openstack-ansible-security task fails if user has no shadow data

Bug #1659232 reported by Ingemar Fällman
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Low
Assigned to: Major Hayden
Milestone: (none)

Bug Description

My management nodes are part of a Kerberos realm, so when the user data for these users are fetched (get_users), the shadow information is undefined.

This will cause the RHEL-07-010230 task to fail on https://github.com/openstack/openstack-ansible-security/blob/master/tasks/rhel7stig/auth.yml#L151 since user['shadow']['max_days'] is undefined.

My workaround is to skip the RHEL-07-010230 tag:

openstack-ansible setup-hosts.yml --skip-tags RHEL-07-010230

Major Hayden (rackerhacker) wrote :

Thanks for the bug, Ingemar! I forgot to consider that situation.

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
status: New → Confirmed
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/481220

Changed in openstack-ansible:
status: Confirmed → In Progress
Major Hayden (rackerhacker) wrote :

Sorry for the long delay in getting this fixed, Ingemar. Does this patch work for you?

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/481220
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=d031846d3485a41689eb0493873306b424dbdae4
Submitter: Jenkins
Branch: master

commit d031846d3485a41689eb0493873306b424dbdae4
Author: Major Hayden <email address hidden>
Date: Thu Jul 6 15:11:58 2017 -0500

    Skip shadow checks for users w/o shadow data

    Users that are attached to a Kerberos realm do not have shadow data
    on the system. This breaks two accounts-related tasks.

    This patch causes Ansible to skip over any users that do not have
    shadow data on the system. Without this patch, the playbook fails
    with an error.

    Closes-Bug: 1659232
    Change-Id: Ibbd275681e65ba7ccfc4477caa499247ed052649

Changed in openstack-ansible:
status: In Progress → Fix Released
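
The failure mode and the skip behaviour discussed in this report, as an added example that is not the ansible-hardening patch or the project's own code: a Python check over constructed passwd and shadow data that skips users with no shadow entry instead of failing on them. The function names, the sample accounts and the 60-day limit are assumptions made for illustration.

```python
# Constructed sample data. "alice" is a Kerberos realm user with no shadow entry.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000::/home/bob:/bin/bash
carol:x:1001:1001::/home/carol:/bin/bash
alice:*:20001:20001::/home/alice:/bin/bash
"""
SHADOW = """\
root:!constructed:17000:0:99999:7:::
bob:!constructed:17000:1:60:7:::
carol:!constructed:17000:1::7:::
"""
MAX_DAYS_LIMIT = 60  # assumed policy threshold, not taken from the page

def parse_shadow(text):
    """Map user name -> ageing fields; an empty field means 'not set'."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 5:
            entries[fields[0]] = {
                "min_days": int(fields[3]) if fields[3] else None,
                "max_days": int(fields[4]) if fields[4] else None,
            }
    return entries

def load_users(passwd_text, shadow_text):
    """Build user dicts; 'shadow' is None when no shadow entry exists."""
    shadow = parse_shadow(shadow_text)
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            users.append({"name": fields[0], "shadow": shadow.get(fields[0])})
    return users

def audit_max_days(users, limit=MAX_DAYS_LIMIT):
    """Return (violations, skipped). Unguarded user['shadow']['max_days']
    would raise on alice; skipped names are reported, not silently passed."""
    violations, skipped = [], []
    for user in users:
        if user["shadow"] is None:
            skipped.append(user["name"])
        else:
            max_days = user["shadow"]["max_days"]
            if max_days is None or max_days > limit:
                violations.append(user["name"])
    return violations, skipped
```

Returning the skipped names separately keeps realm-managed accounts visible in the audit output, since local shadow ageing does not apply to them.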
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.0.0rc2

This issue was fixed in the openstack/ansible-hardening 16.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 17.0.0.0b1

This issue was fixed in the openstack/ansible-hardening 17.0.0.0b1 development milestone.
