Hard-coded passwords found in Puppet scripts

Bug #1785529 reported by Akond Rahman
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
New
Undecided
Unassigned

Bug Description

Detailed bug description:

I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.

Feedback is welcome.

I noticed hard-coded passwords in the following scripts:

fuel-library/deployment/puppet/fuel/examples/host.pp
fuel-library/deployment/puppet/fuel/manifests/params.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic_compute.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
fuel-library/deployment/puppet/openstack/manifests/cinder.pp
fuel-library/deployment/puppet/openstack/manifests/network/neutron_agents.pp
fuel-library/deployment/puppet/openstack/tests/all.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/ssh.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/common.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/gbp_and_apic_gbp.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/generic_apic_ml2.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_apic.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_auth.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
fuel-plugin-external-zabbix/deployment_scripts/puppet/modules/plugin_zabbix/manifests/db/mysql.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-compute.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/cgi.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/params.pp
fuel-plugin-scaleio/deployment_scripts/puppet/manifests/cinder.pp

Impact:
Hard-coded passwords in source code files is a bad practice

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Hi Akond,
I appreciate your research.
Fuel library is no longer maintained project and was deprecated in 2017. As deprecated project is is unlikely that Fuel library receive any further updates from the OpenStack community.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.