Bug #33839

bmc_credentials_accessible hides BMC information in the API

Added by Nacho Barrientos 8 months ago. Updated 8 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

The configuration option bmc_credentials_accessible is described in the manual as follows:

By default passwords stored on BMC network interfaces will be visible to other users who can view the host via the ENC YAML preview and accessible through templates, for the purposes of configuring BMC interfaces automatically.

When set to false, all BMC passwords will be redacted in template and ENC output, preventing both users from viewing the passwords directly and also from configuration (or access) in Puppet and other config management tools using the ENC interface. Foreman will continue to use the stored password for BMC power operations.

Note that setting this to false also requires that safemode_render be enabled, else it could be bypassed.

However, when set to false, the password is also wiped out from the output of API calls like GET api/hosts/host.example.ch/interfaces.

For us this is not expected behaviour, because whereas we'd like the passwords to be scrubbed from ENC output which can be consumed unauthenticated, we'd like to continue to be able to retrieve the credentials using the (authenticated) API.

Perhaps how bmc_credentials_accessible is implemented is not the best and maybe it makes sense to start thinking about keeping the autogenerated Nic::BMC:password() and moving the logic that hides the password to the controllers where this functionality is actually needed as described in the documentation (ENC, etc).

The actual reason I'm bothering you with this is that I'm currently revisiting bmc_credentials_accessible because we've always had a local patch (see below) for app/controllers/hosts_controller.rb:externalNodes() to remove creds from the ENC there and I was trying to get rid of it in favour of the built-in setting. I believe that this code is all gone in 3.x (moved to a plugin?).

--- a/app/controllers/hosts_controller.rb
+++ b/app/controllers/hosts_controller.rb
@@ -196,7 +196,20 @@ class HostsController < ApplicationController
         # don't break lines in yaml to support Ruby < 1.9.3
         # Remove the HashesWithIndifferentAccess using 'deep_stringify_keys',
         # then we turn it into YAML
-        host_info_yaml = @host.info.deep_stringify_keys.to_yaml(:line_width => -1)
+        host_info_yaml = @host.info.deep_stringify_keys.tap{|k|
+          k['parameters'].tap{|l|
+            l['foreman_interfaces'].each{|f|
+              f.tap{|m|
+                m.delete('password')
+              }
+            }
+          }
+        }.to_yaml(:line_width => -1)
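Review bot: The added `tap` chain dereferences `k['parameters']` and `l['foreman_interfaces']` without a nil guard, so a host whose info hash lacks either key raises NoMethodError on `.each` and the ENC request fails instead of returning YAML. Guard the lookup, for example `Array((k['parameters'] || {})['foreman_interfaces']).each { |f| f.delete('password') }`, which also replaces the inner `f.tap{|m| m.delete('password') }` (equivalent to `f.delete('password')`) and removes two levels of nesting. Only the `password` key is dropped from each interface entry, so any other credential-related fields in `foreman_interfaces` still reach the ENC output; a short comment stating that this is intentional, and why the scrubbing is done here, would help whoever has to carry this local patch across upgrades.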

https://github.com/theforeman/foreman/blob/ccd67513052494e1d5ae79f4450cd04b8020633e/app/controllers/hosts_controller.rb#L196

History

#1 Updated by Nacho Barrientos 8 months ago

Actually I've just seen that in 2.5.x onwards the API does not even expose the password anymore.

https://projects.theforeman.org/issues/31937
https://github.com/theforeman/foreman/pull/8349

I'm surely missing context but I don't understand why it's a "leak" to expose the password of the BMC interface of a host that the calling user has the right to see. We have external tools that query the Foreman API to extract the credentials and do stuff with them. Something else we'd have to locally patch when upgrading (/me sad).

#2 Updated by Nacho Barrientos 8 months ago

  • Found in Releases 2.4.1 added
