encrypted_param_names should be internal only data

Bug #1590507 reported by Steven Hardy
Affects: OpenStack Heat
Status: Fix Released
Importance: Medium
Assigned to: Steven Hardy

Bug Description

Currently we store encrypted_param_names inside the environment.Environment object, and we also return it as part of user_env_as_dict, which means it's returned e.g. via openstack stack environment show (current heatclient filters it, but it's there in the API response).

Also, it means we pass it from parent to nested stacks (which is wrong, because it's derived from the parent parameters tagged as hidden), and any remote stacks.

Instead we should only store it and access it internally - anything which is passed to/via a user-facing (or RPC) API should only use the user-allowed environment keys.

Long term we may want to consider storing it somewhere else, but for now we just need to decouple "user_env" from the entire env as stored in the DB.
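
The separation described in the report above, as an added Python sketch (not part of the original report and not Heat's own code): one view of the environment for the DB, and an allow-listed view for API responses, nested stacks and RPC. The `Env` class, `child_env` helper, the `USER_KEYS` allow-list and the choice to reject unknown keys are assumptions made for illustration; only `encrypted_param_names` and `user_env_as_dict` are names taken from the report.

```python
import copy

# Assumed allow-list of user-settable keys for this sketch.
USER_KEYS = ("parameters", "parameter_defaults", "resource_registry")
INTERNAL_KEY = "encrypted_param_names"  # derived from hidden parameters, DB-only


class Env:
    """Hypothetical stand-in for an environment object; not Heat's class."""

    def __init__(self, user_env=None, encrypted_param_names=()):
        user_env = user_env or {}
        bad = sorted(set(user_env) - set(USER_KEYS))
        if bad:
            raise ValueError("not valid in a user environment: %s" % bad)
        self._user = {k: copy.deepcopy(user_env.get(k, {})) for k in USER_KEYS}
        self.encrypted_param_names = list(encrypted_param_names)

    @classmethod
    def from_db(cls, stored):
        """Only the DB load path may carry the internal key."""
        stored = dict(stored)
        names = stored.pop(INTERNAL_KEY, [])
        return cls(stored, names)

    def user_env_as_dict(self):
        """View for API responses, nested stacks and RPC calls."""
        return copy.deepcopy(self._user)

    def env_as_dict(self):
        """Full view, for DB storage only."""
        full = self.user_env_as_dict()
        full[INTERNAL_KEY] = list(self.encrypted_param_names)
        return full


def child_env(parent, child_params):
    """Build a nested stack's environment from the parent's user view."""
    data = parent.user_env_as_dict()
    data["parameters"] = dict(child_params)
    return Env(data)


# Constructed sample row: the parent has one hidden parameter.
STORED = {
    "parameters": {"db_password": "<ciphertext>", "flavor": "m1.small"},
    "parameter_defaults": {},
    "resource_registry": {},
    INTERNAL_KEY: ["db_password"],
}
```

A regression test for this class of bug asserts on the outbound payload itself (API response body, RPC arguments), since a client that filters the key hides the leak rather than removing it.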

Steven Hardy (shardy)
Changed in heat:
assignee: nobody → Steven Hardy (shardy)
status: New → Triaged
milestone: none → newton-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/327275

Changed in heat:
status: Triaged → In Progress
Zane Bitter (zaneb)
Changed in heat:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/327275
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=b47c00255611986b7b347d8e630a7fc9cd1213c0
Submitter: Jenkins
Branch: master

commit b47c00255611986b7b347d8e630a7fc9cd1213c0
Author: Steven Hardy <email address hidden>
Date: Wed Jun 8 19:15:51 2016 +0100

    Keep encrypted_param_names environment internal to heat

    Currently this is reflected in the user_env_as_dict output, which means
    not only is it stored in the DB (which we want), but also passed around
    to nested stack (which we don't want because it's derived from the parent
    stack hidden parameters), and also to the user via stack environment show
    (the API returns it but heatclient currently hides it), which we also don't
    want because it's not a valid key in user-provided environments.

    Change-Id: If5821ccb4a8bbf98012a2541ddd3c8e91455e5cc
    Closes-Bug: #1590507

Changed in heat:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/heat 7.0.0.0b2

This issue was fixed in the openstack/heat 7.0.0.0b2 development milestone.
