Feature #16580

Restrict and document access to BMC credentials

Added by Dominic Cleal 7 months ago. Updated 7 months ago.

Status:Closed
Priority:Normal
Assigned To:Dominic Cleal
Category:BMC
Target version:-
Difficulty:
Bugzilla link:
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/3855
Story points:-
Velocity based estimate:-
Release:1.14.0
Release relationship:Auto

Description

BMC interface credentials stored in Foreman are accessible through the ENC YAML output and through templates (#15046); however, it isn't clear that they are so readily available when entering them and there is no option to restrict it.

It should be possible to disable access through the ENC YAML and templates to credentials if the administrator wishes, via a setting. This would use the credentials only for BMC smart proxies.

The BMC interface form should probably also state where the credentials are accessible from.

Reported by Alex Fisher to , thanks. No CVE will be requested as it's by design, this is hardening.

Associated revisions

Revision 72b2f9f2
Added by Dominic Cleal 7 months ago

fixes #16580 - redact BMC password in ENC/templates with setting

Passwords stored against BMC NICs are accessible by default via
nic.password in a template, even in safe mode (861a03b), and are also
exported in the ENC output. A new bmc_credentials_accessible setting
allows the admin to redact the values in both locations, only allowing
the password to be used internally for BMC smart proxies.

Disabling BMC credential access requires safemode_render for complete
protection.
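
An added example, not part of the ticket or of Foreman's code: a Ruby check an administrator could run over saved ENC YAML to confirm that no BMC password is exported once bmc_credentials_accessible is disabled. The key layout (parameters, foreman_interfaces, and the type/identifier/password keys), the sample data, and the idea that a redacted password shows up empty or absent are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample of ENC output for one host. The key layout is an
# assumption for illustration; adjust the keys to match your own ENC output.
SAMPLE_ENC_EXPOSED = <<~YAML
  classes: {}
  parameters:
    hostname: web01.example.com
    foreman_interfaces:
      - identifier: eth0
        type: Interface
        ip: 192.0.2.10
      - identifier: ipmi0
        type: BMC
        provider: IPMI
        username: admin
        password: constructed-secret
YAML

# Same constructed host with the password value emptied (assumed redacted form).
SAMPLE_ENC_REDACTED = SAMPLE_ENC_EXPOSED.sub('password: constructed-secret', 'password:')

# Returns the identifiers of BMC interfaces whose password is present and
# non-empty. Missing sections or unexpected types yield an empty list.
def exposed_bmc_interfaces(enc_yaml)
  doc = YAML.safe_load(enc_yaml) || {}
  params = doc['parameters'].is_a?(Hash) ? doc['parameters'] : {}
  nics = params['foreman_interfaces']
  return [] unless nics.is_a?(Array)

  nics.select { |nic| nic.is_a?(Hash) && nic['type'].to_s.casecmp?('bmc') }
      .reject { |nic| nic['password'].to_s.strip.empty? }
      .map { |nic| nic['identifier'] || '(unnamed)' }
end

if __FILE__ == $PROGRAM_NAME
  { 'exposed' => SAMPLE_ENC_EXPOSED, 'redacted' => SAMPLE_ENC_REDACTED }.each do |label, yaml|
    hits = exposed_bmc_interfaces(yaml)
    status = hits.empty? ? 'no BMC password in ENC output' : "BMC password exposed on #{hits.join(', ')}"
    puts "#{label}: #{status}"
  end
end
```

This only covers the ENC path; template access is the other location the commit message names and needs its own review.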

History

#1 Updated by The Foreman Bot 7 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3855 added

#2 Updated by Dominic Cleal 7 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal 7 months ago

  • Release set to 1.14.0
