When getting node details, in most drivers the password/keys are masked to prevent them being displayed to the console and appearing in logs.
When using the ssh power driver this isn't the case: on a development environment where virtual nodes are being used, the ssh private keys are logged in various places at various debug levels and when running "ironic node-show <uuid>", e.g.
$ ironic --debug node-show baremetal-0 2> /tmp/t
+------------------------+-----------------------------------------------------------------------+
| Property               | Value                                                                 |
+------------------------+-----------------------------------------------------------------------+
| chassis_uuid           |                                                                       |
| clean_step             | {}                                                                    |
| console_enabled        | False                                                                 |
| created_at             | 2016-11-02T14:31:34+00:00                                             |
| driver                 | pxe_ssh                                                               |
| driver_info            | {u'ssh_username': u'root', u'deploy_kernel':                          |
|                        | u'b6e8a5e6-90d0-4471-bc00-363db8d7705f', u'deploy_ramdisk':           |
|                        | u'2b280e67-d3a0-42f6-b95b-417a5417eb2f', u'ssh_key_contents': u'----- |
|                        | BEGIN RSA PRIVATE KEY-----                                            |
|                        | ......................................                                |
|                        | ......................................                                |
|                        | ......................................                                |
|                        | ..........Removed for bug report.............                         |
|                        | ......................................                                |
|                        | ......................................                                |
|                        | ......................................                                |
|                        | -----END RSA PRIVATE KEY-----', u'ssh_virt_type':                     |
|                        | u'virsh', u'ssh_address': u'192.168.XX.XX'}                           |
| driver_internal_info   | {}                                                                    |
| extra                  | {}                                                                    |
| inspection_finished_at | None                                                                  |
| inspection_started_at  | None                                                                  |
| instance_info          | {}                                                                    |
| instance_uuid          | None                                                                  |
| last_error             | None                                                                  |
| maintenance            | False                                                                 |
| maintenance_reason     | None                                                                  |
| name                   | baremetal-0                                                           |
| network_interface      |                                                                       |
| power_state            | power off                                                             |
| properties             | {u'memory_mb': u'6144', u'cpu_arch': u'x86_64', u'local_gb': u'41',   |
|                        | u'cpus': u'1', u'capabilities': u'boot_option:local'}                 |
| provision_state        | available                                                             |
| provision_updated_at   | 2016-11-02T14:32:07+00:00                                             |
| raid_config            |                                                                       |
| reservation            | None                                                                  |
| resource_class         |                                                                       |
| target_power_state     | None                                                                  |
| target_provision_state | None                                                                  |
| target_raid_config     |                                                                       |
| updated_at             | 2016-11-02T14:32:07+00:00                                             |
| uuid                   | 9a7b89d5-51c4-4017-8f63-6b0505a58242                                  |
+------------------------+-----------------------------------------------------------------------+
Flagging this as a security vulnerability as a precaution, but I'd imagine it doesn't need to be kept private as it would only affect development environments and it's already reported publicly here: https://bugzilla.redhat.com/show_bug.cgi?id=1346089
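
The kind of masking the report expects for driver_info, as an added example that is not part of the original report and is not Ironic's own code: it masks by key name and also catches PEM private keys stored under names the list misses. The names mask_secrets, SENSITIVE_FRAGMENTS and SAMPLE_NODE, and the key-name list itself, are assumptions made for illustration.

```python
import re

# Assumed deny-list of key-name fragments; not Ironic's actual list.
# "key_contents" rather than "key" so that a key *filename* stays visible.
SENSITIVE_FRAGMENTS = ("password", "key_contents", "secret", "token")
MASK = "******"

# Second line of defence: a PEM private key stored under an unexpected name.
PEM_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)


def mask_secrets(value, key=""):
    """Return a copy of value that is safe to print or log."""
    if isinstance(value, dict):
        return {k: mask_secrets(v, str(k).lower()) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(v, key) for v in value)
    if any(fragment in key for fragment in SENSITIVE_FRAGMENTS):
        return MASK
    if isinstance(value, str):
        return PEM_RE.sub(MASK, value)
    return value


# Constructed sample shaped like the node in the report; the key is fake.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----"
SAMPLE_NODE = {
    "name": "baremetal-0",
    "driver": "pxe_ssh",
    "driver_info": {
        "ssh_username": "root",
        "ssh_virt_type": "virsh",
        "ssh_key_contents": FAKE_KEY,
    },
    # A key pasted into a free-form field, which a name-only check would miss.
    "extra": {"note": "key: " + FAKE_KEY},
}

if __name__ == "__main__":
    import pprint
    pprint.pprint(mask_secrets(SAMPLE_NODE))
```

Masking has to be applied on every path that serialises the node (API response, CLI table and debug logging), since the report shows the key leaking through more than one of them.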