2096327 – [RFE] To be able to return the bmc password as part of the interface api when enabling it via the settings.

Bug 2096327 - [RFE] To be able to return the bmc password as part of the interface api when enabling it via the settings.

Summary: [RFE] To be able to return the bmc password as part of the interface api when...

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	API
Sub Component:
Version:	6.10.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Satellite QE Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-06-13 14:33 UTC by Kobi Hakimi
Modified:	2023-07-21 21:06 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Kobi Hakimi 2022-06-13 14:33:53 UTC

Description of problem:
RFE: To be able to return the bmc password as part of the interface api when enabling it via the settings.

Version-Release number of selected component (if applicable):
Red Hat Satellite (build: 6.10.1.1)
Version 6.10 © 2022 Red Hat Inc.


How reproducible:
100%

Steps to Reproduce:
1. Run the api request /api/hosts/<host_id_name>/interfaces 

Actual results:
return json with all interfaces. 
but the bmc interface is without the password. 
something like:
{..."type":"bmc","execution":false,"username":"root","provider":"IPMI",...}


Expected results:
To be able to get the password in special cases when we add in the setting a special flag that allows it. 

Additional info:
In the previous versions the password field was exposed as clear text by default until the following CVE:
https://github.com/advisories/GHSA-7h9m-xcfj-p257

Thanks to orabin who helped me with this issue.

Comment 1 Adam Ruzicka 2023-06-13 11:30:11 UTC

> To be able to return the bmc password as part of the interface api

What is the use case for this?

> To be able to get the password in special cases when we add in the setting a special flag that allows it. 

So there would be a setting that would enable or disable this globally?

Comment 2 Kobi Hakimi 2023-06-14 15:32:53 UTC

Hi Adam,
please read my answers inline:

(In reply to Adam Ruzicka from comment #1)
> > To be able to return the bmc password as part of the interface api
> 
> What is the use case for this?
In the previous Foreman version, we used the API to get the BMC interface details including the password and run cli operations on the host(reboot, power down/up)
currently, we use another automation infrastructure to get the bmc password.
so if no one else asked for it you can ignore this request.

  
> 
> > To be able to get the password in special cases when we add in the setting a special flag that allows it. 
> 
> So there would be a setting that would enable or disable this globally?
It could be global but to reduce the risk maybe it would be better to do it per host.

Thanks in advance,
    Kobi

Comment 3 Brad Buckingham 2023-07-21 21:06:39 UTC

Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.

Note You need to log in before you can comment on or make changes to this bug.