Default password hardcoded in AIO scripts

Bug #1462000 reported by Christopher H. Laco
This bug affects 1 person
Affects            Status         Importance  Assigned to     Milestone
OpenStack-Ansible  Fix Released   Low         Andy McCrae
Kilo               Fix Released   Low         Darren Birkett
Trunk              Fix Released   Low         Andy McCrae

Bug Description

The default password in the AIO gating script and heat template is hardcoded.

https://github.com/stackforge/os-ansible-deployment/blob/kilo/scripts/bootstrap-aio.sh#L22
https://github.com/stackforge/os-ansible-deployment/blob/master/scripts/osad-aio-heat-template.yml#L59

From a security standpoint, we shouldn't have any default passwords in the source for the same reasons we remove all of the default example passwords from the user_secrets.yml file.

The preferred behavior would be to generate a random password each time.
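
One way to get the behaviour requested above, as an added example that is not part of the original report or the project's fix: draw the password from /dev/urandom when no override is set, and refuse the old default if it is passed back in. `ADMIN_PASSWORD`, the function names and the 12-character minimum are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not the project's bootstrap-aio.sh. ADMIN_PASSWORD, the
# function names and the length policy are hypothetical.
#
# Weak pattern (constructed to match the report): a fixed fallback in source.
#   ADMIN_PASSWORD="${ADMIN_PASSWORD:-secrete}"

# Default named in the commit message; rejected even as an explicit override.
KNOWN_DEFAULT="secrete"

# Print a random alphanumeric password of length $1 (default 32) drawn from
# /dev/urandom. The function body is a subshell so its variables stay local.
gen_password() (
    len="${1:-32}"
    pw=""
    # Filtering discards bytes, so loop until enough characters remain.
    while [ "${#pw}" -lt "$len" ]; do
        pw="${pw}$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s\n' "$pw" | cut -c "1-${len}"
)

# Print the password to use: a strong operator override if one is set,
# otherwise a fresh random value. Returns 1 on a weak override.
resolve_admin_password() (
    candidate="${ADMIN_PASSWORD:-}"
    if [ -z "$candidate" ]; then
        gen_password 32
    elif [ "$candidate" = "$KNOWN_DEFAULT" ] || [ "${#candidate}" -lt 12 ]; then
        echo "refusing weak ADMIN_PASSWORD override" >&2
        return 1
    else
        printf '%s\n' "$candidate"
    fi
)

# Store the secret in an owner-only file rather than echoing it into logs.
store_password() (
    umask 077
    : > "$1"
    chmod 600 "$1"
    printf 'ADMIN_PASSWORD=%s\n' "$2" >> "$1"
)

# Usage: pw="$(resolve_admin_password)" && store_password ./aio-secrets "$pw"
```

A randomly generated password has to be recoverable by the operator, which is why the sketch writes it to an owner-only file instead of printing it during the build.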

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Low
Changed in openstack-ansible:
assignee: nobody → Andy McCrae (andrew-mccrae)
Changed in openstack-ansible:
status: Confirmed → In Progress
Darren Birkett (darren-birkett) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/190266

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/190266
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=888f0ec87adec9ff7b633755e30015b2e813e95c
Submitter: Jenkins
Branch: master

commit 888f0ec87adec9ff7b633755e30015b2e813e95c
Author: Andy McCrae <email address hidden>
Date: Wed Jun 10 18:05:33 2015 +0100

    Set default pass in aio scripts to be random

    In the bootstrap-aio.sh and osad-aio-heat-template.yml we use a default
    password of "secrete". As a minor security concern, this patch adjusts
    this to be random.

    Change-Id: I54b9a085aba7845b7a9ad435c60604359921fc09
    Closes-Bug: #1462000

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/192162

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/192162
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=82398488731829f0f6ee1d38be458f205ff008fb
Submitter: Jenkins
Branch: kilo

commit 82398488731829f0f6ee1d38be458f205ff008fb
Author: Andy McCrae <email address hidden>
Date: Wed Jun 10 18:05:33 2015 +0100

    Set default pass in aio scripts to be random

    In the bootstrap-aio.sh and osad-aio-heat-template.yml we use a default
    password of "secrete". As a minor security concern, this patch adjusts
    this to be random.

    Change-Id: I54b9a085aba7845b7a9ad435c60604359921fc09
    Closes-Bug: #1462000
    (cherry picked from commit 888f0ec87adec9ff7b633755e30015b2e813e95c)

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
