"Fossies" - the Fresh Open Source Software Archive

Member "ironic-11.1.3/releasenotes/notes/mask-configdrive-contents-77fc557d6bc63b2b.yaml" (6 Jun 2019, 1032 Bytes) of package /linux/misc/openstack/ironic-11.1.3.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Ansible YAML source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 ---
    2 features:
    3   - Adds a new policy rule that may be used to mask
    4     instance-specific secrets, such as configdrive contents or the temp URL
    5     used to store a configdrive or instance image.  This is similar to how
    6     passwords are already masked.
    7 upgrade:
    8   - Instance secrets will now, by default, be masked in API
    9     responses.  Operators wishing to expose the configdrive or instance image
   10     to specific users will need to update their policy.json file and grant the
   11     relevant keystone roles.
   12 security:
   13   - Configdrives often contain sensitive information. Users may upload their
   14     own images, which could also contain sensitive information.  The Agent
   15     drivers may store this information in a Swift temp URL to allow access from
   16     the Agent ramdisk. These URLs are considered sensitive information because
   17     they grant unauthenticated access to sensitive information.  Now,
   18     we only selectively expose this information to privileged
   19     users, whereas previously it was exposed to all authenticated users.