diff options
| author | Julia Kreger <juliaashleykreger@gmail.com> | 2019-10-25 11:31:53 -0700 |
|---|---|---|
| committer | Julia Kreger <juliaashleykreger@gmail.com> | 2020-03-24 20:11:43 +0000 |
| commit | fcaefdbe74c63d6ad42fd23cdb5cb98373d83443 (patch) | |
| tree | 683a880122fae2fc1b0b1d9fa006d434bfd993cf /ironic/conductor | |
| parent | 3eb0c164011a744126330de44413ab704b55ea83 (diff) | |
| download | ironic-fcaefdbe74c63d6ad42fd23cdb5cb98373d83443.tar.gz | |
Hash the rescue_password
In order to provide increased security, it is necessary
to hash the rescue password in advance of it being stored
into the database and to provide some sort of control for
hash strength.
This change IS incompatible with prior IPA versions with
regard to use of the rescue feature, but I fully expect
we will backport the change to IPA on to stable branches
and perform a release as it is a security improvement.
Change-Id: I1e118467a536229de6f7c245c1c48f0af38dcef2
Story: 2006777
Task: 27301
Diffstat (limited to 'ironic/conductor')
| -rw-r--r-- | ironic/conductor/manager.py | 8 | ||||
| -rw-r--r-- | ironic/conductor/utils.py | 35 |
2 files changed, 37 insertions, 6 deletions
diff --git a/ironic/conductor/manager.py b/ironic/conductor/manager.py index aca403313..bfc86e825 100644 --- a/ironic/conductor/manager.py +++ b/ironic/conductor/manager.py @@ -610,9 +610,11 @@ class ConductorManager(base_manager.BaseConductorManager): # driver validation may check rescue_password, so save it on the # node early - instance_info = node.instance_info - instance_info['rescue_password'] = rescue_password - node.instance_info = instance_info + i_info = node.instance_info + i_info['rescue_password'] = rescue_password + i_info['hashed_rescue_password'] = utils.hash_password( + rescue_password) + node.instance_info = i_info node.save() try: diff --git a/ironic/conductor/utils.py b/ironic/conductor/utils.py index 2d97d655c..170218c61 100644 --- a/ironic/conductor/utils.py +++ b/ironic/conductor/utils.py @@ -13,6 +13,7 @@ # under the License. import contextlib +import crypt import datetime from distutils.version import StrictVersion import random @@ -42,6 +43,12 @@ LOG = log.getLogger(__name__) CONF = cfg.CONF +PASSWORD_HASH_FORMAT = { + 'sha256': crypt.METHOD_SHA256, + 'sha512': crypt.METHOD_SHA512, +} + + @task_manager.require_exclusive_lock def node_set_boot_device(task, device, persistent=False): """Set the boot device for a node. @@ -707,9 +714,13 @@ def remove_node_rescue_password(node, save=True): instance_info = node.instance_info if 'rescue_password' in instance_info: del instance_info['rescue_password'] - node.instance_info = instance_info - if save: - node.save() + + if 'hashed_rescue_password' in instance_info: + del instance_info['hashed_rescue_password'] + + node.instance_info = instance_info + if save: + node.save() def validate_instance_info_traits(node): @@ -1108,3 +1119,21 @@ def is_agent_token_pregenerated(node): """ return node.driver_internal_info.get( 'agent_secret_token_pregenerated', False) + + +def make_salt(): + """Generate a random salt with the indicator tag for password type. + + :returns: a valid salt for use with crypt.crypt + """ + return crypt.mksalt( + method=PASSWORD_HASH_FORMAT[ + CONF.conductor.rescue_password_hash_algorithm]) + + +def hash_password(password=''): + """Hashes a supplied password. + + :param value: Value to be hashed + """ + return crypt.crypt(password, make_salt()) |