(stable/victoria and below) Sensitive values exposed in ansible.log

Bug #1918138 reported by Cédric Jeanneret
Affects: tripleo; Status: Fix Released; Importance: Undecided; Assigned to: Cédric Jeanneret; Milestone: (none)

Bug Description

When we use mistral for the deployment, an ansible.log file is created in a non-secure way, in a non-secured location:
#getfacl /var/lib/mistral/overcloud/ansible.log
# owner: 42430
# group: 42430
user::rw-
group::r--
other::r-- ========> This is a concern.

A simple patch in tripleo-common/tripleo_common/actions/ansible.py can solve this specific access-rights issue: we'll need to create the file beforehand, and call os.chmod() on it in order to set it to 0640.

First reported as a private BZ at Red Hat (hence no link, sorry).

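The approach the report describes (create the log file first, then tighten it to 0640) as an added example; this is not tripleo-common's own code. It creates the file with a restrictive mode at open time so it never exists as 0644, still chmods afterwards because the umask can only narrow the creation mode and the file may pre-date the call, and includes a check for the `other::r--` condition visible in the getfacl output. The temp-dir path and the `demo()` helper are constructed for the example.

```python
import logging
import os
import stat
import tempfile

LOG_MODE = 0o640  # the mode the bug report asks for on ansible.log


def create_private_logfile(path, mode=LOG_MODE):
    """Create (or reuse) a log file whose mode ends up exactly `mode`.

    os.open() with O_CREAT applies `mode` at creation, so a new file never
    passes through the default 0644. The chmod() afterwards handles a file
    that already existed with wider permissions before this call.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    os.close(fd)
    os.chmod(path, mode)
    return path


def file_mode(path):
    """Permission bits of `path`, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    """True when 'other' has read access: the condition getfacl showed."""
    return bool(file_mode(path) & stat.S_IROTH)


def attach_file_handler(logger, path):
    """Attach a logging FileHandler to a file that was secured first.

    FileHandler opens in append mode and does not touch the mode, so the
    0640 set by create_private_logfile() survives.
    """
    handler = logging.FileHandler(create_private_logfile(path))
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger.addHandler(handler)
    return handler


def demo():
    """Constructed reproduction: a 0644 log file, then the fix applied."""
    path = os.path.join(tempfile.mkdtemp(), "ansible.log")
    open(path, "w").close()
    os.chmod(path, 0o644)  # the default mode observed in the report
    before = is_world_readable(path)
    attach_file_handler(logging.getLogger("ansible-demo"), path)
    return before, is_world_readable(path), file_mode(path)
```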
Revision history for this message
Cédric Jeanneret (cjeanner) wrote :
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 13.2.0

This issue was fixed in the openstack/tripleo-common 13.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 12.4.4

This issue was fixed in the openstack/tripleo-common 12.4.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/victoria)

Related fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/787181

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/787182

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/787183

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-common/+/786971

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/787181
Committed: https://opendev.org/openstack/tripleo-ansible/commit/fb2fd1a58bfbe216b630f276528b1f6d7addac76
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit fb2fd1a58bfbe216b630f276528b1f6d7addac76
Author: Brent Eagles <email address hidden>
Date: Mon Mar 8 10:16:26 2021 -0330

    Do not log ssh keys by default

    This patch adds a no_log clause to tasks that might dump ssh key
    information to the ansible logs on deployment. Logging can be re-enabled
    by setting hide_sensitive_logs to false.

    Conflicts:
        tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

    Related-bug: #1918138
    Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
    (cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)

tags: added: in-stable-victoria
tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/787182
Committed: https://opendev.org/openstack/tripleo-ansible/commit/f87e93544ff7919df54b990b2e6e5b9e07479b67
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit f87e93544ff7919df54b990b2e6e5b9e07479b67
Author: Brent Eagles <email address hidden>
Date: Mon Mar 8 10:16:26 2021 -0330

    Do not log ssh keys by default

    This patch adds a no_log clause to tasks that might dump ssh key
    information to the ansible logs on deployment. Logging can be re-enabled
    by setting hide_sensitive_logs to false.

    Conflicts:
        tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

    Related-bug: #1918138
    Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
    (cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)
    (cherry picked from commit fb2fd1a58bfbe216b630f276528b1f6d7addac76)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/787183
Committed: https://opendev.org/openstack/tripleo-ansible/commit/2dc2e7c78b69e3dd679a0f4471bb3f7821b6bad0
Submitter: "Zuul (22348)"
Branch: stable/train

commit 2dc2e7c78b69e3dd679a0f4471bb3f7821b6bad0
Author: Brent Eagles <email address hidden>
Date: Mon Mar 8 10:16:26 2021 -0330

    Do not log ssh keys by default

    This patch adds a no_log clause to tasks that might dump ssh key
    information to the ansible logs on deployment. Logging can be re-enabled
    by setting hide_sensitive_logs to false.

    Conflicts:
        tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

    Related-bug: #1918138
    Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
    (cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)
    (cherry picked from commit fb2fd1a58bfbe216b630f276528b1f6d7addac76)
    (cherry picked from commit f87e93544ff7919df54b990b2e6e5b9e07479b67)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/786971
Committed: https://opendev.org/openstack/tripleo-common/commit/32e2249e41c637e8f6362a4d459b1418d2a3324e
Submitter: "Zuul (22348)"
Branch: stable/train

commit 32e2249e41c637e8f6362a4d459b1418d2a3324e
Author: Cédric Jeanneret <email address hidden>
Date: Mon Mar 8 14:35:55 2021 +0100

    [Victoria and below] Ensure rights on the ansible.log file

    When mistral starts the Ansible action, a log file is created at runtime.
    But nothing takes care of its access rights, leading to potential data
    leaks to unprivileged users (default mode is 0644).

    This patch creates the logfile beforehand, and sets the needed rights
    on it.

    Change-Id: Ica1b5c0a165cc06fac668513114eef2b4ba73f56
    Closes-Bug: #1918138
    (cherry picked from commit d485407159ea6cb2c7abf6d5788d85147f433996)
    (cherry picked from commit fdd5c0c09161c69975c0b62a02cbf256295c0c48)

Changed in tripleo:
milestone: wallaby-rc1 → xena-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791036

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791036
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/c65058889e5957c5c1b3c562d9244484abc94e79
Submitter: "Zuul (22348)"
Branch: master

commit c65058889e5957c5c1b3c562d9244484abc94e79
Author: Brent Eagles <email address hidden>
Date: Wed May 12 15:48:08 2021 -0230

    Do not log amphora ssh keys

    This patch adds a no_log clause to external_deploy tasks that might
    result in an SSH key getting logged.

    Change-Id: I2a38a48aabdc167134aee757cd5270af4c498c8d
    Related-Bug: #1918138

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 11.7.0

This issue was fixed in the openstack/tripleo-common 11.7.0 release.

Changed in tripleo:
milestone: xena-1 → xena-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801499

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801500

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/victoria)

Related fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801501

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801502

Changed in tripleo:
milestone: xena-2 → xena-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801502
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/806fd73f20596ddc5c276f0d4e1d2c96dc02b913
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 806fd73f20596ddc5c276f0d4e1d2c96dc02b913
Author: Brent Eagles <email address hidden>
Date: Wed May 12 15:48:08 2021 -0230

    Do not log amphora ssh keys

    This patch adds a no_log clause to external_deploy tasks that might
    result in an SSH key getting logged.

    Change-Id: I2a38a48aabdc167134aee757cd5270af4c498c8d
    Related-Bug: #1918138
    (cherry picked from commit c65058889e5957c5c1b3c562d9244484abc94e79)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801501
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/b19cfcb43195a0653d5952c7d1fee212e0744852
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit b19cfcb43195a0653d5952c7d1fee212e0744852
Author: Brent Eagles <email address hidden>
Date: Wed May 12 15:48:08 2021 -0230

    Do not log amphora ssh keys

    This patch adds a no_log clause to external_deploy tasks that might
    result in an SSH key getting logged.

    Change-Id: I2a38a48aabdc167134aee757cd5270af4c498c8d
    Related-Bug: #1918138
    (cherry picked from commit c65058889e5957c5c1b3c562d9244484abc94e79)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801500
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/8f79482b4196de6e6700e2f877ca0adc444d1a98
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 8f79482b4196de6e6700e2f877ca0adc444d1a98
Author: Brent Eagles <email address hidden>
Date: Wed May 12 15:48:08 2021 -0230

    Do not log amphora ssh keys

    This patch adds a no_log clause to external_deploy tasks that might
    result in an SSH key getting logged.

    Change-Id: I2a38a48aabdc167134aee757cd5270af4c498c8d
    Related-Bug: #1918138
    (cherry picked from commit c65058889e5957c5c1b3c562d9244484abc94e79)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/801499
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/5f91334bd83306260a97353b47b1c57a2c1772f9
Submitter: "Zuul (22348)"
Branch: stable/train

commit 5f91334bd83306260a97353b47b1c57a2c1772f9
Author: Brent Eagles <email address hidden>
Date: Wed May 12 15:48:08 2021 -0230

    Do not log amphora ssh keys

    This patch adds a no_log clause to external_deploy tasks that might
    result in an SSH key getting logged.

    Change-Id: I2a38a48aabdc167134aee757cd5270af4c498c8d
    Related-Bug: #1918138
    (cherry picked from commit c65058889e5957c5c1b3c562d9244484abc94e79)

Changed in tripleo:
status: Triaged → Fix Released