------------------+
[root@rhel7-vm ~]#
Log file will not show the password - 'ipmi_password': '<SANITIZED>'
So can we hide the password in ironic client side?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ironic/+bug/1406191/+subscriptions
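The following is an added example, not code from the Ironic commit referenced above: a sketch of response-side masking gated by a show_password policy rule, with masking as the default. The policy table, the function names, the "******" mask string and the substring match on "password" are assumptions made for illustration.

```python
import copy

MASK = "******"  # assumed placeholder; the page does not state the mask string

# Hypothetical policy table: rule name -> roles granted the rule. An empty set
# models the default from the commit message (mask passwords in all cases).
DEFAULT_POLICY = {"show_password": frozenset()}


def is_allowed(rule, roles, policy=DEFAULT_POLICY):
    """Return True only if one of the caller's roles is granted the rule."""
    return bool(policy.get(rule, frozenset()) & set(roles))


def mask_passwords(value):
    """Return a copy of value with every key containing 'password' masked."""
    if isinstance(value, dict):
        return {
            k: MASK if "password" in str(k).lower() else mask_passwords(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [mask_passwords(v) for v in value]
    return copy.deepcopy(value)


def render_node(node, roles, policy=DEFAULT_POLICY):
    """Build the API view of a node; the stored node is never modified."""
    view = copy.deepcopy(node)
    if not is_allowed("show_password", roles, policy):
        view["driver_info"] = mask_passwords(view.get("driver_info", {}))
    return view


# Constructed sample, using field names from the node-show output above.
SAMPLE_NODE = {
    "uuid": "b0860248-bf1d-4803-bdc3-5bb42852841c",
    "driver": "pxe_ipmitool",
    "driver_info": {
        "ipmi_address": "9.9.9.9",
        "ipmi_username": "username",
        "ipmi_password": "password",
    },
}

if __name__ == "__main__":
    print(render_node(SAMPLE_NODE, roles=["admin"]))
```

Masking is applied to a copy at response time, so the stored driver_info stays usable by the driver while the API view hides the credential.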