Insecure coding practices in Ansible scripts

Bug #1828465 reported by Akond Rahman
Affects: OpenStack-Ansible
Status: Opinion
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am a security researcher who found insecure coding practices in Chef scripts.
I want to know if practitioners agree with our findings. Feedback is welcome.

I noticed insecure coding practices in the following scripts:

Hard-coded passwords:

bifrost/playbooks/roles/bifrost-ironic-install/defaults/main.yml
bifrost/playbooks/roles/bifrost-keystone-install/defaults/main.yml
openstack-ansible/playbooks/healthcheck-infrastructure.yml
monasca-vagrant/roles/monasca-devstack/defaults/main.yml
openstack-ansible-ops/ansible_tools/playbooks/swift_storage_mount_drives.yml
tripleo-quickstart/roles/repo-setup/defaults/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_kibana/defaults/main.yml
bifrost/playbooks/roles/bifrost-create-vm-nodes/tasks/create_vm.yml
bifrost/playbooks/roles/bifrost-openstack-ci-prep/tasks/main.yml
browbeat/ansible/install/roles/collectd-openstack/defaults/main.yml
openstack-ansible-ops/pxelinux-provisioning/playbooks/group_vars/all.yml
tripleo-quickstart/roles/libvirt/setup/overcloud/tasks/vars/libvirt_nodepool_vars.yml
******************************************************************************

Use of HTTP without TLS: HTTP is used without TLS

openstack-ansible-ops/multi-node-aio/playbooks/group_vars/all.yml
openstack-ansible-ops/multi-node-aio/playbooks/vars/openstack-service-config.yml
browbeat/ansible/install/roles/kibana-visualization/tasks/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_rollup/tasks/main.yml
bifrost/playbooks/roles/bifrost-keystone-install/defaults/main.yml
bifrost/playbooks/roles/bifrost-ironic-install/defaults/main.yml
openstack-ansible-ops/pxelinux-provisioning/playbooks/group_vars/all.yml
tripleo-quickstart/roles/libvirt/defaults/main.yml
bifrost/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml
browbeat/ansible/install/roles/es-template/tasks/main.yml
browbeat/ansible/install/roles/collectd-openstack/tasks/main.yml
openstack-ansible/playbooks/ceph-install.yml
openstack-ansible/playbooks/defaults/healthchecks-vars.yml
ansible-role-container-registry/handlers/main.yml
ansible-role-python_venv_build/tests/test.yml
bifrost/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
bifrost/playbooks/roles/bifrost-test-inspection/defaults/main.yml
bifrost/playbooks/roles/bifrost-configdrives-dynamic/defaults/main.yml
bifrost/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml
bifrost/playbooks/roles/ironic-delete-dynamic/defaults/main.yml
bifrost/playbooks/roles/bifrost-deploy-nodes-dynamic/defaults/main.yml
browbeat/ansible/install/roles/rsyslog-install/tasks/main.yml
browbeat/ansible/install/roles/fluentd/tasks/main.yml
browbeat/ansible/install/roles/logstash/tasks/main.yml
browbeat/ansible/install/roles/stockpile/tasks/main.yml
openstack-ansible/playbooks/healthcheck-infrastructure.yml
openstack-ansible/playbooks/defaults/source_install.yml
openstack-ansible/inventory/group_vars/all/octavia.yml
openstack-ansible/inventory/group_vars/all/designate.yml
openstack-ansible-ops/multi-node-aio/playbooks/deploy-acng.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_repositories/vars/redhat.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_kibana/defaults/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_retention/tasks/main.yml

******************************************************************************

Binding to 0.0.0.0: An IP address is used which is invalid, such as 0.0.0.0

openstack-ansible/playbooks/defaults/healthchecks-vars.yml
openstack-ansible-ops/multi-node-aio/playbooks/group_vars/all.yml
openstack-ansible-ops/pxelinux-provisioning/playbooks/group_vars/all.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_kibana/defaults/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_apm_server/defaults/main.yml

******************************************************************************

I did not find a project that addresses the 'browbeat', 'openstack-ansible', 'openstack-ansible-ops', 'bifrost', 'cookbook-openstack-identity' repo, so I am filing this bug report in the 'Openstack+Chef' project. This is more of a validation report than a bug report where I am asking Openstack developers if they agree with these insecure coding practice occurrences. Feedback welcome.
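
A small line-oriented check for the three categories in this report (hard-coded secrets, plain http:// URLs, and 0.0.0.0 bind addresses), added here as an example and not code from the report or from any of the listed projects. The sample defaults file is constructed, and Jinja-templated values such as `{{ vault_kibana_password }}` are treated as overridable rather than hard-coded, which is an assumption of this example.

```python
import re

# Constructed sample in the style of an Ansible defaults/main.yml.
# It is not taken from any of the repositories named in the report.
SAMPLE_DEFAULTS = """\
---
keystone_admin_password: "ChangeMe"
ironic_db_password: "{{ lookup('env', 'IRONIC_DB_PASSWORD') }}"
kibana_password: "{{ vault_kibana_password }}"
keystone_auth_url: http://192.0.2.10:5000/v3
glance_api_url: https://glance.example.test:9292
elastic_bind_host: 0.0.0.0
apm_listen: "0.0.0.0:8200"
elastic_listen: 127.0.0.1
"""

SECRET_KEY = re.compile(r"(password|passwd|secret|token)", re.I)
TEMPLATED = re.compile(r"\{\{.*\}\}")          # Jinja expression, resolved at run time
PLAIN_HTTP = re.compile(r"\bhttp://")           # scheme without TLS
ALL_IFACES = re.compile(r"(?<![\w.])0\.0\.0\.0(?![\w.])")  # wildcard bind address


def scan_defaults(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, category, line) for every smell found in a YAML-ish file.

    Only simple 'key: value' lines are inspected; list items and multi-line
    values are ignored, which is enough for a defaults file.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        # A secret-looking key with a literal value is hard-coded; a templated
        # value is filled from a vault, env var or variable override instead.
        if SECRET_KEY.search(key) and value and not TEMPLATED.search(value):
            findings.append((no, "hard-coded-secret", line))
        if PLAIN_HTTP.search(value):
            findings.append((no, "http-without-tls", line))
        if ALL_IFACES.search(value):
            findings.append((no, "bind-all-interfaces", line))
    return findings


if __name__ == "__main__":
    for no, category, line in scan_defaults(SAMPLE_DEFAULTS):
        print(f"line {no}: {category}: {line}")
```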

Jonathan Rosser (jrosser) wrote:

From an openstack-ansible perspective the passwords are placeholder values that need to be present to allow any form of CI test to run. Production deployments should use standard variable overrides and undertake their own security audit.

Changed in openstack-ansible:
status: New → Opinion