From d97f0fb5ec366adf384966e65f4779149ed4c283 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Thu, 29 Apr 2021 13:54:55 +0200
Subject: [PATCH] Do not mask configdrive when executing in-band deploy steps

The agent needs to use configdrive, and we do send it over the same
channel when running write_image. There is no point in preventing custom
deploy steps from accessing it.

Change-Id: I93d3966b2c6af1f60bfbb39b3a07056308c6866c
---
 ironic/drivers/modules/agent_client.py               |  2 +-
 ironic/objects/node.py                               | 10 +++++++---
 ironic/tests/unit/objects/test_node.py               | 12 ++++++++++++
 .../deploy-step-configdrive-86ea2bb267211b88.yaml    |  5 +++++
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml

diff --git a/ironic/drivers/modules/agent_client.py b/ironic/drivers/modules/agent_client.py
index b5b6c3c1a5..6de28e785a 100644
--- a/ironic/drivers/modules/agent_client.py
+++ b/ironic/drivers/modules/agent_client.py
@@ -593,7 +593,7 @@ class AgentClient(object):
         """
         params = {
             'step': step,
-            'node': node.as_dict(secure=True),
+            'node': node.as_dict(secure=True, mask_configdrive=False),
             'ports': [port.as_dict() for port in ports],
             'deploy_version': node.driver_internal_info.get(
                 'hardware_manager_version')
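Review bot: Nothing at this call site records that `params['node']` now carries the raw configdrive, which commonly holds user data and credentials, so a later change that logs or stores `params` would expose it. A short comment above the `'node'` entry would keep that visible, for example `# configdrive is deliberately left unmasked for in-band steps; never log params`. Whether `params` is logged or echoed in an error path further down cannot be seen from this hunk, because the method starts and ends outside it, so that is worth checking before merging.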
diff --git a/ironic/objects/node.py b/ironic/objects/node.py
index 013d1b50d6..c8f79f2868 100644
--- a/ironic/objects/node.py
+++ b/ironic/objects/node.py
@@ -168,13 +168,17 @@ class Node(base.IronicObject, object_base.VersionedObjectDictCompat):
         'network_data': object_fields.FlexibleDictField(nullable=True),
     }
 
-    def as_dict(self, secure=False):
+    def as_dict(self, secure=False, mask_configdrive=True):
         d = super(Node, self).as_dict()
         if secure:
             d['driver_info'] = strutils.mask_dict_password(
                 d.get('driver_info', {}), "******")
-            d['instance_info'] = strutils.mask_dict_password(
-                d.get('instance_info', {}), "******")
+            iinfo = d.pop('instance_info', {})
+            if not mask_configdrive:
+                configdrive = iinfo.pop('configdrive', None)
+            d['instance_info'] = strutils.mask_dict_password(iinfo, "******")
+            if not mask_configdrive and configdrive:
+                d['instance_info']['configdrive'] = configdrive
             d['driver_internal_info'] = strutils.mask_dict_password(
                 d.get('driver_internal_info', {}), "******")
         return d
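Review bot: `iinfo.pop('configdrive', None)` may remove the configdrive from the node object itself rather than only from the returned dict. If `super(Node, self).as_dict()` hands back the live `instance_info` dict instead of a copy (not visible in this hunk), the first `as_dict(secure=True, mask_configdrive=False)` call strips the key from the in-memory node. Popping from a copy avoids that: `iinfo = dict(d.pop('instance_info', {}))`. Separately, `configdrive` is bound only inside the first `if not mask_configdrive:` and the later check relies on short-circuiting to avoid a NameError; `configdrive = None if mask_configdrive else iinfo.pop('configdrive', None)` makes that explicit. A docstring on `as_dict` stating that `mask_configdrive` takes effect only with `secure=True` and that masking is the default would help callers choose the safe form.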
diff --git a/ironic/tests/unit/objects/test_node.py b/ironic/tests/unit/objects/test_node.py
index dd23995b9d..a9dd2684b2 100644
--- a/ironic/tests/unit/objects/test_node.py
+++ b/ironic/tests/unit/objects/test_node.py
@@ -61,6 +61,18 @@ class TestNodeObject(db_base.DbTestCase, obj_utils.SchemasTestMixIn):
         # Ensure the node can be serialised.
         jsonutils.dumps(d)
 
+    def test_as_dict_secure_with_configdrive(self):
+        self.node.driver_info['ipmi_password'] = 'fake'
+        self.node.instance_info['configdrive'] = 'data'
+        self.node.driver_internal_info['agent_secret_token'] = 'abc'
+        d = self.node.as_dict(secure=True, mask_configdrive=False)
+        self.assertEqual('******', d['driver_info']['ipmi_password'])
+        self.assertEqual('data', d['instance_info']['configdrive'])
+        self.assertEqual('******',
+                         d['driver_internal_info']['agent_secret_token'])
+        # Ensure the node can be serialised.
+        jsonutils.dumps(d)
+
     def test_as_dict_with_traits(self):
         self.fake_node['traits'] = ['CUSTOM_1']
         self.node = obj_utils.get_test_node(self.ctxt, **self.fake_node)
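Review bot: `test_as_dict_secure_with_configdrive` does not check that other secrets in `instance_info` stay masked when the configdrive is let through, which is the property the pop-and-reinsert logic in `Node.as_dict` exists to preserve. Adding a second key that `mask_dict_password` masks (a constructed example: `self.node.instance_info['image_password'] = 'fake'`) and asserting it comes back as `'******'` would cover that. It is also worth asserting `self.assertEqual('data', self.node.instance_info['configdrive'])` after the call, so the test fails if `as_dict` mutates the node. `test_as_dict_with_traits`, which closes the hunk, continues outside it.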
diff --git a/releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml b/releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml
new file mode 100644
index 0000000000..e3751665a9
--- /dev/null
+++ b/releasenotes/notes/deploy-step-configdrive-86ea2bb267211b88.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    No longer masks configdrive when sending the node's record to in-band
+    deploy steps.