Bug 1599633 - Horizon SECRET_KEY should be 64 characters as per upstream documentation
Summary: Horizon SECRET_KEY should be 64 characters as per upstream documentation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 14.0 (Rocky)
Assignee: RHOS Maint
QA Contact: Gurenko Alex
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-07-10 09:02 UTC by Eduard Barrera
Modified: 2019-03-18 13:03 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-9.2.1-0.20190119154863.el7ost
Doc Type: Enhancement
Doc Text:
This enhancement improves security by increasing the length of the auto-generated Horizon SECRET_KEY from 10 to 64 characters.
Clone Of:
Environment:
Last Closed: 2019-03-18 13:03:09 UTC
Target Upstream Version:




Links
System: ID (Last Updated)
OpenStack gerrit: 581274 (2018-07-10 11:20:32 UTC)
Red Hat Product Errata: RHBA-2019:0446 (2019-03-18 13:03:18 UTC)

Description Eduard Barrera 2018-07-10 09:02:05 UTC
Description of problem:

Currently horizon SECRET_KEY is 10 characters long:

"""
https://github.com/openstack/tripleo-heat-templates/blob/master/overcloud.j2.yaml#L320

  HorizonSecret:
    type: OS::TripleO::RandomString
    properties:
      length: 10
"""

but upstream documentation says that it should be 64:

https://docs.openstack.org/security-guide/dashboard/secret-key.html

"""
The dashboard depends on a shared SECRET_KEY setting for some security functions. The secret key should be a randomly generated string at least 64 characters long, which must be shared across all active dashboard instances. Compromise of this key may allow a remote attacker to execute arbitrary code. Rotating this key invalidates existing user sessions and caching. Do not commit this key to public repositories.
"""


Expected results:


Additional info:

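The 10-versus-64 character gap described above, worked through as an added example (this is not code from tripleo-heat-templates, Horizon, or the bug's reporter): a small Python audit that pulls SECRET_KEY out of the body of a Horizon local_settings.py, scores its length and entropy against the security guide's 64-character floor, and generates a replacement key of the recommended length. It assumes the key is rendered into the settings file as a line of the form SECRET_KEY = '<value>', and that the random string is drawn from letters and digits (62 symbols, the default character class of OS::Heat::RandomString, which OS::TripleO::RandomString wraps). Both are assumptions, not facts stated on this page; the sample settings text and key values are constructed.

```python
"""Audit and regenerate a Horizon (Django) SECRET_KEY.

Added example, not code from tripleo-heat-templates or Horizon.
Assumed (not stated on the bug): the key lands in local_settings.py as
    SECRET_KEY = '<value>'
and the random string is drawn from letters+digits (62 symbols), the
default character class of OS::Heat::RandomString.
"""
import math
import re
import secrets
import string

MIN_SECRET_KEY_LEN = 64                            # security-guide floor
ALPHABET = string.ascii_letters + string.digits    # 62 symbols (assumed)
_SECRET_KEY_RE = re.compile(r"""^\s*SECRET_KEY\s*=\s*(['"])(.*?)\1""", re.M)


def extract_secret_key(settings_text):
    """Return the SECRET_KEY string literal from a settings body, or None."""
    m = _SECRET_KEY_RE.search(settings_text)
    return m.group(2) if m else None


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy (bits) of a uniformly random string of this length/alphabet."""
    return length * math.log2(alphabet_size)


def audit_secret_key(key):
    """Compare a key against the 64-character guidance; return the findings."""
    return {
        "length": len(key),
        "entropy_bits": round(entropy_bits(len(key)), 1),
        "meets_guidance": len(key) >= MIN_SECRET_KEY_LEN,
    }


def generate_secret_key(length=MIN_SECRET_KEY_LEN):
    """Produce a replacement key: `length` CSPRNG-chosen letters and digits.

    The same value must be installed on every dashboard instance, and
    rotating it invalidates existing sessions (per the security guide).
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed sample: what a deployment built from the old 10-character
# template might render into local_settings.py (key value is made up).
WEAK_LOCAL_SETTINGS = """\
DEBUG = False
SECRET_KEY = 'a1B2c3D4e5'
ALLOWED_HOSTS = ['*']
"""

if __name__ == "__main__":
    weak = extract_secret_key(WEAK_LOCAL_SETTINGS)
    print("old template (length 10):", audit_secret_key(weak))
    print("new template (length 64):", audit_secret_key(generate_secret_key()))
```

Run against a real dashboard node by reading its local_settings.py into extract_secret_key; the 10-character template gives roughly 59.5 bits of entropy, the 64-character one roughly 381 bits, which is the difference the errata closes.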
Comment 8 errata-xmlrpc 2019-03-18 13:03:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0446

