Heat stack 'hidden' and heat.conf 'encrypt_parameters_and_properties' settings are not honored
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Yoga | Fix Released | Undecided | Unassigned |
Zed | Fix Released | Undecided | Unassigned |
heat (Ubuntu) | Fix Released | High | Unassigned |
Jammy | Fix Released | High | Unassigned |
Kinetic | Fix Released | High | Unassigned |
Lunar | Fix Released | High | Unassigned |
Bug Description
[Impact]
This is a potential security vulnerability. The upstream story has been marked as 'Vulnerability or Security-related' and is awaiting security triage: https:/
[Test Case]
After a stack is created using:
    openstack stack create --parameter password=test123 -t simple_
where 'simple_
parameter as below:
    password:
      type: string
      hidden: true
      description: The password
'hidden' is honored when you run:
    openstack stack show my_simple_stack | grep password
    | | password: '******'
but that's not the case for the below command, as the API returns the
'hidden' parameter in plain text:
    openstack stack environment show my_simple_stack3 | grep password
    password: test123
This behavior is observed in Focal/Ussuri and Jammy/Yoga and happens
regardless of the user role used. Namely, two users with either the reader
or member role (admin as well, but this may be by design) face the same
issue. For example, if user1 created the stack, both user1 and user2
(a user with either the reader or admin role assigned) see the plain-text
value described above.
Also, it doesn't matter whether heat.conf contains
'encrypt_
regardless of the value for this parameter.
Reproducer:
-----------
1. Create a simple stack where a 'hidden' parameter is used.
2. Run 'openstack stack show <stack-id>'; the hidden parameter will
appear masked.
3. Run 'openstack stack environment show <stack-id>'; the hidden
parameter will appear in plain text.
4. Add 'encrypt_
restart the heat services.
5. Repeat steps 1-3; the issue should be reproduced.
6. Set the option from step 4 to 'false' and repeat steps 1-3; the issue
should be reproduced.
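A small check an operator can run against the two outputs from the reproducer to confirm whether a deployment still returns hidden parameters unmasked. This is an added example, not code from the bug report or from Heat; it assumes the JSON shapes produced by 'openstack stack template show -f json' and 'openstack stack environment show -f json', and the sample data below is constructed, not captured from a real cloud.

```python
"""Check whether a Heat stack's environment exposes parameters the template marks 'hidden'."""
import json
from typing import Dict, List

# Heat substitutes this mask for hidden parameter values in 'openstack stack show'.
MASK = "******"


def hidden_parameter_names(template: Dict) -> List[str]:
    """Names of parameters declared with 'hidden: true' in a HOT template."""
    params = template.get("parameters") or {}
    return sorted(name for name, spec in params.items()
                  if isinstance(spec, dict)
                  and spec.get("hidden") in (True, "true", "True"))


def leaked_hidden_parameters(template: Dict, environment: Dict) -> List[str]:
    """Hidden parameters whose value the environment output returns unmasked.

    Only the names are returned, so the result can be logged without
    copying the secret values themselves into log output.
    """
    env_params = environment.get("parameters") or {}
    return [name for name in hidden_parameter_names(template)
            if name in env_params and str(env_params[name]) != MASK]


# Constructed sample data (not from a real deployment) shaped like the JSON output of
# 'openstack stack template show -f json' and 'openstack stack environment show -f json'
# for a stack created as in the bug report.
SAMPLE_TEMPLATE = json.loads("""{
  "heat_template_version": "2018-08-31",
  "parameters": {
    "password": {"type": "string", "hidden": true, "description": "The password"},
    "flavor":   {"type": "string", "default": "m1.small"}
  },
  "resources": {}
}""")

SAMPLE_ENVIRONMENT = json.loads("""{
  "parameters": {"password": "test123", "flavor": "m1.small"},
  "resource_registry": {}
}""")

if __name__ == "__main__":
    leaked = leaked_hidden_parameters(SAMPLE_TEMPLATE, SAMPLE_ENVIRONMENT)
    if leaked:
        print("hidden parameters returned in plain text:", ", ".join(leaked))
    else:
        print("all hidden parameters are masked")
```

Feed the two commands' real JSON output into the two functions to verify a patched deployment; an empty result means the environment API no longer exposes hidden values.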
[Regression Potential]
This changes the behavior of the API. If software depends on a hidden parameter being returned, the code will need to update the parameter to not be hidden.
Changed in heat (Ubuntu Jammy): | |
status: | New → Triaged |
Changed in heat (Ubuntu Kinetic): | |
status: | New → Triaged |
Changed in heat (Ubuntu Lunar): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in heat (Ubuntu Kinetic): | |
importance: | Undecided → High |
Changed in heat (Ubuntu Jammy): | |
importance: | Undecided → High |
Changed in heat (Ubuntu Lunar): | |
status: | Triaged → Fix Released |
Patches: https://review.opendev.org/q/Ifc51ff6a4deab05002ccded59383416f9a586aa0