Bug 1229302

Summary: /etc/puppet/hieradata/compute.yaml is world readable with plain text passwords
Product: Red Hat OpenStack
Reporter: Attila Fazekas <afazekas>
Component: openstack-tripleo-puppet-elements
Assignee: James Slagle <jslagle>
Status: CLOSED ERRATA
QA Contact: Attila Fazekas <afazekas>
Severity: unspecified
Docs Contact:
Priority: high
Version: Director
CC: afazekas, calfonso, dmacpher, jruzicka, jslagle, mburns, ohochman, pbrady, rhel-osp-director-maint, rrosa, sbaker, sclewis, yeylon
Target Milestone: ga
Keywords: Reopened, Triaged
Target Release: Director
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-puppet-elements-0.0.1-2
Doc Type: Bug Fix
Doc Text:
The os-apply-config command created /etc/puppet/hieradata with open permissions. The files in this directory contained passwords and tokens that could provide unauthorized access to the OpenStack installation. This fix sets /etc/puppet/hieradata as a root-owned directory with 0700 permissions. Only the root user can access /etc/puppet/hieradata, which provides a more secure installation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-05 13:52:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 5 James Slagle 2015-07-07 20:31:22 UTC
I'm unable to reproduce this using the provided images from 2015-06-26.

it should have been addressed by:
https://review.openstack.org/183509

Steve, I commented on the upstream review, but I don't think changing the umask from 077 to 0077 actually makes any difference.

I think this was fixed by Derek's earlier patch, and that just hadn't made it into the image builds when this was first reported on 2015-06-08.

Comment 6 James Slagle 2015-07-07 20:34:12 UTC
note that https://review.openstack.org/183509 was in the 0.0.1 release of tripleo-puppet-elements and built into openstack-tripleo-puppet-elements-0.0.1-2

Comment 7 Steve Baker 2015-07-08 00:03:01 UTC
Permissions on /etc/puppet/hieradata look good now on puddle 2015-07-02-1.

I have abandoned the upstream change.

Comment 8 James Slagle 2015-07-08 19:04:12 UTC
qe: please retest this and confirm permissions are 0700 on /etc/puppet/hieradata on the overcloud nodes

Comment 10 Attila Fazekas 2015-07-15 13:47:43 UTC
Now I created a deployment with http://rhos-release.virt.bos.redhat.com/mburns/2015-07-13.1/images/ .

The n-cpu node seems ok.
[heat-admin@overcloud-compute-0 ~]$ ls -ld /etc/puppet/hieradata/
drwx------. 2 root root 4096 Jul 15 09:09 /etc/puppet/hieradata/

Comment 11 Mike Burns 2015-07-15 13:55:41 UTC
Attila -- we should mark this verified, not closed currentrelease.

Comment 12 Attila Fazekas 2015-07-21 14:18:24 UTC
os-refresh-config creates the directory with 700 at the first run,
but it does not change the permissions if the directory already exists with the wrong permissions.

The directory does not exist on the base images.
So, if anyone has a system installed from the old images, he needs to change the permissions manually; newly installed systems are expected to be ok.
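Comment 8 asks QE to confirm that /etc/puppet/hieradata is 0700 on the overcloud nodes, and comment 12 notes that os-refresh-config only sets that mode on first creation, so hosts built from older images have to be fixed by hand. The script below is an added example written for this page; it is not code from the bug report, from os-refresh-config or from the tripleo-puppet-elements project. It assumes GNU `stat -c` (coreutils, as on RHEL), and the function names, the `audit`/`fix` arguments and the sample YAML key in the usage comment are all made up for the example; the default path /etc/puppet/hieradata, the owner root and the 0700 mode come from the bug. The check also expects the files inside the directory to be 0600 (or 0400), which is a stricter condition than the report states.

```shell
#!/bin/sh
# Added example (not from the bug report or the tripleo-puppet-elements project).
# Audits and remediates the permissions of a hieradata directory. Assumes GNU
# stat -c. The default directory and owner come from the bug; everything else is
# hypothetical.

# check_hieradata_perms [DIR] [OWNER]
# Returns 0 when DIR is a directory owned by OWNER with mode 0700 and every
# regular file in it is owned by OWNER with mode 0600 or 0400. Otherwise it
# prints each violation and returns 1, so it can be run from a compliance job.
check_hieradata_perms() {
    dir=${1:-/etc/puppet/hieradata}
    owner=${2:-root}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    # stat prints "<octal mode> <owner name>"; split it into $1 and $2
    set -- $(stat -c '%a %U' "$dir")
    if [ "$1" != "700" ] || [ "$2" != "$owner" ]; then
        echo "bad directory perms: $dir mode=$1 owner=$2 (want 700 $owner)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(stat -c '%a %U' "$f")
        case "$1" in
            600|400) ;;
            *) echo "bad file perms: $f mode=$1 (want 600)"; rc=1 ;;
        esac
        if [ "$2" != "$owner" ]; then
            echo "bad file owner: $f owner=$2 (want $owner)"
            rc=1
        fi
    done
    return $rc
}

# fix_hieradata_perms [DIR] [OWNER]
# The manual remediation comment 12 describes for hosts installed from the old
# images: close the directory to 0700 and its files to 0600. Ownership is only
# changed when running as root, because chown would fail for anyone else.
fix_hieradata_perms() {
    dir=${1:-/etc/puppet/hieradata}
    owner=${2:-root}
    [ -d "$dir" ] || return 1
    chmod 0700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    if [ "$(id -u)" = "0" ]; then
        chown -R "$owner" "$dir"
    fi
}

# Usage (hypothetical script name):
#   sh audit_hieradata.sh audit            # report, exit 1 if anything is open
#   sudo sh audit_hieradata.sh fix         # remediate an upgraded node
#   sh audit_hieradata.sh audit /tmp/h me  # check a different tree/owner
case "${1:-}" in
    audit) check_hieradata_perms "$2" "$3" ;;
    fix)   fix_hieradata_perms "$2" "$3" ;;
esac
```

Running the `audit` mode on every overcloud node after an upgrade is the quick way to catch the case comment 12 warns about: a directory that already existed with open permissions before the fixed os-refresh-config ran, which the fixed package leaves untouched.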

Comment 14 errata-xmlrpc 2015-08-05 13:52:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549