galera_server: Reveals galera passwords in task: "Create galera users"

Bug #1760878 reported by chandra shekar
Affects            Status        Importance  Assigned to           Milestone
OpenStack-Ansible  Fix Released  Critical    Jean-Philippe Evrard

Bug Description

openstack-ansible-galera_server task: "Create galera users" reveals passwords in its log. This can be a security breach. This is revealed due to the ansible with_items loop implementation. Below is the output from my execution.

2018-03-30 17:17:50,119 p=5543 u=cloudadmin | TASK [galera_server : Create galera users] *************************************
2018-03-30 17:17:50,120 p=5543 u=cloudadmin | Friday 30 March 2018 17:17:50 +0000 (0:00:00.055) 0:01:59.664 **********
2018-03-30 17:17:50,615 p=5543 u=cloudadmin | ok: [controller-1] => (item={u'state': u'present', u'password': u'6788672857c0ec497996e1a1098c37d', u'host': u'%', u'name': u'root', u'priv': u'*.*:ALL,GRANT'})
2018-03-30 17:17:50,958 p=5543 u=cloudadmin | ok: [controller-1] => (item={u'state': u'absent', u'password': u'6788672857c0ec497996e1a1098c37d', u'host': u'192.168.1.24', u'name': u'root', u'priv': u'*.*:ALL'})
2018-03-30 17:17:51,326 p=5543 u=cloudadmin | changed: [controller-1] => (item={u'state': u'present', u'password': u'', u'host': u'%', u'name': u'monitoring', u'priv': u'*.*:USAGE'})
2018-03-30 17:17:51,602 p=5543 u=cloudadmin | changed: [controller-1] => (item={u'state': u'present', u'password': u'', u'host': u'192.168.1.24', u'name': u'monitoring', u'priv': u'*.*:USAGE'})

This can be fixed by adding the lines below to the task in galera_setup.yml:
  loop_control:
    label: "{{item.name, item.host}}"

Please assign this ticket to me, if you think it is a valid bug.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Jean-Philippe Evrard (jean-philippe-evrard)
Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-tests (master)

Reviewed: https://review.openstack.org/560405
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-tests/commit/?id=c00ecb858d238fbba26d64750740f94f5411bd06
Submitter: Zuul
Branch: master

commit c00ecb858d238fbba26d64750740f94f5411bd06
Author: Jean-Philippe Evrard <email address hidden>
Date: Wed Apr 11 15:00:16 2018 +0200

    Add a rule to prevent passwords to be logged

    Lint rule to make sure no module argument looking like "password"
    will get logged.

    Change-Id: I180b77faf7aaab57d1c48fc993e43f08c4fb16f6
    Closes-Bug: #1760878

Changed in openstack-ansible:
status: In Progress → Fix Released
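The loop-output leak described in the report and the "no password-like argument gets logged" lint rule named in the commit message above, as an added example that is neither the reporter's code nor the rule merged into openstack-ansible-tests: a small Python checker that runs over already-parsed task dicts (what PyYAML yields for a tasks file) and flags module arguments named like secrets when the task lacks `no_log: true`, plus literal loop items with secret-looking keys when no `loop_control.label` replaces the printed item. The secret-name pattern, the task keyword list, the three sample tasks, the user list and the fake password value are all assumptions constructed for this example.

```python
import re

# Assumption for this example: argument or item keys matching this pattern are
# treated as secrets. A real lint rule would carry its own list.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api_key", re.IGNORECASE)

# Task-level keywords that must not be mistaken for the module name.
TASK_KEYWORDS = {
    "name", "loop", "loop_control", "no_log", "when", "register", "tags",
    "become", "become_user", "vars", "notify", "changed_when", "failed_when",
    "delegate_to", "run_once", "until", "retries", "delay", "ignore_errors",
}


def secret_paths(obj, path=""):
    """Recursively collect dotted paths whose key name looks like a secret."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if SECRET_KEY_RE.search(str(key)):
                hits.append(here)
            hits.extend(secret_paths(value, here))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(secret_paths(value, f"{path}[{idx}]"))
    return hits


def split_task(task):
    """Return (module_name, module_args, loop_source) for one parsed task dict."""
    module, args, loop = None, {}, None
    for key, value in task.items():
        if key == "loop" or key.startswith("with_"):
            loop = value
        elif key not in TASK_KEYWORDS and module is None:
            module = key
            args = value if isinstance(value, dict) else {"_raw_params": value}
    return module, args, loop


def check_task(task):
    """Lint one task; return a list of (severity, message) tuples."""
    findings = []
    module, args, loop = split_task(task)
    no_log = task.get("no_log") is True
    label = (task.get("loop_control") or {}).get("label")

    # Rule 1: a module argument named like a secret needs no_log: true, because
    # verbose runs and registered results carry the module arguments.
    if not no_log:
        for path in secret_paths(args):
            findings.append(("error", f"{module} argument '{path}' looks like a "
                                      "secret but the task has no 'no_log: true'"))

    # Rule 2: a looped task prints every item inline as "item={...}", so a
    # literal item list with secret keys leaks unless the display is replaced.
    if loop is not None and not no_log:
        if isinstance(loop, str):
            findings.append(("info", "loop source is a template expression; "
                                     "its item keys cannot be inspected statically"))
        elif not label:
            for path in secret_paths(loop):
                findings.append(("warning", f"loop item key '{path}' will be printed "
                                            "as the item label; set loop_control.label "
                                            "or no_log: true"))
    return findings


def lint_tasks(tasks):
    """Lint a task list; return {task name: findings} for tasks with findings."""
    report = {}
    for task in tasks:
        findings = check_task(task)
        if findings:
            report[task.get("name", "<unnamed>")] = findings
    return report


# Constructed sample tasks modelled on the report; the user list and the
# password value are made up and are not the role's real data.
_MYSQL_USER_ARGS = {"name": "{{ item.name }}", "host": "{{ item.host }}",
                    "password": "{{ item.password }}", "priv": "{{ item.priv }}",
                    "state": "{{ item.state }}"}
_USERS = [{"name": "root", "host": "%", "password": "example-not-a-real-password",
           "priv": "*.*:ALL,GRANT", "state": "present"},
          {"name": "monitoring", "host": "%", "password": "", "priv": "*.*:USAGE",
           "state": "present"}]
CONSTRUCTED_TASKS = [
    {"name": "Create galera users (as reported)",
     "mysql_user": dict(_MYSQL_USER_ARGS), "with_items": list(_USERS)},
    {"name": "Create galera users (label only)",
     "mysql_user": dict(_MYSQL_USER_ARGS), "with_items": list(_USERS),
     "loop_control": {"label": "{{ item.name }}@{{ item.host }}"}},
    {"name": "Create galera users (no_log)",
     "mysql_user": dict(_MYSQL_USER_ARGS), "with_items": list(_USERS),
     "no_log": True},
]

if __name__ == "__main__":
    for task_name, findings in lint_tasks(CONSTRUCTED_TASKS).items():
        for severity, message in findings:
            print(f"{severity.upper():7} {task_name}: {message}")
```

Of the three constructed tasks, the one modelled on the report gets one error (the `password` argument) and two warnings (one per literal item); the label-only variant still gets the error, because the label only changes what the `item=` display shows while the full item and the module arguments still end up in verbose output and in any registered result; the `no_log: true` variant passes. Treat `no_log: true` as the fix and the label as a readability improvement, not a substitute.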
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-tests (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/561865

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-tests (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/561882

Revision history for this message
chandra shekar (sekharvajjula) wrote :

ansible-keepalived has the same issue, e.g. https://github.com/evrardjp/ansible-keepalived/blob/master/tasks/main.yml#L57 also reveals passwords. Do I need to create a new ticket for it in its own project?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-tests (stable/queens)

Reviewed: https://review.openstack.org/561865
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-tests/commit/?id=41e2d77aa15f3ebd82129509c447c72ee5133c05
Submitter: Zuul
Branch: stable/queens

commit 41e2d77aa15f3ebd82129509c447c72ee5133c05
Author: Jean-Philippe Evrard <email address hidden>
Date: Wed Apr 11 15:00:16 2018 +0200

    Add a rule to prevent passwords to be logged

    Lint rule to make sure no module argument looking like "password"
    will get logged.

    Change-Id: I180b77faf7aaab57d1c48fc993e43f08c4fb16f6
    Closes-Bug: #1760878
    (cherry picked from commit c00ecb858d238fbba26d64750740f94f5411bd06)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-tests (stable/pike)

Reviewed: https://review.openstack.org/561882
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-tests/commit/?id=9d95df9ce28729e90306fe7bb8a38c8d239a07c4
Submitter: Zuul
Branch: stable/pike

commit 9d95df9ce28729e90306fe7bb8a38c8d239a07c4
Author: Jean-Philippe Evrard <email address hidden>
Date: Wed Apr 11 15:00:16 2018 +0200

    Add a rule to prevent passwords to be logged

    Lint rule to make sure no module argument looking like "password"
    will get logged.

    Change-Id: I180b77faf7aaab57d1c48fc993e43f08c4fb16f6
    Closes-Bug: #1760878
    (cherry picked from commit c00ecb858d238fbba26d64750740f94f5411bd06)

tags: added: in-stable-pike