Power password is returned to UI

Bug #1938754 reported by Huw Wilkins
This bug affects 2 people
Affects: MAAS
Status: Invalid
Importance: High
Assigned to: Unassigned

Bug Description

In the configuration tab for machine/kvm we display the power parameters which include the power password.

At the moment we mask the password in a password field, but really this is just a plain text password that can be easily seen.

Does the API need to return the password? If not, maybe we should consider removing that from the response. In that case it would be good to return a flag for whether there is a password set so we can indicate that in the UI.

Tags: sts
Bill Wear (billwear) wrote :

Previously, with libvirt, we actually showed the power password if you edited the configuration. Now it seems to be masked. What I'm not clear on is whether we intended the password to be shown when editing a machine configuration, or whether it's just an oversight. Not sure this is a bug, it might be a feature change. Moving to incomplete, suggesting that Huw send an e-mail to Adam Collard to determine our original intent.

Changed in maas:
status: New → Incomplete
Huw Wilkins (huwshimi) wrote :

Thanks Bill, I spoke to Adam and he said, "I agree that we don't need to send the current password to the UI. It's important to be able to set a new password of course, but no need to see the old one."

Changed in maas:
status: Incomplete → Confirmed
Changed in maas:
status: Confirmed → Triaged
importance: Undecided → High
milestone: none → next
Chuan Li (lccn)
tags: added: sts
Björn Tillenius (bjornt) wrote :

Agreed that we shouldn't return the password by default, but add another endpoint to get it. This way, the UI can display the password if the user explicitly asks for it.

One problem is that we don't know which parts of the power parameters are secret, though. When we add support for storing secrets in Vault, we'll have the same problem.

Marking this as Invalid since we'll do this when adding support for Vault.

Changed in maas:
status: Triaged → Invalid
milestone: next → none
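
One way to implement what the thread asks for (leave the password out of the response, return a flag for whether one is set, and record which fields are secret), as an added example that is not MAAS code. The driver name, schema, field names and both functions are hypothetical, and the sample values in it are constructed.

```python
# Added illustration; every name here is hypothetical, not MAAS code or its API.
from copy import deepcopy

# Assumed per-driver schema: each power parameter declares whether it is
# secret. This is the information the thread notes is currently missing.
DRIVER_SCHEMAS = {
    "example-bmc": {
        "address": {"secret": False},
        "username": {"secret": False},
        "password": {"secret": True},
    },
}


def redact_power_parameters(driver, params):
    """Return a copy of params that is safe to send to a UI.

    Secret fields are dropped and replaced by a "<field>_is_set" boolean.
    Unknown drivers and unknown fields are treated as secret (fail closed).
    """
    schema = DRIVER_SCHEMAS.get(driver, {})
    safe = {}
    for name, value in params.items():
        field = schema.get(name)
        if field is not None and not field["secret"]:
            safe[name] = deepcopy(value)
        else:
            safe[f"{name}_is_set"] = value not in (None, "")
    return safe


def apply_power_parameter_update(stored, update):
    """Merge a UI update into the stored parameters (write-only secrets).

    A field absent from the update keeps its stored value, so the UI can
    change other settings without ever having received the password.
    """
    merged = dict(stored)
    merged.update({k: v for k, v in update.items() if not k.endswith("_is_set")})
    return merged
```

Failing closed on fields the schema does not list means a newly added driver option is hidden until someone classifies it, rather than leaked by default.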
Heather Lemon (hypothetical-lemon) wrote :

Is there a workaround for this? Or something that can be added in the meantime while we wait for Vault integration?
