The 'Render keystone container definitions' task dumps admin password

Bug #1998181 reported by Takashi Kajinami
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Takashi Kajinami

Bug Description

Description
===========
The keystone_bootstrap container contains the admin password in its environment.
It seems the task is dumping the password in plain text.

2022-11-29 04:30:05.438717 | bc764e20-1106-f374-b952-00000000354f | CHANGED | Render keystone container definitions | standalone | item={'key': 'keystone_bootstrap', 'value': {... 'environment': {... 'OS_BOOTSTRAP_PASSWORD': 'kCSsx7m7pDNN3dviA3zuvCDYS', ...}}}

We should avoid dumping the password in ansible output.

Steps to reproduce
==================
* Deploy standalone
* Check ansible output

Expected result
===============
* Output does not contain the plain admin password

Actual result
=============
* Output contains the plain admin password

Environment
===========
* The issue was initially found in upstream CI job for master

Logs & Configs
==============
example:
https://383f815cbb29d6f672f6-2795398545b19f977a1f788bf64ebecb.ssl.cf1.rackcdn.com/865928/1/check/tripleo-ci-centos-9-standalone/e6ecf4a/logs/undercloud/home/zuul/standalone_deploy.log
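
The leak reported above comes from Ansible printing each loop item as part of the task result. As an added example (not the tripleo-ansible fix and not code from this report), the playbook below puts the leaking pattern next to two standard Ansible controls, `loop_control.label` and `no_log`; the variable names and the password value are constructed.

```yaml
# Added example, not tripleo-ansible code. All names and values are constructed.
- hosts: localhost
  gather_facts: false
  vars:
    # Constructed stand-in for a container definition that carries a secret.
    container_defs:
      keystone_bootstrap:
        image: example/keystone
        environment:
          OS_BOOTSTRAP_PASSWORD: "constructed-not-a-real-secret"
  tasks:
    # Before: the per-item result line prints the whole item,
    # so the environment block (and the password) lands in the log.
    - name: Render definitions (prints full item)
      ansible.builtin.debug:
        msg: "rendering {{ item.key }}"
      loop: "{{ container_defs | dict2items }}"

    # After, option 1: print only the key as the item label.
    # The label is a display setting, not a secrecy control, so it
    # keeps normal output clean but is not a guarantee for secrets.
    - name: Render definitions (label only)
      ansible.builtin.debug:
        msg: "rendering {{ item.key }}"
      loop: "{{ container_defs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # After, option 2: no_log censors the item and the result at every
    # verbosity level, at the cost of losing the task's debug output.
    - name: Render definitions (censored)
      ansible.builtin.debug:
        msg: "rendering {{ item.key }}"
      loop: "{{ container_defs | dict2items }}"
      no_log: true
```

Run it with `ansible-playbook` and compare the three result lines: only the first one shows the constructed password.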

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)
Changed in tripleo:
status: New → In Progress
Changed in tripleo:
importance: Undecided → High
assignee: nobody → Takashi Kajinami (kajinamit)
milestone: none → antelope-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/865941
Committed: https://opendev.org/openstack/tripleo-ansible/commit/449faf71a514237bbcff959cc81e0cf9310f7816
Submitter: "Zuul (22348)"
Branch: master

commit 449faf71a514237bbcff959cc81e0cf9310f7816
Author: Takashi Kajinami <email address hidden>
Date: Tue Nov 29 14:53:55 2022 +0900

    Do not dump detail of container definitions

    Some containers such as keystone_bootstrap contain secret information
    in the container definitions. We should not dump such details into
    ansible output.

    Closes-Bug: #1998181
    Change-Id: I6c98afc8e0d6822199001ffd9535575a4506b82d

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/876801

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/876801
Committed: https://opendev.org/openstack/tripleo-ansible/commit/00d74387482bc60b23bea5c5fd5c7f4e7c934c76
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 00d74387482bc60b23bea5c5fd5c7f4e7c934c76
Author: Takashi Kajinami <email address hidden>
Date: Tue Nov 29 14:53:55 2022 +0900

    Do not dump detail of container definitions

    Some containers such as keystone_bootstrap contain secret information
    in the container definitions. We should not dump such details into
    ansible output.

    Closes-Bug: #1998181
    Change-Id: I6c98afc8e0d6822199001ffd9535575a4506b82d
    (cherry picked from commit 449faf71a514237bbcff959cc81e0cf9310f7816)

tags: added: in-stable-zed