Hide secrets from puppet logs

Bug #1328448 reported by Stefano Zilli
This bug affects 1 person
Affects            Status         Importance   Assigned to       Milestone
puppet-ceilometer  Fix Released   Undecided    Stefano Zilli
puppet-designate   Fix Released   Undecided    Sebastien Badia
puppet-glance      Fix Released   Undecided    Sebastien Badia
puppet-heat        Fix Released   Undecided    Sebastien Badia
puppet-ironic      Fix Released   Undecided    Sebastien Badia
puppet-keystone    Fix Released   Undecided    Stefano Zilli
puppet-neutron     Fix Released   Undecided    Sebastien Badia

Bug Description

Currently secrets like rabbit_password or os_password are displayed in puppet logs when changed.
This should not be the case.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/98980

Changed in puppet-ceilometer:
assignee: nobody → Stefano Zilli (stefano-zilli)
status: New → In Progress
Sebastien Badia (sbadia) wrote :

Review for puppet-glance https://review.openstack.org/99294 (master)

Changed in puppet-glance:
assignee: nobody → Stefano Zilli (stefano-zilli)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ceilometer (master)

Reviewed: https://review.openstack.org/98980
Committed: https://git.openstack.org/cgit/stackforge/puppet-ceilometer/commit/?id=b10f1af5b0576ad6926d6dbd5e5a0e4a8eab32d4
Submitter: Jenkins
Branch: master

commit b10f1af5b0576ad6926d6dbd5e5a0e4a8eab32d4
Author: Stefano Zilli <email address hidden>
Date: Tue Jun 10 11:17:39 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or os_password are displayed in
    puppet logs when changed. This commit changes ceilometer_config type
    adding a new parameter that triggers obfuscation of the values in
    puppet logs.

    Change-Id: I9eb6504220c5337c154bf5ad86c7d22bea64df51
    Closes-Bug: #1328448

Changed in puppet-ceilometer:
status: In Progress → Fix Committed
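
How a `secret` parameter of this kind keeps values out of change messages, as an added Ruby sketch that is not the module's own code. `ConfigSetting` is a hypothetical stand-in that does not load Puppet; the hook names `is_to_s`, `should_to_s` and `change_to_s` follow Puppet's property API, while the redaction strings, log-line format and sample passwords are constructed for the example.

```ruby
# Stand-in for a *_config resource; does not load Puppet (hypothetical class).
class ConfigSetting
  def initialize(title, value:, secret: false)
    @title = title
    @value = value
    @secret = secret
  end

  def secret?
    @secret
  end

  # Hook names below follow Puppet's property API; bodies are this example's.
  def is_to_s(current)
    secret? ? '[old secret redacted]' : current
  end

  def should_to_s(desired)
    secret? ? '[new secret redacted]' : desired
  end

  def change_to_s(current, desired)
    "value changed '#{is_to_s(current)}' to '#{should_to_s(desired)}'"
  end

  # Returns the log line for a change, or nil when the value is already right.
  # Only the rendering is redacted; @value itself is still written unchanged.
  def sync(current)
    return nil if current == @value
    "Notice: Ceilometer_config[#{@title}]/value: #{change_to_s(current, @value)}"
  end
end

# Constructed sample values, not from any real deployment.
def demo_log_lines
  old_pw = 'old-pass-example'
  new_pw = 'new-pass-example'
  [false, true].map do |flag|
    ConfigSetting.new('DEFAULT/rabbit_password', value: new_pw, secret: flag).sync(old_pw)
  end
end

puts demo_log_lines
```

The first line printed carries both passwords in clear text; the second carries only the redaction markers, and an unchanged value produces no line at all.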
Stefano Zilli (szilli) wrote :

Duplicate of #1279329

Changed in puppet-keystone:
status: New → Invalid
Sebastien Badia (sbadia) wrote :

For puppet-keystone, rabbit_password isn't obfuscated https://github.com/stackforge/puppet-keystone/blob/master/manifests/init.pp#L458

Stefano Zilli (szilli) wrote :

Well spotted. I completely missed it.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99344

Changed in puppet-keystone:
assignee: nobody → Stefano Zilli (stefano-zilli)
status: Invalid → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/99344
Committed: https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=cbac8130da6732a1e8ad1dbcf9aec6ba75b7c20d
Submitter: Jenkins
Branch: master

commit cbac8130da6732a1e8ad1dbcf9aec6ba75b7c20d
Author: Stefano Zilli <email address hidden>
Date: Wed Jun 11 13:26:52 2014 +0200

    Use secret parameter for rabbit_password

    Rabbit_password configuration was not using secret parameter so it
    was visible on the logs.

    Change-Id: Idad892f0c461fce53eaa81ec8a7f3cfe871a9d00
    Closes-Bug: 1328448

Changed in puppet-keystone:
status: In Progress → Fix Committed
Changed in puppet-neutron:
assignee: nobody → Sebastien Badia (sbadia)
status: New → In Progress
Changed in puppet-ironic:
assignee: nobody → Sebastien Badia (sbadia)
status: New → In Progress
Changed in puppet-heat:
assignee: nobody → Sebastien Badia (sbadia)
status: New → In Progress
Changed in puppet-designate:
assignee: nobody → Sebastien Badia (sbadia)
status: New → In Progress
Changed in puppet-glance:
assignee: Stefano Zilli (stefano-zilli) → Sebastien Badia (sbadia)
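
A check for the puppet-keystone case above, where a password setting was declared without the secret parameter (added example, not code from the modules): a heuristic Ruby scan of manifest text for `*_config` entries with sensitive-looking titles that lack `secret => true`. The title pattern, function name and sample manifest are assumptions made for this example; it is a text scan, not a Puppet parser.

```ruby
# Titles treated as sensitive (assumption; extend for your own settings).
SENSITIVE = /password|secret|token|connection/i
# A `<name>_config { ... }` block; `${var}` interpolation inside values is
# skipped over so its closing brace does not end the block early.
BLOCK = /(\w+_config)\s*\{((?:\$\{[^}]*\}|[^}])*)\}/m
# One `'section/key': attributes` entry inside a block.
ENTRY = /'([^']+)'\s*:(.*)/m

# Returns resource references for sensitive settings not marked secret.
# Heuristic: entries are split on ';', so a ';' inside a value is not handled.
def unredacted_settings(manifest)
  findings = []
  manifest.scan(BLOCK) do |type, body|
    body.split(';').each do |entry|
      m = ENTRY.match(entry)
      next unless m
      title = m[1]
      attrs = m[2]
      next unless title =~ SENSITIVE
      next if attrs =~ /\bsecret\s*=>\s*true\b/
      findings << "#{type.capitalize}[#{title}]"
    end
  end
  findings
end

# Constructed manifest fragment, not copied from any module.
SAMPLE = <<~'PP'
  keystone_config {
    'DEFAULT/rabbit_userid':   value => $rabbit_userid;
    'DEFAULT/rabbit_password': value => $rabbit_password;
    'DEFAULT/admin_token':     value => $admin_token, secret => true;
    'database/connection':     value => "mysql://${user}:${pw}@db/keystone";
  }
PP

puts unredacted_settings(SAMPLE)
```

Run over a module's `manifests/` directory in CI, a non-empty result marks settings whose values would still appear in Puppet's change log.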
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-heat (master)

Reviewed: https://review.openstack.org/106526
Committed: https://git.openstack.org/cgit/stackforge/puppet-heat/commit/?id=6a89a44f9d2c6114b3bb1a4a74eff62ec13f545e
Submitter: Jenkins
Branch: master

commit 6a89a44f9d2c6114b3bb1a4a74eff62ec13f545e
Author: Sebastien Badia <email address hidden>
Date: Sat Jul 12 02:27:11 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or admin_password are leaked in
    puppet logs when changed. This commit changes heat_*_config and
    heat_*_ini types adding a new parameter that triggers obfuscation of
    the values in puppet logs.

    Change-Id: Ib06a0f967dd5d5f8cc1c4dc7257c0e196786e8ae
    Closes-Bug: #1328448

Changed in puppet-heat:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ironic (master)

Reviewed: https://review.openstack.org/106525
Committed: https://git.openstack.org/cgit/stackforge/puppet-ironic/commit/?id=8012b9538fc9f58adae1cad9f8c03519695021b3
Submitter: Jenkins
Branch: master

commit 8012b9538fc9f58adae1cad9f8c03519695021b3
Author: Sebastien Badia <email address hidden>
Date: Sat Jul 12 02:27:54 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or admin_password are leaked in puppet
    logs when changed. This commit added secret parameter to password and
    databases params.

    Change-Id: I205b54d24be202095a2eae7356d63107523e0c92
    Closes-Bug: #1328448

Changed in puppet-ironic:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-designate (master)

Reviewed: https://review.openstack.org/106529
Committed: https://git.openstack.org/cgit/stackforge/puppet-designate/commit/?id=3caedea97a5eb39e3fc9e50b54cfa5eaa1e222e5
Submitter: Jenkins
Branch: master

commit 3caedea97a5eb39e3fc9e50b54cfa5eaa1e222e5
Author: Sebastien Badia <email address hidden>
Date: Sat Jul 12 02:25:12 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or admin_password are leaked in
    puppet logs when changed. This commit changes designate_*_config and
    designate_*_ini types adding a new parameter that triggers obfuscation of
    the values in puppet logs.

    Change-Id: I54e7c0bb27e46928db1a7f0125783c02d00d0e69
    Closes-Bug: #1328448

Changed in puppet-designate:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-glance (master)

Reviewed: https://review.openstack.org/99294
Committed: https://git.openstack.org/cgit/stackforge/puppet-glance/commit/?id=a0c5c271effa0d613a0436646bf240ef9be27d2b
Submitter: Jenkins
Branch: master

commit a0c5c271effa0d613a0436646bf240ef9be27d2b
Author: Stefano Zilli <email address hidden>
Date: Wed Jun 11 10:36:39 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or admin_password are displayed in
    puppet logs when changed. This commit changes glance_*_config and
    glance_*_ini types adding a new parameter that triggers obfuscation of
    the values in puppet logs.

    Change-Id: I31f974a9afadef42939ee092ecba3b8f4333bb8b
    Closes-Bug: #1328448

Changed in puppet-glance:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-neutron (master)

Reviewed: https://review.openstack.org/106524
Committed: https://git.openstack.org/cgit/stackforge/puppet-neutron/commit/?id=c7f8696a3abfa5771d811f6d6c35f5a1f2ba02ec
Submitter: Jenkins
Branch: master

commit c7f8696a3abfa5771d811f6d6c35f5a1f2ba02ec
Author: Sebastien Badia <email address hidden>
Date: Sat Jul 12 02:28:55 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password, admin_password or database connection
    are leaked in puppet logs when changed. This commit changes neutron_*_config and
    neutron_*_ini types adding a new parameter that triggers obfuscation of the values
    in puppet logs.

    Change-Id: I7dc59ce9580bfb1d4afdfbced668d0cb2979458a
    Closes-Bug: #1328448

Changed in puppet-neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-glance (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124216

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124217

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-heat (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124218

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124219

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-heat (stable/icehouse)

Reviewed: https://review.openstack.org/124218
Committed: https://git.openstack.org/cgit/stackforge/puppet-heat/commit/?id=02e0cdaabbcd86d009f35968f5bbcb908873b96e
Submitter: Jenkins
Branch: stable/icehouse

commit 02e0cdaabbcd86d009f35968f5bbcb908873b96e
Author: Sebastien Badia <email address hidden>
Date: Sat Jul 12 02:27:11 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or admin_password are leaked in
    puppet logs when changed. This commit changes heat_*_config and
    heat_*_ini types adding a new parameter that triggers obfuscation of
    the values in puppet logs.

    Change-Id: Ib06a0f967dd5d5f8cc1c4dc7257c0e196786e8ae
    Closes-Bug: #1328448
    (cherry picked from commit 6a89a44f9d2c6114b3bb1a4a74eff62ec13f545e)

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-neutron (stable/icehouse)

Reviewed: https://review.openstack.org/124219
Committed: https://git.openstack.org/cgit/stackforge/puppet-neutron/commit/?id=5246c086926aac3ff07b09018b92fdfb0197bfca
Submitter: Jenkins
Branch: stable/icehouse

commit 5246c086926aac3ff07b09018b92fdfb0197bfca
Author: Sebastien Badia <email address hidden>
Date: Sat Jul 12 02:28:55 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password, admin_password or database connection
    are leaked in puppet logs when changed. This commit changes neutron_*_config and
    neutron_*_ini types adding a new parameter that triggers obfuscation of the values
    in puppet logs.

    Change-Id: I7dc59ce9580bfb1d4afdfbced668d0cb2979458a
    Closes-Bug: #1328448
    (cherry picked from commit c7f8696a3abfa5771d811f6d6c35f5a1f2ba02ec)

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/icehouse)

Reviewed: https://review.openstack.org/124217
Committed: https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=de76c54fe9cdbe994881e8c4b3120bf134f5f00d
Submitter: Jenkins
Branch: stable/icehouse

commit de76c54fe9cdbe994881e8c4b3120bf134f5f00d
Author: Stefano Zilli <email address hidden>
Date: Wed Jun 11 13:26:52 2014 +0200

    Use secret parameter for rabbit_password

    Rabbit_password configuration was not using secret parameter so it
    was visible on the logs.

    Change-Id: Idad892f0c461fce53eaa81ec8a7f3cfe871a9d00
    Closes-Bug: 1328448
    (cherry picked from commit cbac8130da6732a1e8ad1dbcf9aec6ba75b7c20d)

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-glance (stable/icehouse)

Reviewed: https://review.openstack.org/124216
Committed: https://git.openstack.org/cgit/stackforge/puppet-glance/commit/?id=bb30cea7601d2af242045832f80d2b4f3ac2338d
Submitter: Jenkins
Branch: stable/icehouse

commit bb30cea7601d2af242045832f80d2b4f3ac2338d
Author: Stefano Zilli <email address hidden>
Date: Wed Jun 11 10:36:39 2014 +0200

    Hide secrets from puppet logs

    Currently secrets like rabbit_password or admin_password are displayed in
    puppet logs when changed. This commit changes glance_*_config and
    glance_*_ini types adding a new parameter that triggers obfuscation of
    the values in puppet logs.

    Change-Id: I31f974a9afadef42939ee092ecba3b8f4333bb8b
    Closes-Bug: #1328448
    (cherry picked from commit a0c5c271effa0d613a0436646bf240ef9be27d2b)

Mathieu Gagné (mgagne)
Changed in puppet-ironic:
status: Fix Committed → Fix Released
Changed in puppet-keystone:
milestone: none → 5.0.0
Changed in puppet-neutron:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-keystone:
status: Fix Committed → Fix Released
Changed in puppet-heat:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-glance:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-ceilometer:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-designate:
status: Fix Committed → Fix Released