configdrive contents should be obfuscated via policy setting, just like passwords

Bug #1530972 reported by aeva black
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ironic | Fix Released | Low | aeva black |

Bug Description

When deploying an instance with a configdrive, it is possible to reference a configdrive stored in Swift or to upload the binary contents of the configdrive to Ironic. In the latter case, the base64-encoded contents of the configdrive are returned with every API request for the Node resource, as they are part of node['instance_info'].

This is problematic for a few reasons:
- configdrives often contain sensitive data, and should be treated like a password (e.g., not written to log files)
- API responses are logged by some clients, or when debug mode is enabled
- configdrive contents can be large, and this bloats the API response unnecessarily

For example:
http://logs.openstack.org/56/263256/1/check/gate-tempest-dsvm-ironic-pxe_ipa-src/b4bc64f/logs/screen-n-cpu.txt.gz#_2016-01-04_16_48_37_486

Therefore, we should default to obfuscating the configdrive contents, regardless of whether it is a URL or a BLOB, for safety and performance, while allowing users with the appropriate (higher) access rights to still see the full contents.

Tempest also logs the API response, and this is leading to massive bloat of dsvm test logs because the configdrive contents get written hundreds of times to these log files.

We will also need a change in python-ironicclient, so that when run in debug mode, the log of the POST which updates the configdrive does not print the actual contents. For example:

http://logs.openstack.org/56/263256/1/check/gate-tempest-dsvm-ironic-pxe_ipa-src/b4bc64f/logs/screen-n-cpu.txt.gz#_2016-01-04_16_48_32_653

aeva black (tenbrae)
Changed in ironic:
importance: Undecided → Low
status: New → Triaged
aeva black (tenbrae)
Changed in ironic:
assignee: nobody → Devananda van der Veen (devananda)
Changed in ironic:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/326768
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=dc0dad97737dcd0dadd1a56eb094cd76207229f0
Submitter: Jenkins
Branch: master

commit dc0dad97737dcd0dadd1a56eb094cd76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700

    Mask instance secrets in API responses

    This change adds a new policy setting, "show_instance_secrets", whose
    behavior mirrors that of the existing "show_passwords" policy setting.

    Whereas "show_passwords" has historically blocked all sensitive
    information from the node's driver_info field, the new setting blocks
    all sensitive information from the node's instance_info field, including
    image_url.

    The name of the old setting, "show_passwords", is not being changed at
    this time because such a change is not backwards-compatible. Instead,
    the documentation string for this setting has been changed to clarify
    what it does. Note that the behavior has not actually changed.

    Note that this change moves the policy.check("show_password") call from
    the Pecan hook into the API's Nodes() class, where the
    policy.check("show_instance_secrets") is also added. This makes the code
    a little cleaner and more maintainable, especially if we want to add any
    more checks like this in the future.

    As a result of this cleanup, the ironic-specific
    RequestContext.show_password property is removed.

    Partial-bug: #1530972
    Partial-bug: #1526752
    Related-bug: #1613903

    Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600

aeva black (tenbrae)
Changed in ironic:
status: In Progress → Fix Committed
Ruby Loo (rloo)
Changed in ironic:
status: Fix Committed → Fix Released
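
The masking behaviour discussed in this report, sketched as an added example; this is not Ironic's or python-ironicclient's code. It assumes the two policy results arrive as booleans, that `configdrive` and `image_url` are the instance secrets (the only two the page names), and that driver credentials can be recognised by key name; all function and constant names are hypothetical.

```python
import copy
import json

MASK = "******"
# Assumption: the page names only configdrive and image_url as instance secrets.
INSTANCE_SECRET_KEYS = frozenset({"configdrive", "image_url"})
# Assumption: driver_info keys containing these substrings are credentials.
DRIVER_SECRET_MARKERS = ("password", "secret", "token")


def mask_values(value, is_secret):
    """Recursively replace values under secret keys with a fixed-length mask."""
    if isinstance(value, dict):
        return {k: MASK if is_secret(k) and v is not None else mask_values(v, is_secret)
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask_values(v, is_secret) for v in value]
    return value


def is_instance_secret(key):
    return key in INSTANCE_SECRET_KEYS


def is_driver_secret(key):
    return any(marker in key.lower() for marker in DRIVER_SECRET_MARKERS)


def mask_node(node, show_passwords=False, show_instance_secrets=False):
    """Return a copy of the node that is safe to return or log for this caller."""
    out = copy.deepcopy(node)
    if not show_passwords:
        out["driver_info"] = mask_values(out.get("driver_info", {}), is_driver_secret)
    if not show_instance_secrets:
        out["instance_info"] = mask_values(out.get("instance_info", {}), is_instance_secret)
    return out


def redact_body_for_log(raw_body):
    """Mask instance secrets in a JSON request body before debug logging."""
    try:
        return json.dumps(mask_values(json.loads(raw_body), is_instance_secret))
    except ValueError:
        return "<non-JSON body omitted>"


# Constructed sample node; values are illustrative only.
SAMPLE_NODE = {
    "uuid": "00000000-0000-0000-0000-000000000000",
    "driver_info": {"ipmi_address": "192.0.2.10", "ipmi_password": "constructed-pw"},
    "instance_info": {"root_gb": 10, "image_url": "http://swift.example/img?temp_url_sig=abc",
                      "configdrive": "H4sIAAAAAAAA" * 1000},
}
```

Because the mask has a fixed length, the masked response also stops carrying the size of the configdrive, which addresses the log-bloat point as well as the disclosure one.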
This report contains Public information  
Everyone can see this information.