Hard-coded passwords found in Puppet scripts

Bug #1785533 reported by Akond Rahman
Affects: puppet-ceilometer | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Detailed bug description:

I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.

Feedback is welcome.

I noticed hard-coded passwords in the following scripts. As all of the following scripts point to the same problem, I am submitting one bug report instead of multiple bug reports for different projects.

fuel-library/deployment/puppet/fuel/examples/host.pp
fuel-library/deployment/puppet/fuel/manifests/params.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic_compute.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/ironic.pp
fuel-library/deployment/puppet/openstack_tasks/manifests/ironic/keystone.pp
fuel-library/deployment/puppet/openstack/manifests/cinder.pp
fuel-library/deployment/puppet/openstack/manifests/network/neutron_agents.pp
fuel-library/deployment/puppet/openstack/tests/all.pp
fuel-library/deployment/puppet/osnailyfacter/manifests/ssh.pp
fuel-plugin-ci/puppet-manifests/modules/fuel_project/manifests/common.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/gbp_and_apic_gbp.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/cisco_aci/manifests/generic_apic_ml2.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_apic.pp
fuel-plugin-cisco-aci/deployment_scripts/puppet/modules/neutron/manifests/config_auth.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
fuel-plugin-elasticsearch-kibana/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
fuel-plugin-external-zabbix/deployment_scripts/puppet/modules/plugin_zabbix/manifests/db/mysql.pp
fuel-plugin-ironic/deployment_scripts/puppet/manifests/ironic-compute.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/cgi.pp
fuel-plugin-lma-infrastructure-alerting/deployment_scripts/puppet/modules/nagios/manifests/params.pp
fuel-plugin-scaleio/deployment_scripts/puppet/manifests/cinder.pp
puppet-ceilometer-2018-06/examples/ceilometer_with_gnocchi.pp
puppet-cinder-2018-06/examples/cinder_volume_with_pacemaker.pp
puppet-designate/example/all-in-one-keystone.pp
puppet-glance/examples/glance_multi_store.pp
puppet-glance/examples/glance_single_store.pp
puppet-glance/tests/site.pp
puppet-gnocchi/examples/site.pp
puppet-heat/examples/site.pp
puppet-heat/manifests/db/postgresql.pp
puppet-ironic/examples/ironic.pp
puppet-keystone/examples/apache_dropin.pp
puppet-keystone/examples/apache_with_paths.pp
puppet-keystone/examples/k2k_sp_shib.pp
puppet-keystone/examples/ldap_backend.pp
puppet-keystone/examples/ldap_full.pp
puppet-keystone/examples/ldap_identity.pp
puppet-keystone/examples/v3_basic.pp
puppet-keystone/examples/v3_domain_configuration.pp
puppet-keystone/manifests/federation/openidc.pp
puppet-keystone/tests/site.pp
puppet-magnum/examples/magnum.pp
puppet-magnum/manifests/keystone/domain.pp
puppet-manila/manifests/rabbitmq.pp
puppet-midonet/manifests/cli.pp
puppet-midonet/manifests/init.pp
puppet-neutron/examples/cisco_ml2.pp
puppet-neutron/examples/neutron_l3_with_to_uuid.pp
puppet-neutron/examples/neutron_with_pacemaker.pp
puppet-neutron/examples/neutron_wsgi.pp
puppet-neutron/examples/neutron.pp
puppet-nova/examples/nova_with_pacemaker.pp
puppet-nova/examples/nova_wsgi.pp
puppet-nova/manifests/ironic/common.pp
puppet-nova/manifests/manage/cells.pp
puppet-openstack-integration/manifests/aodh.pp
puppet-openstack-integration/manifests/barbican.pp
puppet-openstack-integration/manifests/ceilometer.pp
puppet-openstack-integration/manifests/cinder.pp
puppet-openstack-integration/manifests/designate.pp
puppet-openstack-integration/manifests/ec2api.pp
puppet-openstack-integration/manifests/glance.pp
puppet-openstack-integration/manifests/gnocchi.pp
puppet-openstack-integration/manifests/heat.pp
puppet-openstack-integration/manifests/ironic.pp
puppet-openstack-integration/manifests/keystone.pp
puppet-openstack-integration/manifests/mistral.pp
puppet-openstack-integration/manifests/murano.pp
puppet-openstack-integration/manifests/neutron.pp
puppet-openstack-integration/manifests/nova.pp
puppet-openstack-integration/manifests/panko.pp
puppet-openstack-integration/manifests/sahara.pp
puppet-openstack-integration/manifests/swift.pp
puppet-openstack-integration/manifests/tempest.pp
puppet-openstack-integration/manifests/trove.pp
puppet-openstack-integration/manifests/vitrage.pp
puppet-openstack-integration/manifests/zaqar.pp
puppet-pacemaker/manifests/params.pp
puppet-pacemaker/manifests/stonith/fence_xvm.pp
puppet-sahara/examples/basic.pp
puppet-swift/manifests/keystone/auth.pp
puppet-swift/manifests/keystone/dispersion.pp
puppet-swift/manifests/proxy/authtoken.pp
puppet-swift/manifests/proxy/ceilometer.pp
puppet-trove/examples/site.pp
puppet-vitrage/examples/vitrage.pp

Revision history for this message
Takashi Kajinami (kajinamit) wrote:

* Example files are examples.
* Puppet-openstack-integration is the group of manifests for our testing.
* Usually the default is set to the os_service_default fact, which is not a specific value but is translated to the "absent" value.
* We had hard-coded passwords in puppet-swift, but these were already removed.
* We need more details (the lines detected by your tooling) for further action.

Changed in puppet-ceilometer:
status: New → Invalid
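As an added example (not part of the bug report or of any of the projects listed above), a small Python detector that flags string-literal password and secret assignments in Puppet manifests, treats the `$::os_service_default`, `undef`, variable and `Sensitive(...)`/`lookup(...)` forms the reply mentions as non-findings, and reports file and line per hit, which is the detail the maintainer asked for. The manifests it scans are constructed samples, and the example/test split mirrors the triage in the reply.

```python
import re
from typing import Dict, List, Tuple

# Puppet parameter defaults or resource attributes whose name suggests a secret,
# e.g. "$admin_password = 'x'," in a class signature or "password => 'x'," in a resource.
SECRET_NAME = re.compile(
    r"(?P<name>\$?[\w:]*?(?:password|passwd|secret|token)\w*)\s*(?:=>|=)\s*(?P<value>[^,\n]+)",
    re.IGNORECASE)
# Right-hand sides that are not literal secrets: the os_service_default fact
# (translated to "absent" by puppet-openstack), undef, a variable, or a wrapper.
SAFE_VALUE = re.compile(r"^(?:\$(?:::)?os_service_default|undef|\$[\w:]+|lookup\(|Sensitive\(|Deferred\()")

Finding = Tuple[str, int, str, str]  # (path, line, name, value)

def is_literal(value: str) -> bool:
    """True when the value is a single- or double-quoted string literal."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "'\""

def scan_manifest(path: str, text: str) -> List[Finding]:
    """Return one finding per literal secret; skips comments, safe defaults and interpolation."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]           # drop trailing comments
        for m in SECRET_NAME.finditer(code):
            value = m.group("value").strip().rstrip(",")
            if SAFE_VALUE.match(value) or not is_literal(value) or "$" in value:
                continue                        # default fact, undef, variable, wrapper, or "${var}"
            if value.strip("'\"") == "":
                continue                        # empty string is a placeholder, not a secret
            findings.append((path, line_no, m.group("name"), value))
    return findings

def scan_all(manifests: Dict[str, str]) -> List[Finding]:
    return [f for path, text in manifests.items() for f in scan_manifest(path, text)]

def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split hits into production manifests vs. examples/ and tests/ trees."""
    prod = [f for f in findings if not re.search(r"(^|/)(examples?|tests?)/", f[0])]
    return prod, [f for f in findings if f not in prod]

# Constructed sample manifests (hypothetical module "foo", not from any real project).
SAMPLE_MANIFESTS = {
    "modules/foo/manifests/init.pp": """\
class foo (
  $admin_password = $::os_service_default,   # not a finding
  $db_password    = undef,                   # not a finding
  $rabbit_password = 'guest',                # finding: literal default
  $token           = Sensitive(lookup('foo::token')),  # not a finding
) {
  $effective_password = "${db_password}"     # interpolation, not a finding
}
""",
    "examples/site.pp": "class { 'foo':\n  admin_password => 'secret',   # finding, but in examples/\n}\n",
}

if __name__ == "__main__":
    prod, examples = triage(scan_all(SAMPLE_MANIFESTS))
    for tag, hits in (("production", prod), ("example/test", examples)):
        for path, line_no, name, value in hits:
            print(f"{tag}: {path}:{line_no}: {name} = {value}")
```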