commit dc0dad97737dcd0dadd1a56eb094cd76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700
Mask instance secrets in API responses
This change adds a new policy setting, "show_instance_secrets", whose
behavior mirrors that of the existing "show_passwords" policy setting.
Whereas "show_passwords" has historically blocked all sensitive
information from the node's driver_info field, the new setting blocks
all sensitive information from the node's instance_info field, including
image_url.
The name of the old setting, "show_passwords", is not being changed at
this time because such a change is not backwards-compatible. Instead,
the documentation string for this setting has been changed to clarify
what it does. Note that the behavior has not actually changed.
Note that this change moves the policy.check("show_password") call from
the Pecan hook into the API's Nodes() class, where the
policy.check("show_instance_secrets") is also added. This makes the code
a little cleaner and more maintainable, especially if we want to add any
more checks like this in the future.
As a result of this cleanup, the ironic-specific
RequestContext.show_password property is removed.
Reviewed: https:/ /review. openstack. org/326768 /git.openstack. org/cgit/ openstack/ ironic/ commit/ ?id=dc0dad97737 dcd0dadd1a56eb0 94cd76207229f0
Committed: https:/
Submitter: Jenkins
Branch: master
commit dc0dad97737dcd0 dadd1a56eb094cd 76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700
Mask instance secrets in API responses
This change adds a new policy setting, "show_instance_ secrets" , whose
behavior mirrors that of the existing "show_passwords" policy setting.
Whereas "show_passwords" has historically blocked all sensitive
information from the node's driver_info field, the new setting blocks
all sensitive information from the node's instance_info field, including
image_url.
The name of the old setting, "show_passwords", is not being changed at compatible. Instead,
this time because such a change is not backwards-
the documentation string for this setting has been changed to clarify
what it does. Note that the behavior has not actually changed.
Note that this change moves the policy. check(" show_password" ) call from check(" show_instance_ secrets" ) is also added. This makes the code
the Pecan hook into the API's Nodes() class, where the
policy.
a little cleaner and more maintainable, especially if we want to add any
more checks like this in the future.
As a result of this cleanup, the ironic-specific ext.show_ password property is removed.
RequestCont
Partial-bug: #1530972
Partial-bug: #1526752
Related-bug: #1613903
Change-Id: I48493c53971cda b3b9122897e5132 2e19ce2f600