author | Zuul <zuul@review.openstack.org> | 2018-02-07 15:55:00 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2018-02-07 15:55:00 +0000 |
commit | 273e2c2c7424c52adcd310bf032feca873746866 (patch) | |
tree | 6a607db0aa8ae47607549a7f7b2a6be2c649072d | |
parent | abb14290fbde6bf8f19ca38807ace9d1828ca182 (diff) | |
parent | c2185469c4a9246fa62ceae76676a08ed84e686d (diff) | |
download | ironic-273e2c2c7424c52adcd310bf032feca873746866.tar.gz |
Merge "Do not pass credentials to the ramdisk on cleaning"
-rw-r--r-- | ironic/drivers/modules/agent_client.py | 4 | ||||
-rw-r--r-- | ironic/objects/node.py | 9 | ||||
-rw-r--r-- | ironic/tests/unit/drivers/modules/test_agent_client.py | 7 | ||||
-rw-r--r-- | ironic/tests/unit/objects/test_node.py | 14 | ||||
-rw-r--r-- | releasenotes/notes/node-credentials-cleaning-b1903f49ffeba029.yaml | 5 |
5 files changed, 34 insertions, 5 deletions
diff --git a/ironic/drivers/modules/agent_client.py b/ironic/drivers/modules/agent_client.py
index 3ffa7d081..e9624b00a 100644
--- a/ironic/drivers/modules/agent_client.py
+++ b/ironic/drivers/modules/agent_client.py
@@ -170,7 +170,7 @@ class AgentClient(object):
 @METRICS.timer('AgentClient.get_clean_steps')
 def get_clean_steps(self, node, ports):
 params = {
- 'node': node.as_dict(),
+ 'node': node.as_dict(secure=True),
 'ports': [port.as_dict() for port in ports]
 }
 return self._command(node=node,
@@ -182,7 +182,7 @@ class AgentClient(object):
 def execute_clean_step(self, step, node, ports):
 params = {
 'step': step,
- 'node': node.as_dict(),
+ 'node': node.as_dict(secure=True),
 'ports': [port.as_dict() for port in ports],
 'clean_version': node.driver_internal_info.get(
 'hardware_manager_version')
diff --git a/ironic/objects/node.py b/ironic/objects/node.py
index bcac54d63..fd0a452be 100644
--- a/ironic/objects/node.py
+++ b/ironic/objects/node.py
@@ -134,6 +134,15 @@ class Node(base.IronicObject, object_base.VersionedObjectDictCompat):
 'traits': object_fields.ObjectField('TraitList', nullable=True),
 }
 
+ def as_dict(self, secure=False):
+ d = super(Node, self).as_dict()
+ if secure:
+ d['driver_info'] = strutils.mask_dict_password(
+ d.get('driver_info', {}), "******")
+ d['instance_info'] = strutils.mask_dict_password(
+ d.get('instance_info', {}), "******")
+ return d
+
 def _validate_property_values(self, properties):
 """Check if the input of local_gb, cpus and memory_mb are valid.
 
diff --git a/ironic/tests/unit/drivers/modules/test_agent_client.py b/ironic/tests/unit/drivers/modules/test_agent_client.py
index 4683de129..f8396b3ce 100644
--- a/ironic/tests/unit/drivers/modules/test_agent_client.py
+++ b/ironic/tests/unit/drivers/modules/test_agent_client.py
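Review bot: The `secure=True` argument in `get_clean_steps` (and again in `execute_clean_step`, the second agent_client.py hunk) carries the whole security property of this change, yet nothing at either call site says why it is there, so a later refactor could drop it without anyone noticing. I would add a one-line comment above each `'node':` entry, e.g. `# secure=True: never send driver_info/instance_info credentials to the ramdisk`. The masked fields are still sent, now holding the literal `"******"`, so a hardware manager in the ramdisk that reads one of them sees that placeholder rather than a missing key; that is worth stating where the agent API is documented. Both method bodies continue outside the hunks, and any other AgentClient command that serializes the node is not visible here and should be checked the same way.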
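Review bot: `Node.as_dict` in ironic/objects/node.py masks only when the caller opts in with `secure=True`, so every future code path that hands a node dict to something outside the conductor exposes credentials unless its author remembers the flag, and the new method has no docstring to say so. I would add a docstring stating that `secure=True` replaces password-like values in `driver_info` and `instance_info` with `"******"` and must be used whenever the dict leaves the service. The masking is delegated to `strutils.mask_dict_password`, which as far as I know decides by key name, so a driver credential stored under a key that does not look like a password or token would presumably pass through unmasked; a comment noting that limit would help the next driver author. Fields other than these two, such as `driver_internal_info`, are returned as-is.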
@@ -43,7 +43,8 @@ class MockNode(object):
 }
 self.instance_info = {}
 
- def as_dict(self):
+ def as_dict(self, secure=False):
+ assert secure, 'agent_client must pass secure=True'
 return {
 'uuid': self.uuid,
 'driver_internal_info': self.driver_internal_info,
@@ -245,7 +246,7 @@ class TestAgentClient(base.TestCase):
 self.client._command = mock.MagicMock(spec_set=[])
 ports = []
 expected_params = {
- 'node': self.node.as_dict(),
+ 'node': self.node.as_dict(secure=True),
 'ports': []
 }
 
@@ -261,7 +262,7 @@ class TestAgentClient(base.TestCase):
 step = {'priority': 10, 'step': 'erase_devices', 'interface': 'deploy'}
 expected_params = {
 'step': step,
- 'node': self.node.as_dict(),
+ 'node': self.node.as_dict(secure=True),
 'ports': [],
 'clean_version':
 self.node.driver_internal_info['hardware_manager_version']
diff --git a/ironic/tests/unit/objects/test_node.py b/ironic/tests/unit/objects/test_node.py
index ac2a27054..1b9a07512 100644
--- a/ironic/tests/unit/objects/test_node.py
+++ b/ironic/tests/unit/objects/test_node.py
@@ -35,6 +35,20 @@ class TestNodeObject(db_base.DbTestCase, obj_utils.SchemasTestMixIn):
 self.fake_node = db_utils.get_test_node()
 self.node = obj_utils.get_test_node(self.ctxt, **self.fake_node)
 
+ def test_as_dict_insecure(self):
+ self.node.driver_info['ipmi_password'] = 'fake'
+ self.node.instance_info['configdrive'] = 'data'
+ d = self.node.as_dict()
+ self.assertEqual('fake', d['driver_info']['ipmi_password'])
+ self.assertEqual('data', d['instance_info']['configdrive'])
+
+ def test_as_dict_secure(self):
+ self.node.driver_info['ipmi_password'] = 'fake'
+ self.node.instance_info['configdrive'] = 'data'
+ d = self.node.as_dict(secure=True)
+ self.assertEqual('******', d['driver_info']['ipmi_password'])
+ self.assertEqual('******', d['instance_info']['configdrive'])
+
 def test_get_by_id(self):
 node_id = self.fake_node['id']
 with mock.patch.object(self.dbapi, 'get_node_by_id',
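Review bot: `test_as_dict_secure` in ironic/tests/unit/objects/test_node.py asserts the masked values in the returned dict but never checks that the node object itself is left intact, so a masking step that overwrote `driver_info` in place (and was later saved) would still pass. After the two existing assertions I would add `self.assertEqual('fake', self.node.driver_info['ipmi_password'])` and `self.assertEqual('data', self.node.instance_info['configdrive'])`. Asserting that one non-sensitive key comes back unmasked would also pin that only credentials are replaced.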
diff --git a/releasenotes/notes/node-credentials-cleaning-b1903f49ffeba029.yaml b/releasenotes/notes/node-credentials-cleaning-b1903f49ffeba029.yaml
new file mode 100644
index 000000000..ca4829afa
--- /dev/null
+++ b/releasenotes/notes/node-credentials-cleaning-b1903f49ffeba029.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Sensitive information is now removed from a node's ``driver_info`` and
+ ``instance_info`` fields before sending it to the ramdisk during cleaning. |