SECRET_KEY is leaked in puppet output
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puppet-horizon | Fix Released | High | Takashi Kajinami |
Bug Description
The local_settings file stores the SECRET_KEY parameter in a plain text format.
Because we don't disable diff, the key content is displayed in the puppet log during initial deployment or when the key is changed.
```
2022-08-19 00:27:11 +0000 /Stage[
--- /etc/openstack-
+++ /tmp/puppet-
@@ -1,54 +1,94 @@
-# -*- coding: utf-8 -*-
...
# Set custom secret key:
# You can either set it to a specific value or you can let horizon generate a
@@ -84,25 +134,31 @@
# (usually behind a load-balancer). Either you have to make sure that a session
# gets all requests routed to the same dashboard instance or you set the same
# SECRET_KEY for all of them.
-SECRET_
+#SECRET_KEY = secret_
+# os.path.
+SECRET_KEY = 'big_secret'
...
```
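An added example, not part of the original report or of puppet-horizon: a small Python scanner that finds and redacts literal `SECRET_KEY` values in the diff lines of Puppet logs that have already been written, so operators can tell which logs expose a key that needs rotating. The sample log, its paths and its key values are constructed for illustration.

```python
import re

# Constructed sample modelled on the excerpt in the report; the resource
# name, paths and key values are made up for this example.
SAMPLE_LOG = """\
2022-08-19 00:27:11 +0000 /Stage[main]/Example/File[local_settings.py]/content:
--- /etc/example/local_settings.py
+++ /tmp/puppet-file-example
@@ -84,25 +134,31 @@
 # SECRET_KEY for all of them.
-SECRET_KEY = 'old_secret'
+#SECRET_KEY = generate_key()
+SECRET_KEY = 'big_secret'
 ...
"""

# An added (+) or removed (-) diff line that assigns a quoted literal to
# SECRET_KEY. Commented-out assignments and unchanged context lines do not
# match, and [ \t]* keeps the match on a single line.
LEAK_RE = re.compile(
    r"""^(?P<sign>[+-])
        (?P<lhs>[ \t]*SECRET_KEY[ \t]*=[ \t]*)
        (?P<q>['"])(?P<value>.*?)(?P=q)""",
    re.VERBOSE | re.MULTILINE,
)


def find_leaks(log_text):
    """Return (line_number, sign) for every diff line exposing a key literal.

    A '+' hit is the key now deployed; a '-' hit is the key it replaced.
    """
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = LEAK_RE.match(line)
        if match:
            hits.append((number, match.group("sign")))
    return hits


def redact(log_text):
    """Return the log with each exposed literal replaced by a fixed marker."""
    def mask(match):
        quote = match["q"]
        return f"{match['sign']}{match['lhs']}{quote}[REDACTED]{quote}"
    return LEAK_RE.sub(mask, log_text)


if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))
    print(redact(SAMPLE_LOG), end="")
```

Redaction only cleans the stored log; a key that appeared on a `+` line should still be treated as exposed.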
Changed in puppet-horizon:
importance: Undecided → High
assignee: nobody → Takashi Kajinami (kajinamit)
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/853744