Ironic

  1. Bug #1526752
  2. Comment #10

Comment 10 for bug 1526752

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/326768
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=dc0dad97737dcd0dadd1a56eb094cd76207229f0
Submitter: Jenkins
Branch: master

commit dc0dad97737dcd0dadd1a56eb094cd76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700

    Mask instance secrets in API responses

    This change adds a new policy setting, "show_instance_secrets", whose
    behavior mirrors that of the existing "show_passwords" policy setting.

    Whereas "show_passwords" has historically blocked all sensitive
    information from the node's driver_info field, the new setting blocks
    all sensitive information from the node's instance_info field, including
    image_url.

    The name of the old setting, "show_passwords", is not being changed at
    this time because such a change is not backwards-compatible. Instead,
    the documentation string for this setting has been changed to clarify
    what it does. Note that the behavior has not actually changed.

    Note that this change moves the policy.check("show_password") call from
    the Pecan hook into the API's Nodes() class, where the
    policy.check("show_instance_secrets") is also added. This makes the code
    a little cleaner and more maintainable, especially if we want to add any
    more checks like this in the future.

    As a result of this cleanup, the ironic-specific
    RequestContext.show_password property is removed.

    Partial-bug: #1530972
    Partial-bug: #1526752
    Related-bug: #1613903

    Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600