galera_server: Reveals galera passwords in task: "Create galera users"
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack-Ansible |
Fix Released
|
Critical
|
Jean-Philippe Evrard |
Bug Description
openstack-
2018-03-30 17:17:50,119 p=5543 u=cloudadmin | TASK [galera_server : Create galera users] *******
2018-03-30 17:17:50,120 p=5543 u=cloudadmin | Friday 30 March 2018 17:17:50 +0000 (0:00:00.055) 0:01:59.664 **********
2018-03-30 17:17:50,615 p=5543 u=cloudadmin | ok: [controller-1] => (item={u'state': u'present', u'password': u'6788672857c0e
2018-03-30 17:17:50,958 p=5543 u=cloudadmin | ok: [controller-1] => (item={u'state': u'absent', u'password': u'6788672857c0e
2018-03-30 17:17:51,326 p=5543 u=cloudadmin | changed: [controller-1] => (item={u'state': u'present', u'password': u'', u'host': u'%', u'name': u'monitoring', u'priv': u'*.*:USAGE'})
2018-03-30 17:17:51,602 p=5543 u=cloudadmin | changed: [controller-1] => (item={u'state': u'present', u'password': u'', u'host': u'192.168.1.24', u'name': u'monitoring', u'priv': u'*.*:USAGE'})
This can be fixed by adding below lines to the task in galera_setup.yml:
loop_control:
label: "{{item.name, item.host}}"
Please assign this ticket to me, if you think it is a valid bug.
Changed in openstack-ansible: | |
status: | New → Confirmed |
importance: | Undecided → Critical |
assignee: | nobody → Jean-Philippe Evrard (jean-philippe-evrard) |
Changed in openstack-ansible: | |
status: | Confirmed → In Progress |
Reviewed: https:/ /review. openstack. org/560405 /git.openstack. org/cgit/ openstack/ openstack- ansible- tests/commit/ ?id=c00ecb858d2 38fbba26d647507 40f94f5411bd06
Committed: https:/
Submitter: Zuul
Branch: master
commit c00ecb858d238fb ba26d64750740f9 4f5411bd06
Author: Jean-Philippe Evrard <email address hidden>
Date: Wed Apr 11 15:00:16 2018 +0200
Add a rule to prevent passwords to be logged
Lint rule to make sure no module argument looking like "password"
will get logged.
Change-Id: I180b77faf7aaab 57d1c48fc993e43 f08c4fb16f6
Closes-Bug: #1760878