6e16c051ba
When generating a random string, once we had selected from the various required pools, we continued by selecting a pool at random and then selecting a character from that pool at random. This did not take into account the differing sizes of the available pools, nor the fact that the same character could appear in multiple pools, which resulted in a non-uniform probability distribution of characters. Since users mostly make use of this feature to generate default passwords for services they are deploying, this would result in the generated passwords having slightly less entropy than expected (and pathological cases were possible).

Rectify this by always selecting non-constrained characters from a single combined pool, and by ensuring that each character appears only once in any pool we're selecting from.

Since we also want to use this method to generate passwords for OpenStack Users, the new implementation is in a separate module in heat.common rather than mixed in with the resource's logic. Also, use a StringIO object to collect the characters rather than repeatedly appending to a string.

Change-Id: Ia7b63e72c1e3c0649290caf4fea8a32f7f89560b
Closes-Bug: #1757300
Related-Bug: #1666129
Related-Bug: #1444429
10 lines
429 B
YAML
---
security:
  - |
    Passwords generated by the OS::Heat::RandomString resource may have had
    less entropy than expected, depending on what is specified in the
    ``character_class`` and ``character_sequence`` properties. This has been
    corrected so that each character present in any of the specified classes
    or sequences now has an equal probability of appearing at each point in
    the generated random string.
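The effect described in the commit message and release note can be measured exactly. The following is an added example, not code from this commit or from Heat: it models pool-then-character selection against selection from one combined, de-duplicated pool and computes the entropy per character for each. The function names, the `(pool, minimum)` constraint shape, the final shuffle and the sample pools are assumptions made for illustration.

```python
import math
import secrets
import string
from fractions import Fraction

def pool_then_char_distribution(pools):
    """Exact per-character probability when a pool is chosen uniformly,
    then a character uniformly from that pool (the behaviour being fixed)."""
    dist = {}
    for pool in pools:
        for ch in pool:  # a character repeated across pools accumulates weight
            dist[ch] = dist.get(ch, Fraction(0)) + Fraction(1, len(pools) * len(pool))
    return dist

def combined_pool(pools):
    """One pool in which every character appears exactly once."""
    return sorted(set().union(*pools))

def uniform_distribution(pools):
    chars = combined_pool(pools)
    return {ch: Fraction(1, len(chars)) for ch in chars}

def entropy_bits(dist):
    """Shannon entropy per generated character, in bits."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values())

def generate(length, constraints):
    """constraints: list of (pool, minimum) pairs (hypothetical shape).
    Required characters come from their own de-duplicated pool; every
    remaining position comes from the single combined pool."""
    rng = secrets.SystemRandom()  # OS CSPRNG
    pools = [sorted(set(pool)) for pool, _ in constraints]
    chars = [rng.choice(p) for p, (_, n) in zip(pools, constraints) for _ in range(n)]
    if len(chars) > length:
        raise ValueError("minimum counts exceed requested length")
    everything = combined_pool(pools)
    chars += [rng.choice(everything) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # assumption of this example: hide where required chars sit
    return "".join(chars)

# Constructed sample: an alphanumeric class plus a short overlapping sequence.
SAMPLE_POOLS = [string.ascii_letters + string.digits, "abc"]

if __name__ == "__main__":
    print(entropy_bits(pool_then_char_distribution(SAMPLE_POOLS)))
    print(entropy_bits(uniform_distribution(SAMPLE_POOLS)))
    print(generate(32, [(SAMPLE_POOLS[0], 1), ("abc", 1)]))
```

With the constructed sample pools, pool-then-character selection gives each of `a`, `b` and `c` probability 65/372 and every other character 1/124, so the three short-sequence characters dominate the output.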