(stable/victoria and below) Sensitive values exposed in ansible.log

Bug #1918138 reported by Cédric Jeanneret on 2021-03-08
Affects: tripleo
Importance: Undecided
Assigned to: Cédric Jeanneret

Bug Description

When we use mistral for the deployment, an ansible.log file is created in a non-secure way, in a non-secured location:

# getfacl /var/lib/mistral/overcloud/ansible.log
# owner: 42430
# group: 42430
user::rw-
group::r--
other::r-- ========> This is the concern.

A simple patch in tripleo-common/tripleo_common/actions/ansible.py can solve this specific access-rights issue: we'll need to create the file beforehand and call os.chmod() on it in order to set it to 0640.

First reported as a private BZ at Red Hat (hence no link, sorry).

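To illustrate the fix the report describes (create the log file with restricted rights instead of relying on the default 0644), here is an added Python example; it is not tripleo-common's own code. It contrasts a default `open()` with creation via `os.open()` plus `os.fchmod()`, which removes the window between creation and chmod and also holds under a permissive umask, and includes a small audit helper that flags world-readable log files. The file names and the log line are constructed for the demo.

```python
import os
import stat
import tempfile


def create_private_logfile(path: str, mode: int = 0o640) -> int:
    """Create (or open for append) a log file that is never world-readable.

    Passing the mode to os.open() means the file never exists with 0644,
    unlike create-then-chmod; os.fchmod() then enforces the mode even when
    the process umask is more permissive than the requested bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    os.fchmod(fd, mode)
    return fd


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set (the case shown by getfacl above)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_world_readable_logs(directory: str) -> list:
    """Audit helper: return the *.log files under directory readable by anyone."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if name.endswith(".log") and is_world_readable(full):
                hits.append(full)
    return sorted(hits)


def demo():
    """Return (naive_is_world_readable, hardened_is_world_readable)."""
    with tempfile.TemporaryDirectory() as workdir:
        old_umask = os.umask(0)  # worst case: umask does not help us at all
        try:
            naive = os.path.join(workdir, "naive.log")
            with open(naive, "w") as fh:  # default creation: 0666 & ~umask
                fh.write("constructed log line\n")
            hardened = os.path.join(workdir, "ansible.log")
            fd = create_private_logfile(hardened)
            os.write(fd, b"constructed log line\n")
            os.close(fd)
        finally:
            os.umask(old_umask)
        audit = find_world_readable_logs(workdir)
        return is_world_readable(naive), is_world_readable(hardened), len(audit)
```

Running `demo()` returns `(True, False, 1)`: only the naively created file is exposed, and the audit helper reports exactly that one.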
Cédric Jeanneret (cjeanner) wrote :
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 13.2.0

This issue was fixed in the openstack/tripleo-common 13.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 12.4.4

This issue was fixed in the openstack/tripleo-common 12.4.4 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/victoria)

Related fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/787181

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/787182

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/787183

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-common/+/786971

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/787181
Committed: https://opendev.org/openstack/tripleo-ansible/commit/fb2fd1a58bfbe216b630f276528b1f6d7addac76
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit fb2fd1a58bfbe216b630f276528b1f6d7addac76
Author: Brent Eagles <email address hidden>
Date: Mon Mar 8 10:16:26 2021 -0330

    Do not log ssh keys by default

    This patch adds a no_log clause to tasks that might dump ssh key
    information to the ansible logs on deployment. Logging can be re-enabled
    by setting hide_sensitive_logs to false.

    Conflicts:
        tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

    Related-bug: #1918138
    Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
    (cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)

tags: added: in-stable-victoria
tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/787182
Committed: https://opendev.org/openstack/tripleo-ansible/commit/f87e93544ff7919df54b990b2e6e5b9e07479b67
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit f87e93544ff7919df54b990b2e6e5b9e07479b67
Author: Brent Eagles <email address hidden>
Date: Mon Mar 8 10:16:26 2021 -0330

    Do not log ssh keys by default

    This patch adds a no_log clause to tasks that might dump ssh key
    information to the ansible logs on deployment. Logging can be re-enabled
    by setting hide_sensitive_logs to false.

    Conflicts:
        tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

    Related-bug: #1918138
    Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
    (cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)
    (cherry picked from commit fb2fd1a58bfbe216b630f276528b1f6d7addac76)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/787183
Committed: https://opendev.org/openstack/tripleo-ansible/commit/2dc2e7c78b69e3dd679a0f4471bb3f7821b6bad0
Submitter: "Zuul (22348)"
Branch: stable/train

commit 2dc2e7c78b69e3dd679a0f4471bb3f7821b6bad0
Author: Brent Eagles <email address hidden>
Date: Mon Mar 8 10:16:26 2021 -0330

    Do not log ssh keys by default

    This patch adds a no_log clause to tasks that might dump ssh key
    information to the ansible logs on deployment. Logging can be re-enabled
    by setting hide_sensitive_logs to false.

    Conflicts:
        tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

    Related-bug: #1918138
    Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
    (cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)
    (cherry picked from commit fb2fd1a58bfbe216b630f276528b1f6d7addac76)
    (cherry picked from commit f87e93544ff7919df54b990b2e6e5b9e07479b67)

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/786971
Committed: https://opendev.org/openstack/tripleo-common/commit/32e2249e41c637e8f6362a4d459b1418d2a3324e
Submitter: "Zuul (22348)"
Branch: stable/train

commit 32e2249e41c637e8f6362a4d459b1418d2a3324e
Author: Cédric Jeanneret <email address hidden>
Date: Mon Mar 8 14:35:55 2021 +0100

    [Victoria and below] Ensure rights on the ansible.log file

    When mistral starts the Ansible action, a log file is created at runtime.
    But nothing takes care of its access rights, leading to potential data
    leaks to unprivileged users (default mode is 0644).

    This patch creates the logfile beforehand, and sets the needed rights
    on it.

    Change-Id: Ica1b5c0a165cc06fac668513114eef2b4ba73f56
    Closes-Bug: #1918138
    (cherry picked from commit d485407159ea6cb2c7abf6d5788d85147f433996)
    (cherry picked from commit fdd5c0c09161c69975c0b62a02cbf256295c0c48)

Changed in tripleo:
milestone: wallaby-rc1 → xena-1
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791036

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791036
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/c65058889e5957c5c1b3c562d9244484abc94e79
Submitter: "Zuul (22348)"
Branch: master

commit c65058889e5957c5c1b3c562d9244484abc94e79
Author: Brent Eagles <email address hidden>
Date: Wed May 12 15:48:08 2021 -0230

    Do not log amphora ssh keys

    This patch adds a no_log clause to external_deploy tasks that might
    result in an SSH key getting logged.

    Change-Id: I2a38a48aabdc167134aee757cd5270af4c498c8d
    Related-Bug: #1918138

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 11.7.0

This issue was fixed in the openstack/tripleo-common 11.7.0 release.
