node-show discloses credentials as plain text in driver_info

Bug #1406191 reported by Haomeng,Wang
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ironic | Fix Released | Medium | aeva black |

Bug Description

[root@rhel7-vm ~]# ironic node-show b0860248-bf1d-4803-bdc3-5bb42852841c
+------------------------+--------------------------------------------------------------------------+
| Property | Value |
+------------------------+--------------------------------------------------------------------------+
| instance_uuid | bdaf5cc9-de8f-407e-890a-d4b6c1e3e602 |
| target_power_state | None |
| properties | {u'memory_mb': u'1024', u'cpu_arch': u'x86_64', u'local_gb': u'10', |
| | u'cpus': u'1'} |
| maintenance | False |
| driver_info | {u'pxe_deploy_ramdisk': u'503e88d9-637c-4369-b8e0-2b2531c0eeb2', |
| | u'ipmi_terminal_port': u'1234', u'ipmi_username': u'username', |
| | u'ipmi_address': u'9.9.9.9', u'ipmi_password': u'password', |
| | u'pxe_deploy_kernel': u'1e676e34-1294-4a17-afba-cd5c358cd314'} |
| extra | {} |
| last_error | None |
| created_at | 2014-12-19T07:13:50+00:00 |
| target_provision_state | deploy complete |
| driver | pxe_ipmitool |
| updated_at | 2014-12-29T04:52:29+00:00 |
| instance_info | {u'ramdisk': u'b30a4441-b975-432d-8878-573de2aba297', u'kernel': u |
| | '490b7edd-dfe9-4842-80ed-033c788b37d1', u'root_gb': u'10', |
| | u'image_source': u'8d860e96-61f9-4070-8b09-4c8037c104c7', u'deploy_key': |
| | u'2AX7KT8DXGU395SOA06J676YAC7AVA60', u'swap_mb': u'0'} |
| chassis_uuid | |
| provision_state | wait call-back |
| reservation | None |
| power_state | power on |
| console_enabled | False |
| uuid | b0860248-bf1d-4803-bdc3-5bb42852841c |
+------------------------+--------------------------------------------------------------------------+
[root@rhel7-vm ~]#

Log file will not show the password - 'ipmi_password': '<SANITIZED>'

So can we hide the password on the ironic client side?

Tags: security
Haomeng,Wang (whaom)
summary: - ironic node-show show the plain text password
+ ironic node-show expose the ipmi password
summary: - ironic node-show expose the ipmi password
+ security issue - ironic node-show expose the ipmi password
Dmitry Tantsur (divius) wrote :

This is a known problem, and the proper solution is probably to implement some kind of access policy showing/hiding credentials to certain users.

summary: - security issue - ironic node-show expose the ipmi password
+ node-show discloses credentials as plain text in driver_info
Changed in ironic:
status: New → Confirmed
importance: Undecided → Medium
tags: added: security
Changed in ironic:
assignee: nobody → Zhenzan Zhou (zhenzan-zhou)
Zhenzan Zhou (zhenzan-zhou) wrote :

The currently enforced policy already makes sure only users with the admin role can get node detail info, i.e. are able to run "node-show". If we just hide the plain text in the output, people can still use the '--debug' option to get the plain text from the original response from the ironic-api server. It's easy to just hide it on the API server side, but if we still want to see the plain text in some cases, we'll have to change the API. So a compromise solution would be adding a new config option in ironic.conf to control whether sensitive credentials should be hidden in the API response.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/150688

Changed in ironic:
status: Confirmed → In Progress
aeva black (tenbrae)
Changed in ironic:
milestone: none → kilo-2
Malini Bhandaru (malini-k-bhandaru) wrote :

Hmm .. we cannot save the password in the DB in some hashed form because we need it for logging into the driver. We may also want to display it just in case someone set it up all wrong. How is this handled in other projects .. for example, Cinder drivers?

Changed in ironic:
assignee: Zhenzan Zhou (zhenzan-zhou) → Devananda van der Veen (devananda)
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/150688
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=efb321c71a709a6f5b33d9de62587117f0c29ba3
Submitter: Jenkins
Branch: master

commit efb321c71a709a6f5b33d9de62587117f0c29ba3
Author: Zhenzan Zhou <email address hidden>
Date: Wed Jan 28 13:10:02 2015 +0800

    Add policy show_password to mask passwords in driver_info

    Ironic API already enforces admin role to run node-show. So a new
    policy show_password is added to control if plain text passwords
    in driver_info should be masked or not before sending back to
    API calls. The default is masking password for all cases.

    Change-Id: Icd3e6be049376bf7b4468f0c149a72a06643da32
    Closes-Bug: #1406191
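
The server-side masking that the commit message above describes, sketched as an added example (not Ironic's code and not part of the original bug report). The names mask_secrets, node_api_view, DEFAULT_POLICY and the "******" mask string are assumptions; the sample node is constructed from the values shown in the report.

```python
import copy

MASK = "******"                    # assumed mask string
SENSITIVE_MARKERS = ("password",)  # assumed: key substrings treated as secret

# Default mirrors the commit message: no role is granted show_password,
# so passwords are masked for every caller unless the operator opts in.
DEFAULT_POLICY = {"show_password": frozenset()}

# Constructed sample record, using the driver_info values from the report.
SAMPLE_NODE = {
    "uuid": "b0860248-bf1d-4803-bdc3-5bb42852841c",
    "driver": "pxe_ipmitool",
    "driver_info": {
        "ipmi_address": "9.9.9.9",
        "ipmi_username": "username",
        "ipmi_password": "password",
        "ipmi_terminal_port": "1234",
    },
}


def _is_sensitive(key):
    return isinstance(key, str) and any(m in key.lower() for m in SENSITIVE_MARKERS)


def mask_secrets(value):
    """Return a copy of value with every password-like dict entry masked."""
    if isinstance(value, dict):
        return {k: MASK if _is_sensitive(k) else mask_secrets(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(v) for v in value)
    return copy.deepcopy(value)


def node_api_view(node, roles, policy=DEFAULT_POLICY):
    """Build the API response body for a node.

    Masking happens here, before serialization, so a client printing the
    raw response (e.g. with --debug) never receives the plain text. The
    stored record is left untouched because the driver still needs the
    real password to log in to the BMC.
    """
    view = copy.deepcopy(node)
    allowed_roles = policy.get("show_password", frozenset())
    if not allowed_roles.intersection(roles):
        view["driver_info"] = mask_secrets(node.get("driver_info", {}))
    return view
```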

Changed in ironic:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in ironic:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ironic:
milestone: kilo-2 → 2015.1.0
This report contains Public information  
Everyone can see this information.
