ironic/releasenotes/notes/mask-configdrive-contents-77fc557d6bc63b2b.yaml
Devananda van der Veen dc0dad9773 Mask instance secrets in API responses
This change adds a new policy setting, "show_instance_secrets", whose
behavior mirrors that of the existing "show_passwords" policy setting.

Whereas "show_passwords" has historically blocked all sensitive
information from the node's driver_info field, the new setting blocks
all sensitive information from the node's instance_info field, including
image_url.

The name of the old setting, "show_passwords", is not being changed at
this time because such a change is not backwards-compatible. Instead,
the documentation string for this setting has been changed to clarify
what it does. Note that the behavior has not actually changed.

Note that this change moves the policy.check("show_password") call from
the Pecan hook into the API's Nodes() class, where the
policy.check("show_instance_secrets") is also added. This makes the code
a little cleaner and more maintainable, especially if we want to add any
more checks like this in the future.

As a result of this cleanup, the ironic-specific
RequestContext.show_password property is removed.

Partial-bug: #1530972
Partial-bug: #1526752
Related-bug: #1613903

Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600
2016-08-26 08:31:17 -07:00


---
features:
- This change adds a new policy rule that may be used to mask
instance-specific secrets, such as configdrive contents or the temp URL
used to store a configdrive or instance image. This is similar to how
passwords are already masked.
upgrade:
- After this change, instance secrets will, by default, be masked in API
responses. Operators wishing to expose the configdrive or instance image
to specific users will need to update their policy.json file and grant the
relevant keystone roles.
security:
  - Configdrives often contain sensitive information. Users may upload their
    own images, which could also contain sensitive information. The Agent
    drivers may store this information in a Swift temp URL to allow access from
    the Agent ramdisk. These URLs are themselves considered sensitive, because
    anyone holding one has unauthenticated access to that content until the
    URL expires. With this change, this information is exposed only to users
    granted the new policy rule, whereas previously it was exposed to all
    authenticated users who could read the node.
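The masking behaviour the note describes, as an added, self-contained example. This is not Ironic's own code: it stands in for the oslo.policy enforcer with a tiny rule evaluator that only understands `"!"` (always deny), `"@"` (always allow) and `"role:<name>"`, uses the rule names from the commit message (`show_password`, `show_instance_secrets`), and masks the fields the note calls out (`configdrive`, `image_url`) plus any key whose name contains `password`. The policy dictionaries and the sample node are constructed for the example; the Swift temp URL is a made-up one that only mimics the `temp_url_sig`/`temp_url_expires` query parameters such URLs carry.

```python
"""Mask driver_info and instance_info secrets in an API response unless the
caller is granted the corresponding policy rule.

Example code written for this page; not Ironic's implementation. The policy
evaluator below is a deliberate simplification of oslo.policy."""
import copy

MASK = "******"

# Constructed stand-ins for two policy.json files. DEFAULT_POLICY mirrors the
# post-change default described in the release note: both rules deny.
DEFAULT_POLICY = {
    "show_password": "!",
    "show_instance_secrets": "!",
}

# An operator who wants admins to see configdrives / temp URLs would grant
# the rule to a keystone role; driver_info passwords stay hidden.
OPERATOR_POLICY = {
    "show_password": "!",
    "show_instance_secrets": "role:admin",
}

# instance_info keys the release note names as secrets (assumed list).
INSTANCE_SECRET_KEYS = ("configdrive", "image_url")


def check(policy, rule, roles):
    """Evaluate one policy rule against the caller's keystone roles.

    Supports "!" (always deny), "@" (always allow) and "role:<name>".
    A rule missing from the policy file denies, as does an unknown syntax.
    """
    expr = policy.get(rule, "!")
    if expr == "!":
        return False
    if expr == "@":
        return True
    if expr.startswith("role:"):
        return expr[len("role:"):] in set(roles)
    raise ValueError("unsupported rule expression: %r" % (expr,))


def mask_password_keys(info):
    """Replace the value of every key whose name contains 'password'."""
    return {k: (MASK if "password" in k.lower() else v) for k, v in info.items()}


def mask_node(node, policy, roles):
    """Return a copy of a node dict with secrets masked per policy.

    driver_info is governed by show_password; instance_info by
    show_instance_secrets. The input dict is never modified.
    """
    masked = copy.deepcopy(node)
    if not check(policy, "show_password", roles):
        masked["driver_info"] = mask_password_keys(masked.get("driver_info") or {})
    if not check(policy, "show_instance_secrets", roles):
        info = mask_password_keys(masked.get("instance_info") or {})
        for key in INSTANCE_SECRET_KEYS:
            if info.get(key):
                info[key] = MASK
        masked["instance_info"] = info
    return masked


# Constructed sample node; the temp URL and configdrive blob are fake.
SAMPLE_NODE = {
    "uuid": "node-1",
    "driver_info": {
        "ipmi_address": "10.0.0.5",
        "ipmi_username": "admin",
        "ipmi_password": "hunter2",
    },
    "instance_info": {
        "image_source": "glance-image-id",
        "image_url": "https://swift.example/v1/AUTH_x/glance/img"
                     "?temp_url_sig=deadbeef&temp_url_expires=1500000000",
        "configdrive": "H4sIAAAAAAAAA+3BMQEAAADCoPVPbQ0PoAAAAAAAAAAAAAAAAAAAAIC3AYbSVKsAQAAA",
        "root_gb": 10,
    },
}


if __name__ == "__main__":
    for name, policy, roles in (("default/admin", DEFAULT_POLICY, ["admin"]),
                                ("operator/admin", OPERATOR_POLICY, ["admin"]),
                                ("operator/member", OPERATOR_POLICY, ["member"])):
        out = mask_node(SAMPLE_NODE, policy, roles)
        print(name, out["driver_info"]["ipmi_password"],
              out["instance_info"]["image_url"][:24])
```

With the default policy even an admin sees only `******` for the temp URL, the configdrive and the IPMI password; granting `show_instance_secrets` to `role:admin` reveals instance_info to admins while `show_password` still hides driver_info credentials, and non-secret fields such as `root_gb` and `ipmi_address` are never touched.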