Bug 1724935 - changes required to templates to remove default values from jwt section of config json
Summary: changes required to templates to remove default values from jwt section of config json
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: cns-ansible
Version: ocs-3.11
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: OCS 3.11.z Batch Update 4
Assignee: John Mulligan
QA Contact: RamaKasturi
URL:
Whiteboard:
Depends On:
Blocks: 1701838 1726384
Reported: 2019-06-28 06:47 UTC by RamaKasturi
Modified: 2020-02-13 05:21 UTC
Fixed In Version: openshift-ansible-3.11.128-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1726384
Environment:
Last Closed: 2020-02-13 05:21:57 UTC
Embargoed:
Description RamaKasturi 2019-06-28 06:47:43 UTC
Description of problem:

Hit this issue while verifying bug https://bugzilla.redhat.com/show_bug.cgi?id=1701838#c21


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install OCS3.11.4 bits
2. Remove the heketi_admin and user key env variables from the heketi dc


Actual results:
Heketi pod gets respinned but does not throw any error even though the auth values are missing from the dc.



Expected results:
heketi pod will get respinned automatically and you should see the heketi pod fail to restart with an error message indicating that authentication parameters are missing.

Additional info:


Decoding the base64 shows the following config json:
{
        "_port_comment": "Heketi Server Port Number",
        "port" : "8080",

        "_use_auth": "Enable JWT authorization. Please enable for deployment",
        "use_auth" : false,

        "_jwt" : "Private keys for access",
        "jwt" : {
                "_admin" : "Admin has access to all APIs",
                "admin" : {
                        "key" : "My Secret"
                },
                "_user" : "User only has access to /volumes endpoint",
                "user" : {
                        "key" : "My Secret"
                }
        },

        "_glusterfs_comment": "GlusterFS Configuration",
        "glusterfs" : {

                "_executor_comment": "Execute plugin. Possible choices: mock, kubernetes, ssh",
                "executor" : "kubernetes",

                "_db_comment": "Database file name",
                "db" : "/var/lib/heketi/heketi.db",

                "sshexec" : {
                        "keyfile" : "/etc/heketi/private_key",
                        "port" : "22",
                        "user" : "root",
                        "sudo" : false
                },

                "_auto_create_block_hosting_volume": "Creates Block Hosting volumes automatically if not found or exsisting volume exhausted",
                "auto_create_block_hosting_volume": true,

                "_block_hosting_volume_size": "New block hosting volume will be created in size mentioned, This is considered only if auto-create is enabled.",
                "block_hosting_volume_size": 100
        }
}


Note the default values in the "jwt" section of the JSON. Because heketi is configured with the "My Secret" values it will pass the check for authentication values and run with these defaults. These defaults are not very good and we should probably make changes to the templates to remove these default values; they're only good for examples and we don't want to run with easily guessable secrets any more than no auth.

Can you please file BZs against cns-ansible for this?
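As an added illustration (not part of this bug report or of the heketi/openshift-ansible code), the following Python check audits a decoded heketi config JSON for the conditions described above: authorization disabled, a missing or empty jwt key, a key still set to the template placeholder "My Secret", or admin and user sharing one key. The sample config and the `audit_heketi_auth` / `audit_heketi_secret` names are constructed for this example.

```python
"""Audit a heketi config JSON for the weak JWT defaults described in this bug."""
import base64
import json

# Placeholder secret shipped in the heketi config template (seen in the decoded JSON above).
TEMPLATE_DEFAULT_KEY = "My Secret"


def audit_heketi_auth(config: dict) -> list:
    """Return a list of findings; an empty list means the JWT section is acceptable."""
    findings = []
    if not config.get("use_auth", False):
        findings.append("use_auth is disabled: heketi API is reachable without JWT authorization")
    jwt = config.get("jwt") or {}
    keys = {}
    for role in ("admin", "user"):
        key = (jwt.get(role) or {}).get("key")
        if not key:
            # This is the case the bug expects heketi itself to refuse to start on.
            findings.append(f"jwt.{role}.key is missing or empty")
            continue
        if key == TEMPLATE_DEFAULT_KEY:
            findings.append(f"jwt.{role}.key still holds the template default {TEMPLATE_DEFAULT_KEY!r}")
        keys[role] = key
    if len(keys) == 2 and keys["admin"] == keys["user"]:
        findings.append("jwt.admin.key and jwt.user.key are identical: user role effectively has admin access")
    return findings


def audit_heketi_secret(b64_config: str) -> list:
    """Decode a base64-encoded heketi.json (as stored in the OpenShift secret) and audit it."""
    return audit_heketi_auth(json.loads(base64.b64decode(b64_config)))


# Constructed sample mirroring the decoded template above: auth off, both keys "My Secret".
SAMPLE_CONFIG = {
    "port": "8080",
    "use_auth": False,
    "jwt": {"admin": {"key": "My Secret"}, "user": {"key": "My Secret"}},
    "glusterfs": {"executor": "kubernetes", "db": "/var/lib/heketi/heketi.db"},
}

if __name__ == "__main__":
    for finding in audit_heketi_auth(SAMPLE_CONFIG):
        print("FAIL:", finding)
```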
