From f923da0c9990190bfcc7c3f84a2ccce40b0a44c0 Mon Sep 17 00:00:00 2001 From: Ben Nemec Date: Wed, 9 Mar 2016 23:39:50 +0000 Subject: [PATCH] Secure haproxy stats endpoint Currently when we deploy our haproxy configuration, it includes the stats endpoint as unauthenticated. This means anyone with access to the undercloud can query the haproxy stats, which is a security concern. Change-Id: I94086c17c3fa5efe80650c2770bfb5c7f2f941ab Depends-On: I8a5844e89bd81a99d5101ab6bce7a8d79e069565 --- .../install.d/02-puppet-stack-config | 1 + .../puppet-stack-config.yaml.template | 3 +++ .../root/tripleo-undercloud-passwords | 1 + instack_undercloud/undercloud.py | 4 +++ undercloud.conf.sample | 25 +++++++++++-------- 5 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/elements/puppet-stack-config/install.d/02-puppet-stack-config b/elements/puppet-stack-config/install.d/02-puppet-stack-config
index 4ba6f7c8c..daf9b2ac8 100755
--- a/elements/puppet-stack-config/install.d/02-puppet-stack-config
+++ b/elements/puppet-stack-config/install.d/02-puppet-stack-config
@@ -41,6 +41,7 @@ context = {
 'UNDERCLOUD_MISTRAL_PASSWORD': os.environ.get('UNDERCLOUD_MISTRAL_PASSWORD', 'unset'),
 'UNDERCLOUD_ZAQAR_PASSWORD': os.environ.get('UNDERCLOUD_ZAQAR_PASSWORD', 'unset'),
 'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
+ 'UNDERCLOUD_HAPROXY_STATS_PASSWORD': os.environ.get('UNDERCLOUD_HAPROXY_STATS_PASSWORD', 'unset'),
 'UNDERCLOUD_HEAT_ENCRYPTION_KEY': os.environ.get('UNDERCLOUD_HEAT_ENCRYPTION_KEY', 'unset___________'),
 'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
 'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),
diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index 5ce9c1cb1..88bfeab6f 100644
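Review bot: The new `'UNDERCLOUD_HAPROXY_STATS_PASSWORD'` entry falls back to the literal `'unset'` when the variable is absent from the environment, so a failed lookup upstream would render the template with a predictable stats password instead of aborting the install. This matches the convention of the neighbouring entries, so it is not a regression introduced here, but for a credential that is the only thing protecting the stats endpoint a hard failure would be safer, e.g. `'UNDERCLOUD_HAPROXY_STATS_PASSWORD': os.environ['UNDERCLOUD_HAPROXY_STATS_PASSWORD'],` or a check after the dict is built that no password value is still `'unset'`. Note also that the shell file in the third hunk exports an empty string when `sudo hiera` returns nothing, which the `.get()` default does not catch. The `context` dict starts and ends outside the hunk.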
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -436,6 +436,9 @@ zaqar::transport::wsgi::bind: {{LOCAL_IP}}
 zaqar::management::mongodb::uri: mongodb://127.0.0.1:27017
 zaqar::messaging::mongodb::uri: mongodb://127.0.0.1:27017
+# Loadbalancer
+tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}
+
 # service tenant
 ceilometer::api::keystone_tenant: 'service'
 aodh::api::keystone_tenant: 'service'
diff --git a/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords b/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
index c371cc848..c529e63c1 100644
--- a/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
+++ b/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
@@ -6,6 +6,7 @@ UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
 UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
 UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
 UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
+UNDERCLOUD_HAPROXY_STATS_PASSWORD=$(sudo hiera tripleo::loadbalancer::haproxy_stats_password)
 UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
 UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
 UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)
diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py
index 9c871c778..62ff96833 100644
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
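Review bot: `tripleo::loadbalancer::haproxy_stats_password: {{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}` substitutes the password as a bare YAML scalar, so a generated value that is all digits, starts with `*`, `&`, `!` or `{`, or contains `: ` would be parsed as a number, anchor, tag or mapping rather than a string, and hiera would hand HAProxy something other than the intended password. The neighbouring string values in this hunk (`'service'`) are quoted; unless the generator is known to emit only safe characters, the new key should be quoted too: `tripleo::loadbalancer::haproxy_stats_password: '{{UNDERCLOUD_HAPROXY_STATS_PASSWORD}}'`, with any single quote in the value doubled if the generator can produce one. I cannot see how the other interpolated passwords in this template are written, so the same check is worth applying to them.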
@@ -313,6 +313,10 @@ _auth_opts = [
 help=('Sensu service password. '
 'If left unset, one will be automatically generated.')
 ),
+ cfg.StrOpt('undercloud_haproxy_stats_password',
+ help=('HAProxy stats password. '
+ 'If left unset, one will be automatically generated.')
+ ),
 ]
 CONF.register_opts(_opts)
 CONF.register_opts(_auth_opts, group='auth')
diff --git a/undercloud.conf.sample b/undercloud.conf.sample
index 6baaaf301..3763a9c35 100644
--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@@ -92,10 +92,11 @@
 # Whether to install Tempest in the Undercloud. (boolean value)
 #enable_tempest = true
-# Whether to install Mistral in the Undercloud. (boolean value)
+# Whether to install Mistral services in the Undercloud. (boolean
+# value)
 #enable_mistral = false
-# Whether to install Zaqar in the Undercloud. (boolean value)
+# Whether to install Zaqar services in the Undercloud. (boolean value)
 #enable_zaqar = false
 # Whether to use iPXE for deploy by default. (boolean value)
@@ -159,18 +160,14 @@
 # generated. (string value)
 #undercloud_ironic_password =
+# Aodh service password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_aodh_password =
+
 # Ceilometer service password. If left unset, one will be
 # automatically generated. (string value)
 #undercloud_ceilometer_password =
-# Aodh service password. If left unset, one will be
-# automatically generated. (string value)
-#undercloud_aodh_password =
-
-# Sensu service password. If left unset, one will be automatically
-# generated. (string value)
-#undercloud_sensu_password =
-
 # Ceilometer metering secret. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_ceilometer_metering_secret =
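Review bot: `cfg.StrOpt('undercloud_haproxy_stats_password', ...)` registers a password option without `secret=True`, so oslo.config will print its value in clear text whenever option values are dumped (for example by `CONF.log_opt_values()` at debug level). The visible Sensu sibling does not set it either, so the new option is consistent with the file, but it is worth fixing here and, in a follow-up, across the rest of `_auth_opts`: `cfg.StrOpt('undercloud_haproxy_stats_password', secret=True,`. The `_auth_opts` list begins outside the hunk.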
@@ -212,3 +209,11 @@
 # Swift hash suffix. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_swift_hash_suffix =
+
+# Sensu service password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_sensu_password =
+
+# HAProxy stats password. If left unset, one will be automatically
+# generated. (string value)
+#undercloud_haproxy_stats_password =