Set NeutronMetadataProxySharedSecret
This patch uses the standard password generation functionality to randomly set the NeutronMetadataProxySharedSecret parameter. Without this parameter, Neutron has a blank value for it's shared secret. This value is used to to prevent spoofing, thus the default value of "unset" is bad. This exposes a potential attack vector. Closes-Bug: #1516027 Change-Id: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
This commit is contained in:
Dougal Matthews
parent
2d7017ab71
commit
0719688416
|
|
@ -35,6 +35,7 @@ class TestPasswordsUtil(TestCase):
|
|||
passwords = utils.generate_overcloud_passwords()
|
||||
|
||||
self.assertEqual(sorted(mock_open().write.mock_calls), [
|
||||
mock.call('NEUTRON_METADATA_PROXY_SHARED_SECRET=PASSWORD\n'),
|
||||
mock.call('OVERCLOUD_ADMIN_PASSWORD=PASSWORD\n'),
|
||||
mock.call('OVERCLOUD_ADMIN_TOKEN=PASSWORD\n'),
|
||||
mock.call('OVERCLOUD_CEILOMETER_PASSWORD=PASSWORD\n'),
|
||||
|
|
@ -49,9 +50,9 @@ class TestPasswordsUtil(TestCase):
|
|||
mock.call('OVERCLOUD_SWIFT_HASH=PASSWORD\n'),
|
||||
mock.call('OVERCLOUD_SWIFT_PASSWORD=PASSWORD\n'),
|
||||
])
|
||||
self.assertEqual(generate_password_mock.call_count, 13)
|
||||
self.assertEqual(generate_password_mock.call_count, 14)
|
||||
|
||||
self.assertEqual(len(passwords), 13)
|
||||
self.assertEqual(len(passwords), 14)
|
||||
|
||||
@mock.patch("os.path.isfile", return_value=True)
|
||||
@mock.patch("passlib.utils.generate_password",
|
||||
|
|
@ -71,6 +72,7 @@ class TestPasswordsUtil(TestCase):
|
|||
'OVERCLOUD_NOVA_PASSWORD=PASSWORD\n',
|
||||
'OVERCLOUD_SWIFT_HASH=PASSWORD\n',
|
||||
'OVERCLOUD_SWIFT_PASSWORD=PASSWORD\n',
|
||||
'NEUTRON_METADATA_PROXY_SHARED_SECRET=PASSWORD\n',
|
||||
]
|
||||
|
||||
mock_open = mock.mock_open(read_data=''.join(PASSWORDS))
|
||||
|
|
@ -81,7 +83,7 @@ class TestPasswordsUtil(TestCase):
|
|||
passwords = utils.generate_overcloud_passwords()
|
||||
|
||||
generate_password_mock.assert_not_called()
|
||||
self.assertEqual(len(passwords), 13)
|
||||
self.assertEqual(len(passwords), 14)
|
||||
for name in utils._PASSWORD_NAMES:
|
||||
self.assertEqual('PASSWORD', passwords[name])
|
||||
|
||||
|
|
|
|||
|
|
@ -161,6 +161,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
|||
'NeutronDnsmasqOptions': 'dhcp-option-force=26,1400',
|
||||
'NeutronFlatNetworks': 'datacentre',
|
||||
'NeutronL3HA': False,
|
||||
'NeutronMetadataProxySharedSecret': 'password',
|
||||
'NeutronNetworkVLANRanges': 'datacentre:1:1000',
|
||||
'NeutronPassword': 'password',
|
||||
'NeutronPublicInterface': 'nic1',
|
||||
|
|
@ -326,6 +327,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
|||
'NeutronL3HA': False,
|
||||
'NeutronNetworkType': 'gre',
|
||||
'NeutronNetworkVLANRanges': 'datacentre:1:1000',
|
||||
'NeutronMetadataProxySharedSecret': 'password',
|
||||
'NeutronPassword': 'password',
|
||||
'NeutronPublicInterface': 'nic1',
|
||||
'NeutronTunnelIdRanges': ['1:1000'],
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ def generate_overcloud_passwords_mock():
|
|||
"OVERCLOUD_NOVA_PASSWORD",
|
||||
"OVERCLOUD_SWIFT_HASH",
|
||||
"OVERCLOUD_SWIFT_PASSWORD",
|
||||
"NEUTRON_METADATA_PROXY_SHARED_SECRET"
|
||||
)
|
||||
|
||||
return dict((password, 'password') for password in passwords)
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ _PASSWORD_NAMES = (
|
|||
"OVERCLOUD_NOVA_PASSWORD",
|
||||
"OVERCLOUD_SWIFT_HASH",
|
||||
"OVERCLOUD_SWIFT_PASSWORD",
|
||||
"NEUTRON_METADATA_PROXY_SHARED_SECRET"
|
||||
)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -81,6 +81,8 @@ class DeployOvercloud(command.Command):
|
|||
parameters['SwiftPassword'] = passwords['OVERCLOUD_SWIFT_PASSWORD']
|
||||
parameters['SnmpdReadonlyUserPassword'] = (
|
||||
undercloud_ceilometer_snmpd_password)
|
||||
parameters['NeutronMetadataProxySharedSecret'] = (
|
||||
passwords['NEUTRON_METADATA_PROXY_SHARED_SECRET'])
|
||||
|
||||
def _update_paramaters(self, args, network_client, stack):
|
||||
parameters = constants.PARAMETERS.copy()
|
||||
|
|
|
|||
Loading…
Reference in New Issue