UI corrupting Physical router netconf credentials

Bug #1689740 reported by amit surana
Affects              Status          Importance   Assigned to        Milestone
Juniper Openstack    (status tracked in Trunk)
  R3.2               Fix Committed   Medium       Biswajit Mandal
  R4.0               Fix Committed   Medium       Biswajit Mandal
  Trunk              Fix Committed   Medium       Biswajit Mandal

Bug Description

If, after configuring the PR netconf credentials, a VN property is changed (or a new VN is extended), then DM fails to push the config due to an auth failure. The UI is reconfiguring the PR netconf password to the string '**Password Hidden**'.

05/09/2017 11:46:23 PM [contrail-api]: ContrailConfigTrace: data = << name = h1droid elements = { bgp_router_refs : [{"to": ["default-domain", "default-project", "ip-fabric", "__default__", "h1droid"], "attr": null, "uuid": "1c6cb713-835b-4407-ae47-ca0b793c2765"}]display_name : "h1droid"fq_name : ["default-global-system-config", "h1droid"]id_perms : {"enable": true, "uuid": {"uuid_mslong": 14987081674064940689, "uuid_lslong": 9308201530556790044}, "created": "2017-05-09T10:21:43.872869", "description": null, "creator": null, "user_visible": true, "last_modified": "2017-05-10T06:46:23.865282", "permissions": {"owner": "admin", "owner_access": 7, "other_access": 7, "group": "KeystoneAdmin", "group_access": 7}}parent_type : "global-system-config"parent_uuid : "acce1c23-cdb0-4592-b882-3c8831e8b50a"perms2 : {"owner": "65e7197ffad44c73a5cdcdec83eb00cb", "owner_access": 7, "global_access": 0, "share": []}physical_interfaces : [{"to": ["default-global-system-config", "h1droid", "xe-3/3/3"], "uuid": "68d7d83d-49f9-4a1b-9997-d269bedc4a39"}]physical_router_dataplane_ip : ""physical_router_junos_service_ports : {"service_port": ["si-3/0/0"]}physical_router_loopback_ip : "172.16.86.200"physical_router_management_ip : "10.87.128.59"physical_router_product_name : "mx"physical_router_user_credentials : {"username": "root", "password": "**Password Hidden**"}physical_router_vendor_name : "juniper"physical_router_vnc_managed : trueuuid : "cffccf60-aa68-4e91-812d-5ff99e95b51c"virtual_network_refs : [{"to": ["default-domain", "admin", "dm-vn-4"], "attr": null, "uuid": "423791b1-f6f0-4070-83e8-6c76d6b13f05"}, {"to": ["default-domain", "symantecTenant10", "tenant10.test_id1.Private_SNAT_VN0"], "attr": null, "uuid": "8cc45d72-8154-4481-9259-0c32de25185e"}, {"to": ["default-domain", "admin", "dm-vn-2"], "attr": null, "uuid": "8d07b296-569e-4e1e-ae60-64609f7e7aae"}, {"to": ["default-domain", "symantecTenant10", "tenant10.test_id1.Private_LB_VIP_VN0"], "attr": null, "uuid": 
"ecbd4291-3fde-436e-8336-78016c0dc80d"}, {"to": ["default-domain", "symantecTenant10", "tenant10.test_id1.Private_LB_Pool_VN0"], "attr": null, "uuid": "85932f7b-52c2-44ef-b579-a0048a8fc1f7"}, {"to": ["default-domain", "symantecTenant10", "tenant10.test_id1.SNAT_GW_VN0"], "attr": null, "uuid": "9d4d6c11-181c-4d7d-9e99-ed16ff22ca50"}, {"to": ["default-domain", "symantecTenant10", "tenant10.test_id1.Public_FIP_VN0"], "attr": null, "uuid": "08aa106e-5bc7-440e-b30b-42ef8fcd1396"}, {"to": ["default-domain", "symantecTenant10", "tenant10.test_id1.Private_SNAT_VN1"], "attr": null, "uuid": "ebd4fe8b-bb88-44b5-ac53-683a1840daca"}, {"to": ["default-domain", "admin", "dm-vn-5"], "attr": null, "uuid": "a120f0de-843c-431e-9ffa-b1a1d96038c4"}, {"to": ["default-domain", "admin", "MGMT"], "attr": null, "uuid": "2b41d897-0d56-4551-a7ba-be4bd0e2e28c"}] } deleted = False >>

Jeba Paulaiyan (jebap)
tags: added: blocker
tags: removed: blocker
Revision history for this message
Rahul (rahuls) wrote :

Amit/Sachin, this could be due to the security fix in the API server. Can you please let us know which branches the security checkins went into?

Revision history for this message
Manoj (manojgn) wrote :

This issue seems to be happening only when we are using the Config Editor for editing the physical router. The regular ui page under Config -> Physical Devices-> Physical Routers page seems to be working fine.

Lowering the priority.

Rahul (rahuls)
tags: added: api config
Revision history for this message
Rahul (rahuls) wrote :

1. UI does a physical-routers detail=true call. In such a call, initially the original netconf password is displayed. This defeats the security fix.

2. If the user does an HTTP GET on the particular physical-router object, then the netconf password is sent by the API server as "**Hidden Password".

3. In a multi-node setup, with detail=true for physical-routers, the API server where the particular GET is done shows the password as Hidden Password, but the API server on which the particular GET isn't done shows the password as the one originally set by the user.

4. UI does a diff before posting objects to the API server, but due to the inconsistent values returned by different API servers, this diff logic fails.

============================================================
A) DM can discard conf update for username/password if it sees "Hidden Password"
B) API server should be consistent in the value it sends to clients for netconf password.
     - With this the security flaw will be completely fixed
     - Any client dependent on API server for diff logic will not update "Hidden Password" on API server.
C) API server can discard the field update for password if it is "Hidden Password". The same might occur with scripts too.
D) UI can try to discard netconf credentials set to API server if "Hidden Password" is being sent.

tags: added: blocker
Revision history for this message
Sachin Bansal (sbansal) wrote :

I will reopen bug 1659700 to suppress password in list API. This should take care of item B in comment #3.

Item A is not practical. DM cannot reject username/password because it might not know what the original password was.

Item C is not advisable because we don't want to hard code any special values to be ignored.

Item D may or may not be the right approach. In general, I would prefer that UI keeps track of items that have been modified by the user instead of calculating diffs. I will reassign this bug to UI team.
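
The failure in item 4 of comment #3 and the alternative Sachin prefers above, as an added illustration that is not part of this bug report or of contrail-web-controller's code. The records, password and helper names are constructed for the example:

```javascript
// Constructed example: a diff-based PUT that echoes the API server's password
// mask back as the new netconf password, beside a variant that sends only the
// fields the operator actually edited. All names here are hypothetical.
const PASSWORD_MASK = '**Password Hidden**';

// Two copies of the same physical router as the UI might hold them: the
// detail=true list call returned the real password, the per-object GET masked it.
const fromListCall = {
  display_name: 'h1droid',
  physical_router_management_ip: '10.87.128.59',
  physical_router_user_credentials: { username: 'root', password: 'constructed-secret' },
};
const fromObjectGet = {
  display_name: 'h1droid',
  physical_router_management_ip: '10.87.128.59',
  physical_router_user_credentials: { username: 'root', password: PASSWORD_MASK },
};

// Buggy: the PUT body is every top-level field whose value differs between the
// two copies. The masked password looks like a user change and gets pushed.
function diffBasedPut(original, edited) {
  const body = {};
  for (const key of Object.keys(edited)) {
    if (JSON.stringify(original[key]) !== JSON.stringify(edited[key])) {
      body[key] = edited[key];
    }
  }
  return body;
}

// Fixed: keep an explicit record of the fields the operator touched and send
// only those, so a value the server rewrote on read is never written back.
function trackedPut(edited, touchedFields) {
  const body = {};
  for (const key of touchedFields) {
    if (key in edited) body[key] = edited[key];
  }
  return body;
}

// Scenario from the report: the operator extends one VN and changes nothing else.
function editedCopy(base) {
  const copy = JSON.parse(JSON.stringify(base));
  copy.virtual_network_refs = [{ to: ['default-domain', 'admin', 'dm-vn-4'] }];
  return copy;
}

function buggyBody() { return diffBasedPut(fromListCall, editedCopy(fromObjectGet)); }
function fixedBody() { return trackedPut(editedCopy(fromObjectGet), ['virtual_network_refs']); }
```

With the buggy body the credentials object carries the mask string, which is exactly what DM then fails to authenticate with; the tracked body carries only the VN reference.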

Revision history for this message
Rahul (rahuls) wrote :

If #3 is fixed in the API server and all API servers return the same data, then we will not see any issues.
That is the right fix; please use this bug to track the API server issue.

Also check password update handling between API server and DAM.

Rahul (rahuls)
summary: - UI corrupting Physical router netconf credentials
+ API Server:Inconsistent netconf output from API server might lead to UI
+ corrupting Physical router netconf credentials
Revision history for this message
kratna (kratna) wrote : Re: API Server:Inconsistent netconf output from API server might lead to UI corrupting Physical router netconf credentials

I need this bug to be fixed. Workaround is causing additional ambiguities in MX config.

kratna (kratna)
tags: added: visa
Revision history for this message
Sachin Bansal (sbansal) wrote :

The problem is still seen after API server changes. We need additional changes in UI as I explained in comment #4 above.

summary: - API Server:Inconsistent netconf output from API server might lead to UI
- corrupting Physical router netconf credentials
+ UI corrupting Physical router netconf credentials
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33153
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/33229
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33153
Committed: http://github.com/Juniper/contrail-web-controller/commit/27b874ccce9bcccf241e10255aa8100cded6dd57
Submitter: Zuul (<email address hidden>)
Branch: master

commit 27b874ccce9bcccf241e10255aa8100cded6dd57
Author: Biswajit Mandal <email address hidden>
Date: Fri Jun 23 17:48:29 2017 -0700

Closes-Bug: #1689740
Before doing a PUT on prouter config while adding bgp_router_refs,
do a config diff and push the delta config.

Change-Id: I027b98c645f1f9a63ad5890ff8399c4b2f0fdcf8

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33229
Committed: http://github.com/Juniper/contrail-web-controller/commit/33ed9df254f8b57fd6f1e82b194e63d54c00fc7d
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 33ed9df254f8b57fd6f1e82b194e63d54c00fc7d
Author: Biswajit Mandal <email address hidden>
Date: Fri Jun 23 17:48:29 2017 -0700

Closes-Bug: #1689740
Before doing a PUT on prouter config while adding bgp_router_refs,
do a config diff and push the delta config.

Change-Id: I027b98c645f1f9a63ad5890ff8399c4b2f0fdcf8

Jeba Paulaiyan (jebap)
no longer affects: juniperopenstack/r3.2.3.x
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/33609
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33609
Committed: http://github.com/Juniper/contrail-web-controller/commit/58552f5e7b00ce9228eee40564fc7a0e9216ba51
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 58552f5e7b00ce9228eee40564fc7a0e9216ba51
Author: Biswajit Mandal <email address hidden>
Date: Fri Jun 23 17:48:29 2017 -0700

Closes-Bug: #1689740
Before doing a PUT on prouter config while adding bgp_router_refs,
do a config diff and push the delta config.

Change-Id: I027b98c645f1f9a63ad5890ff8399c4b2f0fdcf8
(cherry picked from commit 33ed9df254f8b57fd6f1e82b194e63d54c00fc7d)
