Bug 1872322 - Ironic conductor log displays BMC credentials in plain text
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Dmitry Tantsur
QA Contact: Polina Rabinovich
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-08-25 13:52 UTC by rlopez
Modified: 2020-10-27 16:32 UTC

Fixed In Version: ironic-container-v4.6.0-202008290042
Doc Type: Bug Fix
Doc Text:
The ironic-conductor container logs no longer contain BMC passwords when using Redfish with session authentication.
Clone Of:
Environment:
Last Closed: 2020-10-27 16:32:45 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 747951 | 0 | None | MERGED | Do not log passwords and auth tokens when using SessionService | 2020-10-07 10:15:14 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:32:48 UTC

Description rlopez 2020-08-25 13:52:59 UTC
Description of problem:

Attempting an installation of IPI on BM using idrac-redfish for Dell servers produced in the logs a POST command with the BMC credentials in plain text. I scrubbed the data below but wanted to show what I see in the logs.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install IPI on BM latest 4.6 nightly (4.6.0-0.nightly-2020-08-24-100004)


2020-08-25 13:07:14.556 1 DEBUG sushy.connector [req-16dbbd70-ad05-44ef-940f-e56279abf7f1 - - - - -] HTTP request: POST https://<server>/redfish/v1/SessionService/Sessions; headers: {'X-Auth-Token': None, 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': 'password'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:99
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings



A patch has been created by Dmitry: https://review.opendev.org/#/c/747951/
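
An added example, not part of the original report and not the sushy or ironic code: one way to keep the Redfish SessionService password and the X-Auth-Token header out of a debug line is to format the message from masked copies while the real request keeps its values. The function names, logger name, host and credential values are hypothetical and constructed for illustration.

```python
import logging

LOG = logging.getLogger("redfish_client_example")  # hypothetical logger name

# Keys whose values must never reach a log line (compared case-insensitively).
SENSITIVE_KEYS = {"password", "x-auth-token"}
MASK = "***"


def sanitize(value):
    """Return a copy of value with sensitive dict entries masked.

    Recurses into nested dicts and lists. The caller's object is not
    modified, so the request that is actually sent keeps its credentials.
    """
    if isinstance(value, dict):
        return {
            key: MASK if str(key).lower() in SENSITIVE_KEYS else sanitize(item)
            for key, item in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [sanitize(item) for item in value]
    return value


def describe_request(method, url, headers, body):
    """Build the debug message from sanitized copies only."""
    return "HTTP request: %s %s; headers: %s; body: %s" % (
        method, url, sanitize(headers), sanitize(body))


def open_session_logged(url, username, password):
    """Prepare a session-creation request and log it without secrets.

    Returns the logged message and the untouched body that would be sent.
    """
    headers = {"X-Auth-Token": None, "OData-Version": "4.0"}
    body = {"UserName": username, "Password": password}
    message = describe_request("POST", url, headers, body)
    LOG.debug(message)
    return message, body
```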

Comment 1 Bob Fournier 2020-09-01 12:00:28 UTC
See update on tagged package in https://bugzilla.redhat.com/show_bug.cgi?id=1872341.  Fix has been merged and pkg has been tagged and is available in ironic-container-v4.6.0-202008290042.p0 (https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1300877).

Comment 4 Polina Rabinovich 2020-09-10 11:57:13 UTC
Version - 4.6.0-0.nightly-2020-09-10-054902

From bootstrap: 

2020-09-10 10:47:12.664 1 DEBUG sushy.connector [req-d7384c3a-5e60-49a2-9f0f-06f654ab48e6 - - - - -] HTTP request: POST https://10.46.2.222/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 10:47:12.776 1 DEBUG sushy.connector [req-9380b505-49cb-4d11-ba1b-afa5ce46da64 - - - - -] HTTP request: POST https://10.46.2.221/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 10:47:12.780 1 DEBUG sushy.connector [req-9e418acc-0470-4062-b66d-c33d37302966 - - - - -] HTTP request: POST https://10.46.2.220/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102

From master ironic:

2020-09-10 11:41:38.350 1 DEBUG sushy.connector [req-551557e5-fe4e-4677-9670-925effa48857 ironic-user - - - -] HTTP request: POST https://10.46.2.224/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:38.445 1 DEBUG sushy.connector [req-ef4e24ef-fe36-43f9-ab50-0fdaa4cb6f36 ironic-user - - - -] HTTP request: POST https://10.46.2.229/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:38.689 1 DEBUG sushy.connector [req-6a225e42-7574-4278-b655-59fdaba29a3d ironic-user - - - -] HTTP request: POST https://10.46.2.223/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:39.057 1 DEBUG sushy.connector [req-dce70684-32a9-42f7-a5ee-66238bf0f54f ironic-user - - - -] HTTP request: POST https://10.46.2.222/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:39.351 1 DEBUG sushy.connector [req-3b5cf3a9-5b92-4038-9522-585ffc502b19 ironic-user - - - -] HTTP request: POST https://10.46.2.230/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:39.405 1 DEBUG sushy.connector [req-70d88aca-da02-48b6-acb7-426ac0c1c494 ironic-user - - - -] HTTP request: POST https://10.46.2.221/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-09-10 11:41:40.128 1 DEBUG sushy.connector [req-b148ccfa-f129-47d3-a759-f09006341166 ironic-user - - - -] HTTP request: POST https://10.46.2.220/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:
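
An added example, not part of the original report: the check performed by eye in the comment above can be automated by parsing each sushy.connector "HTTP request" DEBUG line and flagging any `Password` or `X-Auth-Token` value that is neither `None` nor the `***` mask. The sample log is constructed in the format quoted in this report, with placeholder hosts and values; the function names are hypothetical.

```python
import ast
import re

# One sushy.connector DEBUG line, in the format quoted in this report.
REQUEST_RE = re.compile(
    r"sushy\.connector .*?HTTP request: (?P<method>\S+) (?P<url>\S+); "
    r"headers: (?P<headers>\{.*?\}); body: (?P<body>\{.*?\}|None); blocking:")
MASK = "***"
SECRET_FIELDS = {"headers": ("X-Auth-Token",), "body": ("Password",)}


def audit_line(line):
    """Return (url, field) pairs for unmasked secrets found in one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    for part, names in SECRET_FIELDS.items():
        try:
            data = ast.literal_eval(match.group(part))
        except (ValueError, SyntaxError):
            findings.append((match.group("url"), part + ":unparseable"))
            continue
        if not isinstance(data, dict):
            continue
        for name in names:
            value = data.get(name)
            # None means no value was sent; anything else must be the mask.
            if value is not None and value != MASK:
                findings.append((match.group("url"), name))
    return findings


def audit_log(text):
    """Audit every line; findings carry the line number, never the secret."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        for url, field in audit_line(line):
            results.append((number, url, field))
    return results


# Constructed sample in the format shown in this report (placeholder values).
SAMPLE_LOG = """\
2020-01-01 00:00:00.000 1 DEBUG sushy.connector [req-0 - - - - -] HTTP request: POST https://bmc1.example/redfish/v1/SessionService/Sessions; headers: {'X-Auth-Token': None, 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': 'constructed-secret'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:99
2020-01-01 00:00:01.000 1 DEBUG sushy.connector [req-1 - - - - -] HTTP request: POST https://bmc2.example/redfish/v1/SessionService/Sessions/; headers: {'X-Auth-Token': '***', 'OData-Version': '4.0'}; body: {'UserName': 'admin', 'Password': '***'}; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
2020-01-01 00:00:02.000 1 DEBUG sushy.connector [req-2 - - - - -] HTTP request: GET https://bmc2.example/redfish/v1/Systems; headers: {'X-Auth-Token': 'constructed-token', 'OData-Version': '4.0'}; body: None; blocking: False; timeout: 60; session arguments: {}; _op /usr/lib/python3.6/site-packages/sushy/connector.py:102
"""
```

Findings report only the line number, URL and field name, so the audit output does not become a second copy of the secret.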

Comment 6 errata-xmlrpc 2020-10-27 16:32:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

