Bug #1914831 “starlingx_dashboard should enable optional securit...” : Bugs : StarlingX

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-05:

#1

stx.5.0 / low priority - would be nice to fix in the master branch for stx.5.0 given these are security concerns.

Changed in starlingx:
assignee:	nobody → Tyler Smith (tyler.smith)
importance:	Undecided → Low
status:	New → Triaged
tags:	added: stx.5.0 stx.security

Revision history for this message

Tyler Smith (tyler.smith) wrote on 2021-02-05:

#2

Not sure if the linking is still having issues, but the code review is here: https://review.opendev.org/c/starlingx/gui/+/774319

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-08:

#3

Yes there are still issues with the integration between gerrit and launchpad.

Revision history for this message

Ghada Khalil (gkhalil) wrote on 2021-02-08:

#4

Merged on 2021-02-08
https://review.opendev.org/c/starlingx/gui/+/774319
Marking as Fix Released

Changed in starlingx:
status:	Triaged → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-19: Fix proposed to gui (f/centos8)

#5

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/c/starlingx/gui/+/792252

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-05-19: Fix merged to gui (f/centos8)

#6

Download full text (16.7 KiB)

Reviewed: https://review.opendev.org/c/starlingx/gui/+/792252
Committed: https://opendev.org/starlingx/gui/commit/63d6de4701a7f21779ad9ea4060fce9ed85bc71f
Submitter: "Zuul (22348)"
Branch: f/centos8

commit e05e1a43531499d94cfb1e538683ee36eea92b43
Author: Teresa Ho <email address hidden>
Date: Thu May 13 23:04:04 2021 -0400

Do not display primary_reselect if not specified

If the attribute 'primary_reselect' is not specified, the sysinv API
will leave it as null and GUI will not display the attribute.

Closes-Bug: 1928461

Change-Id: I5b8ef8b29fb7775dde8607bb14cd733015269f82
Signed-off-by: Teresa Ho <email address hidden>

commit f1a4d30eca91c7a239ebd7479a56fef7870a4b2e
Author: Pablo Bovina <email address hidden>
Date: Fri May 7 16:59:50 2021 -0300

Display DataNetworks list

DataNetworks are listed for pci-sriov
under Create/Edit Interface forms.

    Closes-bug: 1927782
    Signed-off-by: Pablo Bovina <email address hidden>
    Change-Id: If927bb0facdec9e587a13354bef56eca5df08785

commit 7973677a3d7d518c31757b36037373d2c4ac769c
Author: Andre Fernando Zanella Kantek <email address hidden>
Date: Thu May 6 07:32:59 2021 -0400

In AIO-SX, interface edit rejected with Host administrative unlocked

    It was detected the edit rejection when the user, on an unlocked
    host, tries to convert an ethernet non-SRIOV to an SRIOV-PF
    interface, with the server responding "Host 'controller-0' is
    administrative 'unlocked'".

    This is caused because UpdateInterface.handle() executes first the
    datanetwork assignment and then modifies the interface. Since the
    assignment, on an unlocked host, is only possible for SRIOV
    interfaces, the order of execution matters, we need to have the
    interface modified and then assigned. The correction consists of
    altering the order (first modify then assign) to do the described.

    Tests:
    To ensure the continuous operation of the other types of conversion
    the following combinations were tested (all were done adding the
    interface to a network or datanetwork, depending on the class):

    Unlocked state:
    ethernet/[none,data,pci-pt,platform] to pci-sriov: accepted
    modify parameters of a pci-sriov: rejected
    conversion to other than pci-sriov: rejected

Locked state:
all conversions (with network/datanetwork assignment) are accepted

Closes-Bug: 1925183

Signed-off-by: Andre Fernando Zanella Kantek <email address hidden>
Change-Id: Ib124bf7222e07966becbb81198f65f5bc55715ce

commit ddcc4fd3ccb4c02580c71414345993252b089761
Author: Enzo Candotti <email address hidden>
Date: Tue May 4 11:08:57 2021 -0300

Enable add/edit Worker personality on DC AIO-DX's GUI

This update is to allow the option to add a new host with Worker
personality on Distributed Cloud mode.

Closes-Bug: 1927107

Signed-off-by: Enzo Candotti <email address hidden>
Change-Id: Idfed9352c7c6467014a2ed2cf10b70f6b470c28c

commit de43c019c0b7f038d0184d10aab2bf61b6c5e147
Author: Andre Fer...

Reviewed:  https://review.opendev.org/c/starlingx/gui/+/792252
Committed: https://opendev.org/starlingx/gui/commit/63d6de4701a7f21779ad9ea4060fce9ed85bc71f
Submitter: "Zuul (22348)"
Branch:    f/centos8

commit e05e1a43531499d94cfb1e538683ee36eea92b43
Author: Teresa Ho <teresa.ho@windriver.com>
Date:   Thu May 13 23:04:04 2021 -0400

Do not display primary_reselect if not specified
    
    If the attribute 'primary_reselect' is not specified, the sysinv API
    will leave it as null and GUI will not display the attribute.
    
    Closes-Bug: 1928461
    
    Change-Id: I5b8ef8b29fb7775dde8607bb14cd733015269f82
    Signed-off-by: Teresa Ho <teresa.ho@windriver.com>

commit f1a4d30eca91c7a239ebd7479a56fef7870a4b2e
Author: Pablo Bovina <pablo.bovina@windriver.com>
Date:   Fri May 7 16:59:50 2021 -0300

Display DataNetworks list
    
    DataNetworks are listed for pci-sriov
    under Create/Edit Interface forms.
    
    Closes-bug: 1927782
    Signed-off-by: Pablo Bovina <pablo.bovina@windriver.com>
    Change-Id: If927bb0facdec9e587a13354bef56eca5df08785

commit 7973677a3d7d518c31757b36037373d2c4ac769c
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Thu May 6 07:32:59 2021 -0400

In AIO-SX, interface edit rejected with Host administrative unlocked
    
    It was detected the edit rejection when the user, on an unlocked
    host, tries to convert an ethernet non-SRIOV to an SRIOV-PF
    interface, with the server responding "Host 'controller-0' is
    administrative 'unlocked'".
    
    This is caused because UpdateInterface.handle() executes first the
    datanetwork assignment and then modifies the interface. Since the
    assignment, on an unlocked host, is only possible for SRIOV
    interfaces, the order of execution matters, we need to have the
    interface modified and then assigned. The correction consists of
    altering the order (first modify then assign) to do the described.
    
    Tests:
    To ensure the continuous operation of the other types of conversion
    the following combinations were tested (all were done adding the
    interface to a network or datanetwork, depending on the class):
    
    Unlocked state:
    ethernet/[none,data,pci-pt,platform] to pci-sriov: accepted
    modify parameters of a pci-sriov: rejected
    conversion to other than pci-sriov: rejected
    
    Locked state:
    all conversions (with network/datanetwork assignment) are accepted
    
    Closes-Bug: 1925183
    
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
    Change-Id: Ib124bf7222e07966becbb81198f65f5bc55715ce

commit ddcc4fd3ccb4c02580c71414345993252b089761
Author: Enzo Candotti <enzo.candotti@windriver.com>
Date:   Tue May 4 11:08:57 2021 -0300

Enable add/edit Worker personality on DC AIO-DX's GUI
    
    This update is to allow the option to add a new host with Worker
    personality on Distributed Cloud mode.
    
    Closes-Bug: 1927107
    
    Signed-off-by: Enzo Candotti <enzo.candotti@windriver.com>
    Change-Id: Idfed9352c7c6467014a2ed2cf10b70f6b470c28c

commit de43c019c0b7f038d0184d10aab2bf61b6c5e147
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Thu Apr 29 06:33:50 2021 -0400

On AIO-SX's GUI, allow create/delete buttons for SRIOV-VF interfaces
    
    As part of the correction for this bug the user must be capable,
    through GUI, to create and delete subinterfaces on an unlocked system
    to handle SRIOV-VF interfaces, as it is permitted via CLI
    
    If the system is unlocked, a logic was added to prevent the create
    button to be displayed if no SRIOV-PF interface is present. The
    delete button will also only be shown if it is a SRIOV-VF interface
    
    Closes-Bug: 1925183
    
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
    Change-Id: I985383292affee5e1627b2c0c9a6455d16bbdfec

commit 180d8a7dcc78d1e9b10df4c103f95d32b116bb0e
Author: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
Date:   Tue Apr 20 07:10:46 2021 -0400

Cant modify the interface without lock/unlock through GUI, in AIO-SX
    
    As part of storyboard 2008531 users should be able to modify the
    ethernet interface to SR-IOV from the CLI and Horizon's GUI. This
    correction enables the "Edit Interface" button if the system is
    AIO-SX, the interface is ethernet and the class isn't pci-sriov.
    
    Tested with GUI on AIO-SX and Standard setups as described on
    launchpad
    
    Closes-Bug: 1925183
    
    Signed-off-by: Andre Fernando Zanella Kantek <AndreFernandoZanella.Kantek@windriver.com>
    Change-Id: Ic60684eae123618506d15c8564a85230df7a605d

commit c308974419d1174df75a6d573e0f3c5a7d80e2ad
Author: Fernando Theirs <Fernando.Theirs@windriver.com>
Date:   Fri Apr 9 14:54:50 2021 -0300

Download openrc file for subclouds
    
    This change sets adminURL as secondary endpoint. When trying to
    download openrc file for subcloud-N, it is only allowed to use adminURL
    endpoint. Since publicURL is used by default, it is necessary to go
    to fallback option.
    
    Closes-Bug: 1923884
    
    Signed-off-by: Fernando Theirs <Fernando.Theirs@windriver.com>
    Change-Id: Ifd0a32a03a458ea99f8589a524e562220a9f0b74

commit eee41da9a22653132b53ca40a70659a220dab725
Author: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Date:   Fri Apr 9 17:48:51 2021 -0300

Add new introduced deploy states to cloud overview panel
    
    Add the following deploy states to put the proper icon.
    [DANGER: Red icon]
    DEPLOY_STATE_DEPLOY_PREP_FAILED = 'deploy-prep-failed'
    DEPLOY_STATE_DATA_MIGRATION_FAILED = 'data-migration-failed'
    DEPLOY_STATE_RESTORE_PREP_FAILED = 'restore-prep-failed'
    DEPLOY_STATE_RESTORE_FAILED = 'restore-failed'
    [WARNING: Yellow icon]
    DEPLOY_STATE_PRE_DEPLOY = 'pre-deploy'
    DEPLOY_STATE_MIGRATING_DATA = 'migrating-data'
    DEPLOY_STATE_PRE_RESTORE = 'pre-restore'
    DEPLOY_STATE_RESTORING = 'restoring'
    [SUCCESS: Green icon]
    DEPLOY_STATE_INSTALLED = 'installed'
    DEPLOY_STATE_MIGRATED = 'migrated'
    
    (These deploy state is obtained from
    distributedcloud/dcmanager/common/consts.py)
    
    Closes-Bug: 1890503
    
    Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
    Change-Id: I4bf6c98431639b85a5f6dc7dd40a598bd3cc3f88

commit 8e87f2c513eb492ab5f2b699eb875a47114b6e6c
Author: Jose Infanzon <jose.infanzon@windriver.com>
Date:   Fri Apr 9 15:33:08 2021 -0300

Horizon add of OSD journal ignores SIZE
    
    Set journal size. Truncate non integer values.
    
    Closes-Bug: 1907269
    
    Signed-off-by: Jose Infanzon <jose.infanzon@windriver.com>
    Change-Id: I125f93be452e3b95bd7d7bb040fb7d665d0d0f8d

commit 84b5d7979f0a8fe0409302c426d35e441afcb71e
Author: Teresa Ho <teresa.ho@windriver.com>
Date:   Mon Mar 15 22:11:15 2021 -0400

Add bond option primary_reselect in GUI
    
    This update is to allow the option primary_reselect configurable for
    aggregated ethernet interface. The option is to prevent reverting
    between the primary slave and other slaves.
    
    Story: 2008706
    Task: 42058
    Depends-On: https://review.opendev.org/c/starlingx/config/+/780863
    
    Change-Id: I6783542168518755b8148c8a4ee5dd58d4a7e703
    Signed-off-by: Teresa Ho <teresa.ho@windriver.com>

commit f097bc14a08a0a0b306474945cabf642f1927149
Author: Tyler Smith <tyler.smith@windriver.com>
Date:   Fri Feb 5 17:49:00 2021 -0500

starlingx_dashboard should enable optional security settings
    
    - Turning on ENFORCE_PASSWORD_CHECK to require admin password re-entry
      when updating password
    - Turning on disable_password_reveal so that passwords cannot be revealed
      in password fields
    
    Closes-bug: 1914831
    Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
    Change-Id: I630839fd2b39ea3a9fca2b2e1d827404bc50f77d

commit 481e80014ce616981e7b2cdd849c207ff280d294
Author: Litao Gao <litao.gao@windriver.com>
Date:   Thu Jan 7 01:42:27 2021 -0500

Single NIC support in GUI
    
    This feature is to allow user to configure CaaS and Data networks
    to single VF capable NIC during ‘Host interface configuration’
    before unlock operation.
    
    This commit modify web gui to allow end use to create ethernet
    subinterface over pci-sriov class ethernet interface.
    And also activate delete button for the ethernet interface which
    uses other interface.
    
    Story: 2008470
    Task: 41507
    
    Depends-On: https://review.opendev.org/c/starlingx/config/+/770132
    Signed-off-by: Litao Gao <litao.gao@windriver.com>
    Change-Id: Ic1cf49a32ea7caefb2de91e32c322b9c29422dbf

commit 927bee2d66eff3e224b356cee72d5fb2bccbcaa8
Author: albailey <Al.Bailey@windriver.com>
Date:   Mon Dec 21 10:59:14 2020 -0600

Use newer flake8 to run on ubuntu-focal Zuul machines
    
    flake8 2.5.5  fails on ubuntu-focal zuul machines running python3.8
    with the following error:
    AttributeError: 'FlakesChecker' object has no attribute 'CONSTANT'
    
    The update updates the version constraint to use newer flake8.
    
    pylint has been switched to running in python3 which has challenges
    related to the new pip resolver. The correct version of Django cannot
    be specified with the new resolver so the pylint errors caused
    by the newer version are suppressed for now.
    
    The docs targets for tox use their own install_command which
    does not include an upper constraint.
    
    A non ascii character was removed from the tox.ini file which
    prevented running tox on some ubuntu envs.
    
    Partial-Bug: 1895054
    Signed-off-by: albailey <Al.Bailey@windriver.com>
    Change-Id: Ic6a50c2ecf2a654fd883ed92fc305336741d4303

commit ed99d3960c67c6671a2f55b4bf2e6756128f9f4e
Author: Yuxing Jiang <yuxing.jiang@windriver.com>
Date:   Fri Aug 28 21:36:27 2020 -0400

Align OS_AUTH_URL in admin-openrc.sh
    
    The admin-openrc.sh can be downloaded from Horizon. This file can be
    used for authentication as sysadmin in system controllers. However,
    as the keystone public endpoint of region SystemController differs
    from the RegionOne. If a user download an RC file of SystemController
    and use the OS_AUTH_URL to authenticate, a HTTP 401 Error(The request
    you have made requires authentication) will be produced.
    
    In the upstream project, the OS_AUTH_URL is got according to the
    "Central Cloud Region" and shown in the view. This commit overwrites
    the openrc template, aligns the OS_AUTH_URL in the admin-openrc.sh of
    region SystemController with the RegionOne by port replacement. As it
    is a specific usage for starlingx rather than a generic usage, it will
    not go to the Horizon project.
    
    Test:
    1. Choose the "Central Cloud Region" in Horizon as "SystemController"
    2. Download the admin-openrc.sh via API Access -> Download OpenStack
    RC File
    3. Check the OS_AUTH_URL is pointing to then keystone pulic endpoint
    of RegionOne
    4. Check the keystone pulic endpoint is still correct in the web page
    
    Change-Id: I1f43f79364f5cc7bff382c1ae90a7f8f801abedb
    Closes-Bug: 1892090
    Signed-off-by: Yuxing Jiang <yuxing.jiang@windriver.com>

commit f18c0eaa83cd47d13d477acd2a48eb87908a845d
Author: Tyler Smith <tyler.smith@windriver.com>
Date:   Thu Aug 6 17:07:25 2020 -0400

Internal server error in gui when subcloud goes down
    
    - Adding checks to prevent user navigating to an offline subcloud
    - Adding a default service region when in DC mode to remove the
      possibility of a fresh user being defaulted to logging in to an
      offline subcloud
    
    Change-Id: Ia9d37ad1f977df7e08377677186cd59eae336b1c
    Closes-bug: 1890715
    Signed-off-by: Tyler Smith <tyler.smith@windriver.com>

commit 959427c8bd1c8d074f46ba5be310850e2ee817ae
Author: Kristine Bujold <kristine.bujold@windriver.com>
Date:   Mon Jul 20 15:38:38 2020 -0400

Fix managing/unmanaging subclouds
    
    Change that were done in https://opendev.org/starlingx/distcloud-client
    /commit/dd05eccb0826ad4047201d361abea20b7a788bf5 changed the
    dcmanagerclient update_subcloud API and caused the call to the API
    from Horizon to break.
    
    Closes-Bug: 1888301
    
    Change-Id: Ia009f625a402c5480e669f61d1630f7dc3ba589f
    Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

commit 73b77d5d526af66bed2c41975635febedf685162
Author: Kristine Bujold <kristine.bujold@windriver.com>
Date:   Mon Jun 29 11:05:40 2020 -0400

Update restrictions on Physical Volume
    
    Physical Volume had restrictions which were no longer valid.
    
    Closes-Bug: 1860139
    Change-Id: I89e6c5aa429875171fc7e083e35057b61d920b95
    Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

commit 4ef018429f244a835d126d77668fe06dc695b47e
Author: Kristine Bujold <kristine.bujold@windriver.com>
Date:   Tue Jun 30 11:57:58 2020 -0400

Fix Add Host button
    
    Fix bug with “Add Host" under "Admin/Platform/Host Inventory".
    
    Closes-Bug: 1862069
    Change-Id: If804422832828db5bf5f7003589acd5388297895
    Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

commit c8a05a9960f2a2c047b937822451f69164f8187e
Author: Kristine Bujold <kristine.bujold@windriver.com>
Date:   Tue Jun 23 16:50:58 2020 -0400

Fix logging errors
    
    An invalid attribute was being set for HiddenInput
    
    Closes-Bug: 1884837
    Change-Id: I8ab337bf5f6124174ad394961d6bb136c3d06aa1
    Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

commit 798b0c9f3f40335163c8f52e3f2eadc492221c33
Author: albailey <Al.Bailey@windriver.com>
Date:   Thu Jun 18 08:14:22 2020 -0500

Fix DC patch strategy commands in Horizon
    
    The patch strategy classes in DC client were refactored
    to support multiple update types by
    https://review.opendev.org/#/c/720457/
    
    The Horizon code now uses the updated classes and methods.
    
    Change-Id: Idf0711fcd1c4341c6b5599c2414ba49868117cb7
    Closes-Bug: 1883993
    Signed-off-by: albailey <Al.Bailey@windriver.com>

commit e1e3439059a1303e3e2f7b30cccdb0f80c2a6a59
Author: Kristine Bujold <kristine.bujold@windriver.com>
Date:   Tue Jun 9 11:32:50 2020 -0400

Prevent false negative user popups
    
    Checks were added to prevent false negative user pop ups to be raised.
    This could happen when a user is about to switch from the
    SystemController’s region to a subcloud. The error is caused by pending
    requests still in the queue from the SystemController’s.
    
    Closes-Bug: 1876792
    Change-Id: I54aeaeab61f9989015061382c16e80b569ed08bc
    Signed-off-by: Kristine Bujold <kristine.bujold@windriver.com>

commit 170ac040d2250ec5a26f2a39e4c7d5b49cfd6529
Author: Sharath Kumar K <sharath.kumar@intel.com>
Date:   Thu May 7 08:59:08 2020 +0200

Tox and Zuul job for the bandit code scan in stx/gui
    
    Setting up the bandit tool for the scanning of HIGH severity issues
    in the python codes under Starlingx/gui folder.
    Expecting this merge will enable zuul job for CI/CD of bandit scan.
    
    Configuration files:
    1. tox.ini for adding bandit environment and command.
    2. test-requirements.txt for adding bandit version.
    3. .zuul.yaml file for adding bandit job and configuring under
       check job to run code scan every time before code commit.
    
    Test:
    Run tox -e bandit command inside the fault folder to validate the
    bandit scan and result.
    
    Story: 2007541
    Task: 39683
    Depends-On: https://review.opendev.org/#/c/721294/
    
    Change-Id: I155c9f894f8b1d701f2c75e3e892e6b83a35b11e
    Signed-off-by: Sharath Kumar K <sharath.kumar@intel.com>

commit b4f16ab7e86a8cf9a75cd48a6a4cdb949835e065
Author: Andreas Jaeger <aj@suse.com>
Date:   Thu Jun 4 14:20:59 2020 +0200

Switch to newer openstackdocstheme and reno versions
    
    Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
    these versions will allow especially:
    * Linking from HTML to PDF document
    * Allow parallel building of documents
    * Fix some rendering problems
    
    Update Sphinx version as well.
    
    Disable openstackdocs_auto_name to use 'project' variable as name.
    
    Change pygments_style to 'native' since old theme version always used
    'native' and the theme now respects the setting and using 'sphinx' can
    lead to some strange rendering.
    
    Remove docs requirements from test-requirements.txt, they are not needed
    during install or test but only for docs building.
    
    openstackdocstheme renames some variables, so follow the renames
    before the next release removes them. A couple of variables are also
    not needed anymore, remove them.
    
    See also
    http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
    
    Change-Id: Id86f483b405c8fbc74b89ac085076b55e461d417

tags:

added: in-f-centos8

StarlingX

starlingx_dashboard should enable optional security settings

Bug Description

Other bug subscribers

Remote bug watches