Bug 1566854 - parameters in serviceinstance.automationbroker.io shouldn't be in plaintext
Summary: parameters in serviceinstance.automationbroker.io shouldn't be in plaintext
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.2.0
Assignee: Jesus M. Rodriguez
QA Contact: Zihan Tang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-13 06:00 UTC by Zihan Tang
Modified: 2019-06-17 21:23 UTC
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-17 21:23:26 UTC
Target Upstream Version:



Description Zihan Tang 2018-04-13 06:00:30 UTC
Description of problem:
parameters in serviceinstance.automationbroker.io shouldn't be in plaintext

Version-Release number of selected component (if applicable):
asb version : 1.2.5

How reproducible:
always

Steps to Reproduce:
1. provision a postgresql-apb
2. check the asb's CR serviceinstance.automationbroker.io 

Actual results:
the parameters in serviceinstance.automationbroker.io are in plaintext
[root@host-172-16-120-84 ~]# oc describe serviceinstance.automationbroker.io  ad564a7d-3ed9-11e8-a8d4-0a580a80000b
Name:         ad564a7d-3ed9-11e8-a8d4-0a580a80000b
Namespace:    openshift-ansible-service-broker
Labels:       <none>
Annotations:  <none>
API Version:  automationbroker.io/v1
Kind:         ServiceInstance
Metadata:
  Cluster Name:        
  Creation Timestamp:  2018-04-13T05:15:29Z
  Resource Version:    26949
  Self Link:           /apis/automationbroker.io/v1/namespaces/openshift-ansible-service-broker/serviceinstances/ad564a7d-3ed9-11e8-a8d4-0a580a80000b
  UID:                 aecde256-3ed9-11e8-ab72-fa163e702292
Spec:
  Binding I Ds:
  Bundle ID:  03b69500305d9859bb9440d9f9023784
  Context:
    Namespace:  test
    Plateform:  kubernetes
  Parameters:   {"_apb_last_requesting_user":"zitang","_apb_plan_id":"default","_apb_service_class_id":"03b69500305d9859bb9440d9f9023784","_apb_service_instance_id":"ad564a7d-3ed9-11e8-a8d4-0a580a80000b","mediawiki_admin_pass":"dddd","mediawiki_admin_user":"admin","mediawiki_db_schema":"mediawiki","mediawiki_site_lang":"en","mediawiki_site_name":"MediaWiki"}
Events:         <none>

Expected results:
the parameters, especially username & password, are not in plaintext

Additional info:

Comment 1 Michael Hrivnak 2018-04-18 18:12:01 UTC
While it may be surprising to see the data in plain text in this representation, for practical purposes the security of this data is not substantially different than if it were in a secret. RBAC guarantees that this data can only be seen by the users and groups listed below.

We do intend to move these parameters into secrets in the future to gain a slight incremental advantage, but we do not believe there is a problem today, nor is there an opportunity to substantially improve the security of how this data is stored.

####

$ oc adm policy who-can describe serviceinstance.automationbroker.io -n ansible-service-broker
Namespace: ansible-service-broker
Verb:      describe
Resource:  serviceinstances.automationbroker.io

Users:  admin
        system:admin
        system:serviceaccount:ansible-service-broker:asb
        system:serviceaccount:default:pvinstaller
        system:serviceaccount:kube-service-catalog:service-catalog-controller
        system:serviceaccount:kube-system:clusterrole-aggregation-controller

Groups: system:cluster-admins
        system:masters

Comment 5 Rob Szumski 2019-06-17 21:23:26 UTC
Due to reduced investment in Service Brokers/Ansible Service Broker, this feature request will not move forward at this time.

