openstack/ironic
Code Issues Proposed changes
Files
ad227de245536a3c86b17132136c51670e87e3c5
ironic/releasenotes/notes/irmc-add-snmpv3-security-fca05bfc30f50d1a.yaml
Shukun Song c274231bf5 Add SNMPv3 authentication functionality 
Currently when using SNMPv3, iRMC driver does not use SNMPv3
authentication parameters so the SNMPv3 authentication will
always fail. And iRMC cannot recognize FIPS mode, so when FIPS mode
is enabled, iRMC driver could still use non-FIPS-compliant algorithms.

This commit changes iRMC driver to require and use SNMPv3
authentication parameters when 'irmc_snmp_version' is set to v3 and
also makes iRMC driver to force 'irmc_snmp_version' to v3,
'irmc_snmp_auth_proto' to SHA and 'irmc_snmp_priv_proto' to AES
when FIPS mode is enabled, because currently among the algorithms
supported by iRMC, only SHA and AES are FIPS compliant.

Conflicts:
       doc/source/admin/drivers/irmc.rst
       ironic/drivers/modules/irmc/common.py
       ironic/tests/unit/drivers/modules/irmc/test_boot.py
       ironic/tests/unit/drivers/modules/irmc/test_common.py

Change-Id: Id6f8996e4d103f849325f54fe0619b4acb43453a
Story: 2010085
Task: 45590
(cherry picked from commit 79f82c0262)
2022-10-11 11:55:52 +09:00

29 lines
1.0 KiB
YAML
Raw Blame History

---
fixes:
- |
Fixes SNMPv3 message authentication and encryption functionality of iRMC
driver. The SNMPv3 authentication between iRMC driver and iRMC was only
by the security name with no passwords and encryption.
To increase security, the following parameters are now added to the node's
``driver_info``, and can be used for authentication:
* ``irmc_snmp_user``
* ``irmc_snmp_auth_password``
* ``irmc_snmp_priv_password``
* ``irmc_snmp_auth_proto`` (Optional, defaults to ``sha``)
* ``irmc_snmp_priv_proto`` (Optional, defaults to ``aes``)
``irmc_snmp_user`` replaces ``irmc_snmp_security``. ``irmc_snmp_security``
will be ignored if ``irmc_snmp_user`` is set.
``irmc_snmp_auth_proto`` and ``irmc_snmp_priv_proto`` can also be set
through the following options in the ``[irmc]`` section of
``/etc/ironic/ironic.conf``:
* ``snmp_auth_proto``
* ``snmp_priv_proto``
other:
- |
Updates the minimum version of ``python-scciclient`` library to
``0.12.2``.
View Git Blame Copy Permalink