[ldap][security] not encrypted ldap passwords in puppet log

Bug #1658655 reported by Ruslan Khozinov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel Plugins | Fix Committed | Undecided | Nikita Karpin | |
| Fuel for OpenStack | Won't Fix | High | Nikita Karpin | |
| Mitaka | Fix Released | High | Nikita Karpin | |

Bug Description

ldap 3.3.0.0

http://mirror.fuel-infra.org/mos-plugins/centos/9.1/ldap-3.0-3.0.0-1.noarch.rpm

2017-01-20 10:44:20 +0000 /Stage[main]/Plugin_ldap::Controller/Plugin_ldap::Multiple_domain[domain=openldap2
    url=ldap://176.74.221.81
    suffix=dc=openldap2,dc=tld
    user=cn=admin,dc=openldap2,dc=tld
    password=1111
    query_scope=sub
    user_tree_dn=dc=openldap2,dc=tld
    user_objectclass=inetOrgPerson
    user_id_attribute=cn
    user_name_attribute=sn
    user_pass_attribute=userPassword
    user_enabled_attribute=enabled
    user_allow_create=False
    user_allow_update=False
    user_allow_delete=False
    user_filter=
    group_tree_dn=dc=openldap2,dc=tld
    group_objectclass=groupOfNames
    group_id_attribute=cn
    group_name_attribute=cn
    group_desc_attribute=description
    group_member_attribute=member
    group_allow_create=False
    group_allow_update=False
    group_allow_delete=False
    group_filter=
    ldap_proxy=false
    use_tls=False
    domain=AD2
    url=ldap://176.74.221.85
    user=cn=admin,cn=Users,dc=keystone2,dc=tld
    group_id_attribute=cn
    group_objectclass=group
    user_objectclass=person
    user_name_attribute=cn
    password=qwerty123!
    user_allow_delete=False
    group_allow_create=False
    user_tree_dn=dc=keystone2,dc=tld
    user_pass_attribute=userPassword
    user_enabled_attribute=enabled
    user_allow_create=False
    user_allow_update=False
    group_tree_dn=dc=keystone2,dc=tld
    group_desc_attribute=description
    user_filter=
    group_allow_update=False
    group_filter=
    suffix=dc=keystone2,dc=tld
    group_member_attribute=member
    group_allow_delete=False
    use_tls=False
    query_scope=sub
    group_name_attribute=cn
    user_id_attribute=cn
    ldap_proxy=false]/Plugin_ldap::Keystone[{"domain"=>"openldap2", " url"=>"ldap://176.74.221.85", " suffix"=>"dc=keystone2,dc=tld", " user"=>"cn=admin,cn=Users,dc=keystone2,dc=tld", " password"=>"qwerty123!", " query_scope"=>"sub", " user_tree_dn"=>"dc=keystone2,dc=tld", " user_objectclass"=>"person", " user_id_attribute"=>"cn", " user_name_attribute"=>"cn", " user_pass_attribute"=>"userPassword", " user_enabled_attribute"=>"enabled", " user_allow_create"=>"False", " user_allow_update"=>"False", " user_allow_delete"=>"False", " user_filter"=>"", " group_tree_dn"=>"dc=keystone2,dc=tld", " group_objectclass"=>"group", " group_id_attribute"=>"cn", " group_name_attribute"=>"cn", " group_desc_attribute"=>"description", " group_member_attribute"=>"member", " group_allow_create"=>"False", " group_allow_update"=>"False", " group_allow_delete"=>"False", " group_filter"=>"", " ldap_proxy"=>"false", " use_tls"=>"False", " domain"=>"AD2"}['domain']]/Keystone_config[openldap2/identity/driver]/ensure (notice): created
2017-01-20 10:44:20 +0000

Changed in fuel:
milestone: none → 9.2
Changed in fuel-plugins:
milestone: none → 9.0
summary: - [ldap] not encrypted password in puppet log
+ [ldap] not encrypted ldap password in puppet log
summary: - [ldap] not encrypted ldap password in puppet log
+ [ldap] not encrypted ldap passwords in puppet log
summary: - [ldap] not encrypted ldap passwords in puppet log
+ [ldap][security] not encrypted ldap passwords in puppet log
Nikita Karpin (mkarpin)
description: updated
Nikita Karpin (mkarpin)
Changed in fuel-plugins:
assignee: nobody → Nikita Karpin (mkarpin)
Changed in fuel:
assignee: nobody → Nikita Karpin (mkarpin)
Changed in fuel:
importance: Undecided → High
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-ldap (master)

Fix proposed to branch: master
Review: https://review.openstack.org/425801

Changed in fuel-plugins:
status: New → In Progress
Nikita Karpin (mkarpin)
Changed in fuel:
status: Confirmed → In Progress
Roman Vyalov (r0mikiam)
Changed in fuel:
status: In Progress → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-ldap (master)

Reviewed: https://review.openstack.org/425801
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-ldap/commit/?id=7cf2e0f36ee174796f15d6e0cbcbfdaef55d4fe3
Submitter: Jenkins
Branch: master

commit 7cf2e0f36ee174796f15d6e0cbcbfdaef55d4fe3
Author: Mykyta Karpin <email address hidden>
Date: Thu Jan 26 19:27:27 2017 +0200

    Rewrite additional domains generation

    This patch makes use of Puppet native function
    create_resources() in order to generate
    Keystone domain resources from hash
    provided by parce_it() function.

    This approach required modification of parce_it()
    function so it can parse list of additional domains strings
    and generate a hash in form of:

    domain1_name => { property1 => value1,
                      property2 => value2,
                      .....
                      propertyx => valuex },
    domain2_name => { property1 => value1,
                      property2 => value2,
                      .....
                      propertyx => valuex },
    .....and so on

    This form of hash is suitable to be taken by create_resources()
    function. Puppet define plugin_ldap::multiple_domain
    was also modified to comply with create_resources()
    function.

    Change-Id: I14321af5efa18f1381a51668ed1c5c50c06a0002
    Closes-Bug: #1658655

Changed in fuel-plugins:
status: In Progress → Fix Committed
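
In the log excerpt in the bug description, the text between the brackets of `Plugin_ldap::Multiple_domain[...]` is the entire domain string, bind password included. The following Ruby is an added example, not the plugin's `parce_it()` code: it builds the hash shape the commit message describes, keyed by domain name, so that only the name can become a resource title. The helper names, the `[REDACTED]` marker, the sample values and the rule that each domain starts at a `domain=` line are assumptions.

```ruby
# Added illustration; not the plugin's parce_it() implementation.
# Assumption: each domain is a run of key=value lines opened by "domain=".
SENSITIVE_KEYS = %w[password].freeze

# Turn the raw multi-domain text into { domain_name => { key => value } }.
def domains_to_hash(text)
  domains = {}
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty?
    key, value = line.split('=', 2) # values such as DNs contain '='
    raise ArgumentError, "not key=value: #{line.inspect}" if value.nil?
    if key == 'domain'
      raise ArgumentError, "duplicate domain #{value}" if domains.key?(value)
      current = domains[value] = {}
    elsif current.nil?
      raise ArgumentError, "#{key} appears before any domain= line"
    else
      current[key] = value
    end
  end
  domains
end

# Resource titles end up in the Puppet log path, so they are built from
# the hash keys (domain names) only, never from the property values.
def resource_titles(domains)
  domains.keys.map { |name| "Plugin_ldap::Multiple_domain[#{name}]" }
end

# Copy of the hash that is safe to print in debug output.
def redacted(domains)
  domains.transform_values do |props|
    props.map { |k, v| [k, SENSITIVE_KEYS.include?(k) ? '[REDACTED]' : v] }.to_h
  end
end

# Constructed sample input (placeholder values, not taken from the report).
SAMPLE = <<~TEXT
  domain=example1
  url=ldap://192.0.2.10
  user=cn=admin,dc=example1,dc=tld
  password=placeholder-secret-1
  domain=example2
  user=cn=admin,cn=Users,dc=example2,dc=tld
  password=placeholder-secret-2
TEXT
```
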