Use password lookup for run-buildset-registry role

Complete a lingering TODO in run-buildset-registry to use a less guessable password for the intermediate registry service. Timestamps (even with microsecond precision and even running through a hash algorithm) are inherently guessable. Someone watching a console stream of the job could probably narrow down the time that task ran to at least second precision, which then requires at most a million guesses to be able to pollute or otherwise compromise the content jobs are relying on. With reasonable network access and a typical personal computer this is a rather small work factor to overcome. Luckily, the Ansible community maintains an in-tree lookup plugin[*] for strong password generation. Its default is 20 mixed-case letters, numbers and punctuation, so the same length as the truncated hash we're replacing. [*] https://docs.ansible.com/ansible/latest/plugins/lookup/password.html Depends-On: https://review.opendev.org/662870 Change-Id: I66e60f767328cc3af540ec4b755121da989b5e56
2019-06-04 18:33:29 +00:00 · 2019-06-04 18:33:29 +00:00 · 3f01dc11f7
commit 3f01dc11f7
parent 2f2d6ce3f7
1 changed files with 1 additions and 2 deletions
--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@ -25,10 +25,9 @@
  loop:
    - certs
    - auth
-# TODO: use password lookup after allowing access to it in Zuul
 - name: Generate registry password
  set_fact:
-    registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}"
+    registry_password: "{{ lookup('password', '/dev/null') }}"
 - name: Write htpassword file
  htpasswd:
    create: true