"Check password for Keystone user" task dumps raw password in output

Bug #1998158 reported by Takashi Kajinami
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Takashi Kajinami

Bug Description

Description
===========
Currently the "Check password for Keystone user" task dumps raw password strings in case the user is not yet created (or has a different password).

2022-11-28 16:08:38.471435 | fa163e7e-724d-ab58-6e4c-000000004537 | FATAL | Check password of Keystone user | undercloud | item=cinder | error={"ansible_loop_var": "tripleo_keystone_resources_data", ..., "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1, "tripleo_keystone_resources_data": {"cinder": {"password": "d5bsb9TKXiOFO4XHJb2XYbra4", "roles": ["admin", "service"]}}}

We should hide such sensitive information from the Ansible log.

Note that this task was added recently by
https://review.opendev.org/c/openstack/tripleo-ansible/+/862372

Steps to reproduce
==================
* Deploy standalone
* See deployment output

Expected result
===============
* Output does not contain the raw password string

Actual result
=============
* Output contains the raw password string

Environment
===========
N/A

Logs & Configs
==============
Example:
https://d1079d1c172c6ec8daf9-8011a2266d21f0c09baf1c83d6d5002e.ssl.cf2.rackcdn.com/856228/4/check/tripleo-ci-centos-9-standalone/e4d5674/logs/undercloud/home/zuul/standalone_deploy.log
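
A check for the expected result above, added here as an example (not code from tripleo-ansible or from the bug reporter): it scans deployment log lines of the shape shown in the description for clear-text values stored under password-like keys, and redacts them before a log is published as a CI artifact. The key list, function names and sample lines are constructed for illustration.

```python
import re

# Key fragments whose values must never reach a deployment log (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token")

# Matches "key": "value" pairs in the JSON-like result Ansible prints on failure.
# A regex is used instead of json.loads because log lines are often truncated.
_PAIR = re.compile(
    r'"(?P<key>[^"]*(?:%s)[^"]*)"\s*:\s*"(?P<val>(?:[^"\\]|\\.)*)"'
    % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)


def find_leaks(lines):
    """Return (line_number, task_name, key) for each sensitive value in clear text."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        # Layout: timestamp | task uuid | status | task name | host | item | result
        fields = [field.strip() for field in line.split(" | ")]
        task = fields[3] if len(fields) > 3 else "<unknown task>"
        for match in _PAIR.finditer(line):
            if match.group("val"):  # an empty value leaks nothing
                leaks.append((number, task, match.group("key")))
    return leaks


def redact(line):
    """Replace every sensitive value in a log line with a fixed placeholder."""
    return _PAIR.sub(lambda m: '"%s": "<redacted>"' % m.group("key"), line)


# Constructed sample lines: the first mimics the leak reported in this bug,
# the second shows the same failure once the task result is hidden by no_log.
SAMPLE_LOG = [
    '2022-11-28 16:08:38.471435 | 00000000-0000 | FATAL | Check password of '
    'Keystone user | undercloud | item=cinder | error={"msg": "MODULE FAILURE", '
    '"rc": 1, "tripleo_keystone_resources_data": {"cinder": {"password": '
    '"CONSTRUCTED-not-a-real-secret", "roles": ["admin", "service"]}}}',
    '2022-11-28 16:08:39.000000 | 00000000-0001 | FATAL | Check password of '
    'Keystone user | undercloud | item=cinder | error={"censored": "the output '
    'has been hidden due to the fact that \'no_log: true\' was specified for '
    'this result"}',
]

if __name__ == "__main__":
    for number, task, key in find_leaks(SAMPLE_LOG):
        print("line %d: task %r logs a clear-text %r value" % (number, task, key))
```
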

description: updated
Changed in tripleo:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Takashi Kajinami (kajinamit)
milestone: none → antelope-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)
Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/865928
Committed: https://opendev.org/openstack/tripleo-ansible/commit/fc758a2fbdda193b0a161bf4de36ffde5df789f6
Submitter: "Zuul (22348)"
Branch: master

commit fc758a2fbdda193b0a161bf4de36ffde5df789f6
Author: Takashi Kajinami <email address hidden>
Date: Tue Nov 29 10:55:08 2022 +0900

    Hide output which can contain password strings

    The change I68a89e413b7c3eecb747386998bd36314250384b introduced
    the task to check whether the password is valid but this task dumps
    a raw password string in case password authentication failed for some
    reason (eg. the user is not yet created).

    This change ensures the output is hidden, unless users explicitly
    enable sensitive logs.

    Closes-Bug: #1998158
    Change-Id: I3214109f4f75620abc25d48db86179a8a411ccc7

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/865903

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/867157

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/867192

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/865903
Committed: https://opendev.org/openstack/tripleo-ansible/commit/0eb136ebdf9714139783083911a6f47de020930e
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 0eb136ebdf9714139783083911a6f47de020930e
Author: Takashi Kajinami <email address hidden>
Date: Tue Nov 29 10:55:08 2022 +0900

    Hide output which can contain password strings

    The change I68a89e413b7c3eecb747386998bd36314250384b introduced
    the task to check whether the password is valid but this task dumps
    a raw password string in case password authentication failed for some
    reason (eg. the user is not yet created).

    This change ensures the output is hidden, unless users explicitly
    enable sensitive logs.

    Closes-Bug: #1998158
    Change-Id: I3214109f4f75620abc25d48db86179a8a411ccc7
    (cherry picked from commit fc758a2fbdda193b0a161bf4de36ffde5df789f6)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 6.0.0

This issue was fixed in the openstack/tripleo-ansible 6.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/867157
Committed: https://opendev.org/openstack/tripleo-ansible/commit/f566c54c3513f24c2501bfb295b526384efc99e9
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit f566c54c3513f24c2501bfb295b526384efc99e9
Author: Takashi Kajinami <email address hidden>
Date: Tue Nov 29 10:55:08 2022 +0900

    Hide output which can contain password strings

    The change I68a89e413b7c3eecb747386998bd36314250384b introduced
    the task to check whether the password is valid but this task dumps
    a raw password string in case password authentication failed for some
    reason (eg. the user is not yet created).

    This change ensures the output is hidden, unless users explicitly
    enable sensitive logs.

    Closes-Bug: #1998158
    Change-Id: I3214109f4f75620abc25d48db86179a8a411ccc7
    (cherry picked from commit fc758a2fbdda193b0a161bf4de36ffde5df789f6)
    (cherry picked from commit 0eb136ebdf9714139783083911a6f47de020930e)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/867192
Committed: https://opendev.org/openstack/tripleo-ansible/commit/a711c9412948263b1ca1fe8713996d7f7c745c87
Submitter: "Zuul (22348)"
Branch: stable/train

commit a711c9412948263b1ca1fe8713996d7f7c745c87
Author: Takashi Kajinami <email address hidden>
Date: Tue Nov 29 10:55:08 2022 +0900

    Hide output which can contain password strings

    The change I68a89e413b7c3eecb747386998bd36314250384b introduced
    the task to check whether the password is valid but this task dumps
    a raw password string in case password authentication failed for some
    reason (eg. the user is not yet created).

    This change ensures the output is hidden, unless users explicitly
    enable sensitive logs.

    Closes-Bug: #1998158
    Change-Id: I3214109f4f75620abc25d48db86179a8a411ccc7
    (cherry picked from commit fc758a2fbdda193b0a161bf4de36ffde5df789f6)
    (cherry picked from commit 0eb136ebdf9714139783083911a6f47de020930e)
    (cherry picked from commit f566c54c3513f24c2501bfb295b526384efc99e9)

tags: added: in-stable-train