Adding validation and error message for safely rejecting keystone passwords with single and double quotation marks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Low | Tae Park |
Bug Description
Brief Description
Ansible bootstrap fails to handle passwords that contain quotation marks, such as single or double quotes, for keystone's user password.
Keystone requires that the user password be at least seven characters long and contain at least:
one lower-case character
one upper-case character
one numeric character
one special character
The password regex rule present on /etc/keystone/
According to Keystone password requirements, passwords with values similar to L!n69ux'" or M@n0"'el or St@rlinx'2" are accepted. If one of those passwords containing one occurrence of a single or a double quote and 'dcmanager subcloud add --bootstrap-address ${subcloud_
The first role to fail is store-passwd: as the double quote characters are required to be string-escaped, the Python scripts in the tasks named "Validate admin password" and "Store admin password" exited with errors when trying to store the password string value. These tasks can be fixed as suggested in the system outputs reported in this comment.
When the ansible bootstrap is issued again, the task "Wait for service endpoints reconfiguration to complete" from the persist-config role leads to another failure. This task requires that a file be present in a specific directory so it can be marked as passed. This file is expected to be created by puppet after the service endpoints are correctly reconfigured. This has a timeout of around 45 minutes. If the required file is manually created, the task is marked as passed and the system bootstrap procedure continues. Then, the bootstrap fails when it reaches "Add loopback interface" from bringup-
Standalone systems are also vulnerable to this type of problem, since it can be reproduced in a system bootstrap scenario. The comments section of CGTS-48790 has outputs that may help to understand this bug scenario.
Severity
Minor
Steps to Reproduce
In a running DC system with active enabled available status, change SystemController keystone password to a value similar to L!n34ux('" following the steps described at https:/
Bootstrap a system with admin_password similar to L!n34ux('" addressed at localhost.yml and observe that the bootstrap fails.
More information related to this at CGTS-48790.
Expected Behavior
Ansible bootstrap should be completed successfully.
Actual Behavior
Ansible bootstrap fails while handling keystone's user password.
Reproducibility
100% reproducible
System Configuration
Distributed Cloud
Load info (eg: 2022-03-
SW_VERSION="23.09"
BUILD_DATE=
BUILD_DIR=
Last Pass
N/A
Timestamp/Logs
Please check the comments section of CGTS-48790.
Alarms
N/A
Test Activity
Developer Testing
Workaround
Workaround is to use a password that doesn't use quotation marks.
Changed in starlingx: | |
status: | New → In Progress |
Changed in starlingx: | |
assignee: | nobody → Tae Park (tparkwr) |
Changed in starlingx: | |
importance: | Undecided → Low |
tags: | added: stx.9.0 stx.config stx.security |
Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/895206
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/049b9863047892cd67e5fdb93d98ebb2b3d0773c
Submitter: "Zuul (22348)"
Branch: master
commit 049b9863047892cd67e5fdb93d98ebb2b3d0773c
Author: Tae Park <email address hidden>
Date: Thu Sep 14 14:21:07 2023 -0400
Extra condition added to password validation
The presence of quotation marks (single or double) causes issues with
certain commands run within the bootstrap. As such, adding extra
validation during "Validate admin password" task in bootstrap so that
allowed password patterns that include single quotes and double quotes
are rejected. Error message for the task also indicates as such. In
particular, this aims to stop issues caused by syntax issues created
from passwords being handled in plaintext.
Test Plan:
PASS: admin passwords that include single or double quote characters
should be rejected in bootstrap
PASS: error message for "Fail if provided admin password does not meet
required complexity" task should indicate those characters are not
allowed.
PASS: passwords without any quotation marks, and passing all other
existing rules should pass the bootstrap without any issues
Partial-bug: 2035982
Change-Id: I59435417172f661799dce37fee02489bb2229351
Signed-off-by: Tae Park <email address hidden>
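As an added illustration of the validation the commit message describes (this is not the playbook's own task code), combined with the Keystone complexity rules listed in the bug description: a Python check that applies the complexity rules first and then rejects any password containing a single or double quote, returning the error message the task would report. The regex patterns and function names are assumptions; the actual rule in /etc/keystone/ is not on the page.

```python
import re

# Keystone complexity rules as stated in the bug report: at least seven
# characters, with one lower-case, one upper-case, one numeric and one
# special character. The real regex is not on the page; these patterns are
# an assumed equivalent constructed for illustration.
MIN_LEN = 7
COMPLEXITY_CHECKS = {
    "lower-case character": re.compile(r"[a-z]"),
    "upper-case character": re.compile(r"[A-Z]"),
    "numeric character": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

# Extra condition from the fix: the password is handed to commands in
# plaintext, so quotation marks break their quoting. Reject them outright.
FORBIDDEN_CHARS = ("'", '"')


def missing_complexity_rules(password: str) -> list:
    """Names of the Keystone rules the password does NOT satisfy (assumed helper)."""
    missing = []
    if len(password) < MIN_LEN:
        missing.append(f"at least {MIN_LEN} characters")
    for name, rx in COMPLEXITY_CHECKS.items():
        if not rx.search(password):
            missing.append(f"one {name}")
    return missing


def validate_admin_password(password: str) -> tuple:
    """Return (ok, message), mirroring the 'Validate admin password' task (assumed name)."""
    missing = missing_complexity_rules(password)
    if missing:
        return False, "password must contain " + ", ".join(missing)
    found = [c for c in FORBIDDEN_CHARS if c in password]
    if found:
        # The fix's new condition: complexity is fine, but quotes are not allowed.
        return False, "password must not contain single or double quotation marks"
    return True, "ok"


if __name__ == "__main__":
    # Sample values taken from the bug report plus one quote-free variant.
    for pw in ("L!n69ux'\"", "M@n0\"'el", "St@rlinx'2\"", "L!n69ux2"):
        print(repr(pw), validate_admin_password(pw))
```

The three passwords quoted in the bug report satisfy every complexity rule and are rejected only by the new quotation-mark condition, which is the gap the fix closes.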