Bug 1566854
| Summary: | paramertes in serviceinstance.automationbroker.io shouldn't be in plaintext | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Zihan Tang <zitang> |
| Component: | Service Broker | Assignee: | Jesus M. Rodriguez <jesusr> |
| Status: | CLOSED WONTFIX | QA Contact: | Zihan Tang <zitang> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.10.0 | CC: | aos-bugs, chezhang, jiazha, jmatthew, rszumski, zhsun |
| Target Milestone: | --- | ||
| Target Release: | 4.2.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-17 21:23:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
While it may be surprising to see the data in plain text in this representation, for practical purposes the security of this data is not substantially different than if it were in a secret. RBAC guarantees that this data can only be seen by the users and groups listed below.
We do intend to move these parameters into secrets in the future to gain a slight incremental advantage, but we do not believe there is a problem today, nor is there an opportunity to substantially improve the security of how this data is stored.
####
$ oc adm policy who-can describe serviceinstance.automationbroker.io -n ansible-service-broker
Namespace: ansible-service-broker
Verb: describe
Resource: serviceinstances.automationbroker.io
Users: admin
system:admin
system:serviceaccount:ansible-service-broker:asb
system:serviceaccount:default:pvinstaller
system:serviceaccount:kube-service-catalog:service-catalog-controller
system:serviceaccount:kube-system:clusterrole-aggregation-controller
Groups: system:cluster-admins
system:masters
Due to reduced investment in Service Brokers/Ansible Service Broker, this feature request will not move forward at this time. |
Description of problem: paramertes in serviceinstance.automationbroker.io shouldn't be in plaintext Version-Release number of selected component (if applicable): asb version : 1.2.5 How reproducible: always Steps to Reproduce: 1. provision a postgresql-apb 2. check the asb's CR serviceinstance.automationbroker.io Actual results: the parameters in serviceinstance.automationbroker.io is in plaintext [root@host-172-16-120-84 ~]# oc describe serviceinstance.automationbroker.io ad564a7d-3ed9-11e8-a8d4-0a580a80000b Name: ad564a7d-3ed9-11e8-a8d4-0a580a80000b Namespace: openshift-ansible-service-broker Labels: <none> Annotations: <none> API Version: automationbroker.io/v1 Kind: ServiceInstance Metadata: Cluster Name: Creation Timestamp: 2018-04-13T05:15:29Z Resource Version: 26949 Self Link: /apis/automationbroker.io/v1/namespaces/openshift-ansible-service-broker/serviceinstances/ad564a7d-3ed9-11e8-a8d4-0a580a80000b UID: aecde256-3ed9-11e8-ab72-fa163e702292 Spec: Binding I Ds: Bundle ID: 03b69500305d9859bb9440d9f9023784 Context: Namespace: test Plateform: kubernetes Parameters: {"_apb_last_requesting_user":"zitang","_apb_plan_id":"default","_apb_service_class_id":"03b69500305d9859bb9440d9f9023784","_apb_service_instance_id":"ad564a7d-3ed9-11e8-a8d4-0a580a80000b","mediawiki_admin_pass":"dddd","mediawiki_admin_user":"admin","mediawiki_db_schema":"mediawiki","mediawiki_site_lang":"en","mediawiki_site_name":"MediaWiki"} Events: <none> Expected results: the parameters especially username&password is not in plaintext Additional info: