Use password lookup for run-buildset-registry role
Complete a lingering TODO in run-buildset-registry to use a less guessable password for the intermediate registry service. Timestamps (even with microsecond precision and even running through a hash algorithm) are inherently guessable. Someone watching a console stream of the job could probably narrow down the time that task ran to at least second precision, which then requires at most a million guesses to be able to pollute or otherwise compromise the content jobs are relying on. With reasonable network access and a typical personal computer this is a rather small work factor to overcome. Luckily, the Ansible community maintains an in-tree lookup plugin[*] for strong password generation. Its default is 20 mixed-case letters, numbers and punctuation, so the same length as the truncated hash we're replacing. [*] https://docs.ansible.com/ansible/latest/plugins/lookup/password.html Depends-On: https://review.opendev.org/662870 Change-Id: I66e60f767328cc3af540ec4b755121da989b5e56
This commit is contained in:
Jeremy Stanley
parent
2f2d6ce3f7
commit
3f01dc11f7
|
|
@ -25,10 +25,9 @@
|
|||
loop:
|
||||
- certs
|
||||
- auth
|
||||
# TODO: use password lookup after allowing access to it in Zuul
|
||||
- name: Generate registry password
|
||||
set_fact:
|
||||
registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}"
|
||||
registry_password: "{{ lookup('password', '/dev/null') }}"
|
||||
- name: Write htpassword file
|
||||
htpasswd:
|
||||
create: true
|
||||
|
|
|
|||
Loading…
Reference in New Issue