node-show discloses credentials as plain text in driver_info
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | Fix Released | Medium | aeva black |
Bug Description
[root@rhel7-vm ~]# ironic node-show b0860248-
+------
| Property | Value |
+------
| instance_uuid | bdaf5cc9-
| target_power_state | None |
| properties | {u'memory_mb': u'1024', u'cpu_arch': u'x86_64', u'local_gb': u'10', |
| | u'cpus': u'1'} |
| maintenance | False |
| driver_info | {u'pxe_
| | u'ipmi_
| | u'ipmi_address': u'9.9.9.9', u'ipmi_password': u'password', |
| | u'pxe_deploy_
| extra | {} |
| last_error | None |
| created_at | 2014-12-
| target_
| driver | pxe_ipmitool |
| updated_at | 2014-12-
| instance_info | {u'ramdisk': u'b30a4441-
| | '490b7edd-
| | u'image_source': u'8d860e96-
| | u'2AX7KT8DXGU39
| chassis_uuid | |
| provision_state | wait call-back |
| reservation | None |
| power_state | power on |
| console_enabled | False |
| uuid | b0860248-
+------
[root@rhel7-vm ~]#
Log file will not show the password - 'ipmi_password': '<SANITIZED>'
So can we hide the password on the ironic client side?
summary:
- ironic node-show show the plain text password
+ ironic node-show expose the ipmi password
summary:
- ironic node-show expose the ipmi password
+ security issue - ironic node-show expose the ipmi password
Changed in ironic:
assignee: nobody → Zhenzan Zhou (zhenzan-zhou)
Changed in ironic:
milestone: none → kilo-2
Changed in ironic:
assignee: Zhenzan Zhou (zhenzan-zhou) → Devananda van der Veen (devananda)
Changed in ironic:
status: Fix Committed → Fix Released
Changed in ironic:
milestone: kilo-2 → 2015.1.0
This is a known problem, and the proper solution is probably to implement some kind of access policy showing/hiding credentials to certain users.
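
The masking the report asks for, combined with the access-policy idea from the comment above, as an added example that is not Ironic's own code. `node_for_display`, the `show_secrets` flag, the key-fragment list and the sample node are assumptions made for illustration.

```python
import copy

# Constructed sample modelled on the node-show output above (placeholder values).
SAMPLE_NODE = {
    "uuid": "NODE-UUID-PLACEHOLDER",
    "driver": "pxe_ipmitool",
    "driver_info": {
        "ipmi_address": "9.9.9.9",
        "ipmi_username": "admin",
        "ipmi_password": "password",
    },
    "instance_info": {"image_source": "IMAGE-UUID-PLACEHOLDER"},
    "extra": {},
}

MASK = "<SANITIZED>"  # same marker the report says the log file uses
# Assumption: key-name fragments that mark a value as a credential.
SECRET_FRAGMENTS = ("password", "secret", "token", "key")


def _is_secret(key):
    return any(frag in str(key).lower() for frag in SECRET_FRAGMENTS)


def _mask(value):
    """Recursively mask values stored under credential-like keys."""
    if isinstance(value, dict):
        return {k: (MASK if _is_secret(k) and v not in (None, "") else _mask(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_mask(v) for v in value]
    return value


def node_for_display(node, show_secrets=False):
    """Return a copy of the node that is safe to send to the caller.

    show_secrets is a hypothetical flag set by an access-policy check;
    it defaults to False so a forgotten check hides credentials.
    """
    shown = copy.deepcopy(node)  # never mutate the stored record
    if show_secrets:
        return shown
    for field in ("driver_info", "instance_info"):
        shown[field] = _mask(shown.get(field, {}))
    return shown
```

Masking in the API response rather than in the client means every consumer of the API gets the sanitized view, not only the `ironic` CLI.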