Bug 1872322

Summary: Ironic conductor log displays BMC credentials in plain text
Product: OpenShift Container Platform
Reporter: rlopez
Component: Bare Metal Hardware Provisioning
Sub Component: ironic
Assignee: Dmitry Tantsur <dtantsur>
QA Contact: Polina Rabinovich <prabinov>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: beth.white, bfournie, pablo.iranzo, prabinov, rpittau
Version: 4.6
Keywords: Triaged
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ironic-container-v4.6.0-202008290042
Doc Type: Bug Fix
Doc Text:
The ironic-conductor container logs no longer contain BMC passwords when using Redfish with session authentication.
Last Closed: 2020-10-27 16:32:45 UTC
Type: Bug

Description rlopez 2020-08-25 13:52:59 UTC
Description of problem:

Attempting an installation of IPI on BM using idrac-redfish for Dell servers produced in the logs a POST command with the BMC credentials in plain text. I scrubbed the data below but wanted to show what I see in the logs.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install IPI on BM latest 4.6 nightly (4.6.0-0.nightly-2020-08-24-100004)


2020-08-25 13:07:14.556 1 DEBUG sushy.connector [req-16dbbd70-ad05-44ef-940f-e56279abf7f1 - - - - -] HTTP request: POST https://<server>/redfish/v1/SessionService/Sessions; headers: {'X-Auth-Token': None, 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': 'password'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:99
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings



A patch has been created by Dmitry: https://review.opendev.org/#/c/747951/

Comment 1 Bob Fournier 2020-09-01 12:00:28 UTC
See update on tagged package in https://bugzilla.redhat.com/show_bug.cgi?id=1872341.  Fix has been merged and pkg has been tagged and is available in ironic-container-v4.6.0-202008290042.p0 (https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1300877).

Comment 4 Polina Rabinovich 2020-09-10 11:57:13 UTC
Version - 4.6.0-0.nightly-2020-09-10-054902

From bootstrap: 

2020-09-10 10:47:12.664 1 DEBUG sushy.connector [req-d7384c3a-5e60-49a2-9f0f-06f654ab48e6 - - - - -] HTTP request: POST https://10.46.2.222/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 10:47:12.776 1 DEBUG sushy.connector [req-9380b505-49cb-4d11-ba1b-afa5ce46da64 - - - - -] HTTP request: POST https://10.46.2.221/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 10:47:12.780 1 DEBUG sushy.connector [req-9e418acc-0470-4062-b66d-c33d37302966 - - - - -] HTTP request: POST https://10.46.2.220/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102

From master ironic:

2020-09-10 11:41:38.350 1 DEBUG sushy.connector [req-551557e5-fe4e-4677-9670-925effa48857 ironic-user - - - -] HTTP request: POST https://10.46.2.224/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:38.445 1 DEBUG sushy.connector [req-ef4e24ef-fe36-43f9-ab50-0fdaa4cb6f36 ironic-user - - - -] HTTP request: POST https://10.46.2.229/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:38.689 1 DEBUG sushy.connector [req-6a225e42-7574-4278-b655-59fdaba29a3d ironic-user - - - -] HTTP request: POST https://10.46.2.223/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:39.057 1 DEBUG sushy.connector [req-dce70684-32a9-42f7-a5ee-66238bf0f54f ironic-user - - - -] HTTP request: POST https://10.46.2.222/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:39.351 1 DEBUG sushy.connector [req-3b5cf3a9-5b92-4038-9522-585ffc502b19 ironic-user - - - -] HTTP request: POST https://10.46.2.230/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:39.405 1 DEBUG sushy.connector [req-70d88aca-da02-48b6-acb7-426ac0c1c494 ironic-user - - - -] HTTP request: POST https://10.46.2.221/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:40.128 1 DEBUG sushy.connector [req-b148ccfa-f129-47d3-a759-f09006341166 ironic-user - - - -] HTTP request: POST https://10.46.2.220/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:
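
An added example, not part of the bug report and not sushy's own code: a Python audit that parses sushy.connector request lines in the format quoted above and reports which ones still carry an unmasked Password or X-Auth-Token, so the affected BMC credentials can be rotated. The sample lines, hosts and secret are constructed, and the list of sensitive keys is an assumption.

```python
import ast
import re

SENSITIVE_KEYS = {"password", "x-auth-token", "authorization"}  # assumed list
MASK = "***"  # mask seen in the fixed log lines on this page

# sushy.connector DEBUG request line, in the format quoted on this page.
REQUEST_RE = re.compile(
    r"HTTP request: [A-Z]+ (?P<url>\S+); headers: (?P<headers>\{.*?\}); "
    r"body: (?P<body>\{.*?\}|None); blocking:"
)

def _walk(obj, path):
    """Yield dotted paths of sensitive keys that hold an unmasked string."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if (str(key).lower() in SENSITIVE_KEYS
                    and isinstance(value, str) and value not in ("", MASK)):
                yield here
            yield from _walk(value, here)
    elif isinstance(obj, (list, tuple)):
        for item in obj:
            yield from _walk(item, path)

def leaked_fields(line):
    """Return (url, [leaked paths]) for a request line, None for other lines."""
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    leaks = []
    for part in ("headers", "body"):
        try:
            leaks.extend(_walk(ast.literal_eval(match.group(part)), part))
        except (ValueError, SyntaxError):
            leaks.append(f"{part}:unparsed")  # do not assume it is clean
    return match.group("url"), leaks

def audit(lines):
    """Return only the request lines that expose a credential."""
    hits = (leaked_fields(line) for line in lines)
    return [hit for hit in hits if hit and hit[1]]

# Constructed sample lines (hosts and secret are made up), same layout as above.
_TAIL = "; blocking: False; timeout: 60; session arguments: {}; _op"
_BODY = "'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': "
SAMPLE_LOG = [
    "DEBUG sushy.connector [req-1] HTTP request: POST https://bmc-a.example.test"
    "/redfish/v1/SessionService/Sessions; headers: {'X-Auth-Token': None, "
    + _BODY + "'example-secret'}" + _TAIL,
    "DEBUG sushy.connector [req-2] HTTP request: POST https://bmc-b.example.test"
    "/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', "
    + _BODY + "'***'}" + _TAIL,
    "InsecureRequestWarning: Unverified HTTPS request is being made.",
]
```

`audit(SAMPLE_LOG)` returns only the first line's URL with `body.Password`; the masked line and the warning line are not reported.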

Comment 6 errata-xmlrpc 2020-10-27 16:32:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196