Savanna should not send private keys to the cloud user

Bug #1260357 reported by Alexander Ignatov
This bug affects 1 person
Affects: Sahara
Status: Fix Released
Importance: High
Assigned to: Alexander Ignatov

Bug Description

Due to unknown reasons (legacy code, I think), Savanna sends private keys for cloud users (ubuntu, fedora, ec2-user) during cluster provisioning. For example, now it can be seen in Heat templates generated by http://paste.openstack.org/show/54693/

Alexander Ignatov (aignatov) wrote :

We just need to send only public keys to VMs.

Changed in savanna:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Alexander Ignatov (aignatov)
milestone: none → icehouse-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to savanna (master)

Fix proposed to branch: master
Review: https://review.openstack.org/62200

Changed in savanna:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to savanna (master)

Reviewed: https://review.openstack.org/62200
Committed: https://git.openstack.org/cgit/openstack/savanna/commit/?id=29eba90566d4599172b3a569948b9613b2f3c6c0
Submitter: Jenkins
Branch: master

commit 29eba90566d4599172b3a569948b9613b2f3c6c0
Author: Alexander Ignatov <email address hidden>
Date: Sun Dec 15 00:39:29 2013 +0400

    Removed cloud user private key pushing to nodes

      Due to security considerations we should not send private key of cloud
      users to VMs. This is mostly needed for Heat provisioning logic, where
      heat templates must not have secret keys written in user-data section.
      With this change Heat templates will look as follows:
      http://paste.openstack.org/show/55008/

      Savanna old provisioning engine is also cleared from pushing private keys
      to nodes.

      Changed behaviour of wait_until_accessible method. Now it checks
      ~/.ssh/authorized_keys instead of ~/.ssh/id_rsa.

      (NOTE: don't worry about code duplication in both engines). The common
      part of provisioning code will be extracted soon as part of bug
      https://bugs.launchpad.net/savanna/+bug/1259170

    Change-Id: Ibe42cf6fc756ffc92bfc3fe520f4cecb732d858b
    Closes-Bug: #1260357

Changed in savanna:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in savanna:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in sahara:
milestone: icehouse-2 → 2014.1
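
A pre-deployment check in the spirit of this fix, as an added example that is not Savanna's or Heat's own code: it walks a parsed Heat template and reports every user-data section that embeds a PEM private key header. The CFN-style template layout, the resource name `node-001` and the key strings are constructed for illustration and are not taken from the pastes linked above.

```python
import re

# Header of any PEM private key type (RSA, EC, OPENSSH, PKCS#8, ...).
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
USER_DATA_KEYS = {"UserData", "user_data"}


def flatten(node):
    """Concatenate every string found under node (Fn::Join parts included)."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict):
        return "\n".join(flatten(v) for v in node.values())
    if isinstance(node, list):
        return "\n".join(flatten(v) for v in node)
    return ""


def find_private_keys(template, path="$"):
    """Return the paths of user-data sections that embed a PEM private key."""
    hits = []
    if isinstance(template, dict):
        for key, value in template.items():
            child = f"{path}.{key}"
            if key in USER_DATA_KEYS and PEM_PRIVATE.search(flatten(value)):
                hits.append(child)
            else:
                hits.extend(find_private_keys(value, child))
    elif isinstance(template, list):
        for i, value in enumerate(template):
            hits.extend(find_private_keys(value, f"{path}[{i}]"))
    return hits


def node_template(script_lines):
    # Constructed single-instance template; names are illustrative only.
    user_data = {"Fn::Base64": {"Fn::Join": ["\n", script_lines]}}
    return {"Resources": {"node-001": {
        "Type": "AWS::EC2::Instance",
        "Properties": {"UserData": user_data},
    }}}


# Constructed script lines: the key bodies are placeholders, not key material.
PUBLIC = "echo 'ssh-rsa AAAA-constructed' >> /home/ubuntu/.ssh/authorized_keys"
PRIVATE = ("echo '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
           "-----END RSA PRIVATE KEY-----' > /home/ubuntu/.ssh/id_rsa")
BEFORE = node_template(["#!/bin/bash", PUBLIC, PRIVATE])  # behaviour reported in the bug
AFTER = node_template(["#!/bin/bash", PUBLIC])            # public key only, as after the fix
```

The check matches a PEM header only where it appears intact in a single string; a key stored base64-encoded or split across template fragments needs decoding or joining before the scan.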