Do not mask configdrive when executing in-band deploy steps

The agent needs to use configdrive, and we do send it over the same
channel when running write_image. There is no point in preventing custom
deploy steps from accessing it.

Change-Id: I93d3966b2c6af1f60bfbb39b3a07056308c6866c
Dmitry Tantsur 2021-04-29 13:54:55 +02:00
parent 193d2e65f1
commit d97f0fb5ec
4 changed files with 25 additions and 4 deletions


@ -593,7 +593,7 @@ class AgentClient(object):
""" """
params = { params = {
'step': step, 'step': step,
'node': node.as_dict(secure=True), 'node': node.as_dict(secure=True, mask_configdrive=False),
'ports': [port.as_dict() for port in ports], 'ports': [port.as_dict() for port in ports],
'deploy_version': node.driver_internal_info.get( 'deploy_version': node.driver_internal_info.get(
'hardware_manager_version') 'hardware_manager_version')
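Review bot: With `mask_configdrive=False` on the `'node'` entry, `params` now carries the raw configdrive, so any logging, exception message or stored command record built from `params` later in this method would write instance user data into conductor-side logs. The method continues outside the hunk, so I cannot tell whether that happens; please confirm that only the step name and node identifier are logged. A comment above the changed line would keep a later edit from reintroducing the leak, for example `# configdrive is sent unmasked on purpose (the agent needs it); never log params`. All other secret fields still go through `secure=True`, which is the right default to keep.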


@ -168,13 +168,17 @@ class Node(base.IronicObject, object_base.VersionedObjectDictCompat):
'network_data': object_fields.FlexibleDictField(nullable=True), 'network_data': object_fields.FlexibleDictField(nullable=True),
} }
def as_dict(self, secure=False): def as_dict(self, secure=False, mask_configdrive=True):
d = super(Node, self).as_dict() d = super(Node, self).as_dict()
if secure: if secure:
d['driver_info'] = strutils.mask_dict_password( d['driver_info'] = strutils.mask_dict_password(
d.get('driver_info', {}), "******") d.get('driver_info', {}), "******")
d['instance_info'] = strutils.mask_dict_password( iinfo = d.pop('instance_info', {})
d.get('instance_info', {}), "******") if not mask_configdrive:
configdrive = iinfo.pop('configdrive', None)
d['instance_info'] = strutils.mask_dict_password(iinfo, "******")
if not mask_configdrive and configdrive:
d['instance_info']['configdrive'] = configdrive
d['driver_internal_info'] = strutils.mask_dict_password( d['driver_internal_info'] = strutils.mask_dict_password(
d.get('driver_internal_info', {}), "******") d.get('driver_internal_info', {}), "******")
return d return d
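Review bot: `iinfo.pop('configdrive', None)` modifies the dictionary obtained from `super(Node, self).as_dict()`, and if that is the node's own `instance_info` rather than a copy (not visible in this hunk), calling `as_dict(secure=True, mask_configdrive=False)` would strip configdrive from the live object as a side effect of serialising it. Reading instead of removing avoids depending on that: `configdrive = iinfo.get('configdrive')`, with the later assignment overwriting the masked value. As written, a present but falsy configdrive also disappears from the result, because it is popped and then fails the `and configdrive` test. The new parameter has no docstring; it should say that `mask_configdrive` takes effect only when `secure` is true and that `False` returns the configdrive in clear text, so callers must not log the result.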


@ -61,6 +61,18 @@ class TestNodeObject(db_base.DbTestCase, obj_utils.SchemasTestMixIn):
# Ensure the node can be serialised. # Ensure the node can be serialised.
jsonutils.dumps(d) jsonutils.dumps(d)
def test_as_dict_secure_with_configdrive(self):
self.node.driver_info['ipmi_password'] = 'fake'
self.node.instance_info['configdrive'] = 'data'
self.node.driver_internal_info['agent_secret_token'] = 'abc'
d = self.node.as_dict(secure=True, mask_configdrive=False)
self.assertEqual('******', d['driver_info']['ipmi_password'])
self.assertEqual('data', d['instance_info']['configdrive'])
self.assertEqual('******',
d['driver_internal_info']['agent_secret_token'])
# Ensure the node can be serialised.
jsonutils.dumps(d)
def test_as_dict_with_traits(self): def test_as_dict_with_traits(self):
self.fake_node['traits'] = ['CUSTOM_1'] self.fake_node['traits'] = ['CUSTOM_1']
self.node = obj_utils.get_test_node(self.ctxt, **self.fake_node) self.node = obj_utils.get_test_node(self.ctxt, **self.fake_node)
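Review bot: `test_as_dict_secure_with_configdrive` pins only the unmasked path; nothing visible in this hunk asserts that the default call still hides the value, which is the regression that matters for every other caller of `as_dict(secure=True)`. I would add `self.assertEqual('******', self.node.as_dict(secure=True)['instance_info']['configdrive'])` to the same test, assuming the masking helper treats that key as sensitive as the commit title implies. A second assertion after the call, `self.assertEqual('data', self.node.instance_info['configdrive'])`, would show that serialising does not alter the node itself. The surrounding test methods start and end outside the hunk, so an existing test may already cover the default case.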


@ -0,0 +1,5 @@
---
fixes:
- |
No longer masks configdrive when sending the node's record to in-band
deploy steps.