Description Maciej Relewicz
2022-09-02 14:55:48 UTC
Description of problem:
There is a file:
(undercloud) [stack@undercloud ~]$ ls -lah /etc/openstack/clouds.yaml
-rw-r--r--. 1 root root 582 Aug 22 11:41 /etc/openstack/clouds.yaml
which contains plaintext passwords to undercloud and overcloud clouds, and it can be read by anyone.
It comes from
sudo grep -r tripleo_keystone_resources_clouds_file_path /usr/
/usr/share/ansible/roles/tripleo-keystone-resources/defaults/main.yml:tripleo_keystone_resources_clouds_file_path: /etc/openstack/clouds.yaml
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:- name: "Check if {{ tripleo_keystone_resources_clouds_file_path }} exists"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml: path: "{{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:- name: "Create empty {{ tripleo_keystone_resources_clouds_file_path }} if it does not exist"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml: dest: "{{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml:- name: "Configure {{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml: tripleo_config_dest: "{{ tripleo_keystone_resources_clouds_file_path }}"
/usr/share/ansible/roles/tripleo-keystone-resources/tasks/clouds.yml: tripleo_config_src: "{{ tripleo_keystone_resources_clouds_file_path }}"
Version-Release number of selected component (if applicable):
How reproducible:
always
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
File permission was changed as expected:
[stack@undercloud-0 ~]$ ls -lah /etc/openstack/clouds.yaml
-rw-------. 1 root root 595 Oct 6 13:45 /etc/openstack/clouds.yaml
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Important: Red Hat OpenStack Platform (tripleo-ansible) security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2022:6969
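
A check for the condition reported in this bug, as an added example that is not part of the bug report or of tripleo-ansible: it flags a clouds.yaml that contains password entries while any group or other permission bit is set. The helper name audit_clouds_file is hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not tripleo-ansible code). audit_clouds_file is a hypothetical
# helper name; `stat -c` assumes GNU coreutils, as shipped on RHEL.

# Return codes: 0 = not exposed, 1 = password entries readable by group/other,
# 2 = file missing or cannot be inspected.
audit_clouds_file() {
    acf_path=$1
    [ -e "$acf_path" ] || { echo "MISSING  $acf_path"; return 2; }
    acf_mode=$(stat -L -c '%a' "$acf_path") || return 2
    # Any bit in the low six (group and other) means more than owner-only access.
    if [ $(( 0$acf_mode & 077 )) -eq 0 ]; then
        echo "OK       $acf_path (mode $acf_mode)"
        return 0
    fi
    # A loose mode matters most when the file really carries secrets.
    # clouds.yaml keeps them under an auth block as "password: ...".
    if grep -Eq '^[[:space:]]*password[[:space:]]*:' "$acf_path" 2>/dev/null; then
        echo "EXPOSED  $acf_path (mode $acf_mode, contains password entries)"
        return 1
    fi
    echo "NOTE     $acf_path (mode $acf_mode, no password entries found)"
    return 0
}

# Audit the paths given as arguments; with none, use the path from this report.
[ "$#" -gt 0 ] || set -- /etc/openstack/clouds.yaml
for acf_file in "$@"; do
    audit_clouds_file "$acf_file" || true
done
```

With the mode shown in the original report (-rw-r--r--) the function reports EXPOSED; with the mode shown after the fix (-rw-------) it reports OK.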