Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1678433

Summary: Installer does not secure vsphere.conf
Product: OpenShift Container Platform Reporter: tmlapp
Component: InstallerAssignee: Scott Dodson <sdodson>
Installer sub component: openshift-ansible QA Contact: Liang Xia <lxia>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: gpei
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The permissions on vsphere cloud configuration file have been restricted to prevent access from other users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-03 13:08:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description tmlapp 2019-02-18 18:29:20 UTC 
Description of problem:
The openshift-ansible installer does not secure the vsphere.conf cloudprovider config file in the template task when installed.

Version-Release number of the following components:
rpm -q openshift-ansible:
openshift-ansible-3.11.51-2.git.0.51c90a3.el7.noarch

How reproducible:

Steps to Reproduce:
1. Install openshift-ansible
2. Configure vsphere cloudprovider
3. deploy openshift


Actual results:
vsphere.conf cloud provider config file is mode 0644

Expected results:
vsphere.conf should not be world readable as it contains user credentials to manipulate vsphere config.

Additional info:
This has been patched upstream
https://github.com/openshift/openshift-ansible/pull/11155

Please merge and backport.
Thanks.
Comment 1 Scott Dodson 2019-02-18 20:07:03 UTC 
Referenced PR has merged and is in openshift-ansible-3.11.84-1 and later.
Comment 3 Liang Xia 2019-02-25 06:59:12 UTC 
# oc version ; ls -lh /etc/origin/cloudprovider/vsphere.conf 

oc v3.11.85
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

-rw-rw----. 1 root root 272 Feb 15 06:14 /etc/origin/cloudprovider/vsphere.conf
Comment 5 Scott Dodson 2019-05-03 13:08:49 UTC 
openshift-ansible-3.11.92-1.git.0.f2fade7.el7 included this fix