configdrive contents should be obfuscated via policy setting, just like passwords
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic | Fix Released | Low | aeva black | | |
Bug Description
When deploying an instance with a configdrive, it is possible to reference a configdrive stored in Swift or to upload the binary contents of the configdrive to Ironic. In the latter case, the base64-encoded contents of the configdrive are returned with every API request for the Node resource, as they are part of node['instance_
This is problematic for a few reasons:
- configdrives often contain sensitive data, and should be treated like a password (e.g., not written to log files)
- API responses are logged by some clients, or when debug mode is enabled
- configdrive contents can be large, and this bloats the API response unnecessarily
Therefore, we should default to obfuscating the configdrive contents, regardless of whether it is a URL or a BLOB, for safety and performance, while allowing users with the appropriate (higher) access rights to still see the full contents.
Tempest also logs the API response, and this is leading to massive bloat of dsvm test logs because the configdrive contents get written hundreds of times to these log files.
We will also need a change in python-
Changed in ironic:
importance: Undecided → Low
status: New → Triaged
Changed in ironic:
assignee: nobody → Devananda van der Veen (devananda)
Changed in ironic:
status: Triaged → In Progress
Changed in ironic:
status: In Progress → Fix Committed
Changed in ironic:
status: Fix Committed → Fix Released
Reviewed: https://review.openstack.org/326768
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=dc0dad97737dcd0dadd1a56eb094cd76207229f0
Submitter: Jenkins
Branch: master
commit dc0dad97737dcd0dadd1a56eb094cd76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700
Mask instance secrets in API responses

This change adds a new policy setting, "show_instance_secrets", whose
behavior mirrors that of the existing "show_passwords" policy setting.
Whereas "show_passwords" has historically blocked all sensitive
information from the node's driver_info field, the new setting blocks
all sensitive information from the node's instance_info field, including
image_url.

The name of the old setting, "show_passwords", is not being changed at
this time because such a change is not backwards-compatible. Instead,
the documentation string for this setting has been changed to clarify
what it does. Note that the behavior has not actually changed.

Note that this change moves the policy.check("show_password") call from
the Pecan hook into the API's Nodes() class, where the
policy.check("show_instance_secrets") is also added. This makes the code
a little cleaner and more maintainable, especially if we want to add any
more checks like this in the future.

As a result of this cleanup, the ironic-specific
RequestContext.show_password property is removed.

Partial-bug: #1530972
Partial-bug: #1526752
Related-bug: #1613903
Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600
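
The masking behaviour described in the commit message above, as an added example that is not Ironic's own code: two independent flags, mirroring the "show_passwords" and "show_instance_secrets" policy settings, decide whether driver_info and instance_info secrets are replaced before a node is returned or logged. The function name sanitize_node, the MASK string, the PASSWORD_HINTS rule and the sample node are assumptions made for illustration.

```python
import base64
import copy

MASK = "******"  # assumed placeholder value
# configdrive and image_url are the instance_info fields the page names;
# the substring rule for driver_info keys is an assumption of this sketch.
INSTANCE_SECRET_KEYS = {"configdrive", "image_url"}
PASSWORD_HINTS = ("password", "secret", "token")


def _mask(info, is_secret):
    """Copy a dict, replacing non-empty secret values; recurse into dicts."""
    masked = {}
    for key, value in info.items():
        if is_secret(key) and value:
            masked[key] = MASK
        elif isinstance(value, dict):
            masked[key] = _mask(value, is_secret)
        else:
            masked[key] = value
    return masked


def sanitize_node(node, show_passwords=False, show_instance_secrets=False):
    """Return a masked copy; both flags default to False (fail closed)."""
    out = copy.deepcopy(node)  # never mutate the stored node
    if not show_passwords and "driver_info" in out:
        out["driver_info"] = _mask(
            out["driver_info"],
            lambda k: any(h in k.lower() for h in PASSWORD_HINTS))
    if not show_instance_secrets and "instance_info" in out:
        out["instance_info"] = _mask(
            out["instance_info"], lambda k: k in INSTANCE_SECRET_KEYS)
    return out


# Constructed sample node; every value here is made up for the example.
SAMPLE_NODE = {
    "uuid": "00000000-0000-0000-0000-000000000000",
    "driver_info": {"ipmi_address": "192.0.2.10", "ipmi_password": "example"},
    "instance_info": {
        "root_gb": 10,
        "image_url": "https://swift.example/v1/img?temp_url_sig=constructed",
        "configdrive": base64.b64encode(b"constructed user-data\n" * 200).decode(),
    },
}
```

Because the mask is applied to a copy at response time, the stored node keeps its full configdrive for the deploy, while logged API responses carry only the short placeholder.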