)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a59e17e42905ba0b0f25e77aff6870a3f6e957b1","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Julia Kreger \u003cjuliaashleykreger@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2020-02-19 14:04:04 -0800"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"WIP: Hash the rescue_password"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In order to provide increased security, it is necessary"},{"line_number":10,"context_line":"to hash the rescue password in advance of it being stored"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":11,"id":"3fa7e38b_e06fe25e","line":7,"updated":"2020-02-20 13:50:51.000000000","message":"No longer WIP?","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"8fef8588f8b7d780d7eaf4fe027465bfba84ea26","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Julia Kreger \u003cjuliaashleykreger@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2020-02-19 14:04:04 -0800"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"WIP: Hash the rescue_password"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In order to provide increased security, it is necessary"},{"line_number":10,"context_line":"to hash the rescue password in advance of it being stored"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":11,"id":"3fa7e38b_c2f74328","line":7,"in_reply_to":"3fa7e38b_e06fe25e","updated":"2020-02-20 21:09:40.000000000","message":"nope, now wip again due to the amount of changes and needing to make sure that things were not horribly 
broken. :(","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a59e17e42905ba0b0f25e77aff6870a3f6e957b1","unresolved":false,"context_lines":[{"line_number":16,"context_line":"to stable branches and perform a release as it is a"},{"line_number":17,"context_line":"security improvement."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Depends-On: https://review.opendev.org/#/c/691372/"},{"line_number":20,"context_line":"Change-Id: I1e118467a536229de6f7c245c1c48f0af38dcef2"},{"line_number":21,"context_line":"Story: 2006777"},{"line_number":22,"context_line":"Task: 27301"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":11,"id":"3fa7e38b_006b1e54","line":19,"updated":"2020-02-20 13:50:51.000000000","message":"Not needed","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"75ca05db7ee6671aa757542718ac160e12c6de2f","unresolved":false,"context_lines":[{"line_number":11,"context_line":"into the database and to provide some sort of control for"},{"line_number":12,"context_line":"hash strength."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change IS incompatible with prior IPA versions,"},{"line_number":15,"context_line":"but I fully expect we will backport the change to IPA on"},{"line_number":16,"context_line":"to stable branches and perform a release as it is a"},{"line_number":17,"context_line":"security improvement."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"1fa4df85_49b74af6","line":14,"range":{"start_line":14,"start_character":15,"end_line":14,"end_character":27},"updated":"2020-03-11 01:49:46.000000000","message":":( This is always an overhead in production, can we make it optional, e.g, None to not 
hashing?","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1ee947fe7d0f92d39af2bf5e268b98d65c608742","unresolved":false,"context_lines":[{"line_number":11,"context_line":"into the database and to provide some sort of control for"},{"line_number":12,"context_line":"hash strength."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change IS incompatible with prior IPA versions,"},{"line_number":15,"context_line":"but I fully expect we will backport the change to IPA on"},{"line_number":16,"context_line":"to stable branches and perform a release as it is a"},{"line_number":17,"context_line":"security improvement."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"1fa4df85_f8fef536","line":14,"range":{"start_line":14,"start_character":15,"end_line":14,"end_character":27},"in_reply_to":"1fa4df85_49b74af6","updated":"2020-03-11 14:31:37.000000000","message":"Why not do the similar thing to agent tokens? I.e. 
detect the IPA version to know whether to hash the password and then provide an option to force hashing?","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"9264ac476b5e995a97405aaf3ab5b274cb8054a9","unresolved":false,"context_lines":[{"line_number":11,"context_line":"into the database and to provide some sort of control for"},{"line_number":12,"context_line":"hash strength."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change IS incompatible with prior IPA versions,"},{"line_number":15,"context_line":"but I fully expect we will backport the change to IPA on"},{"line_number":16,"context_line":"to stable branches and perform a release as it is a"},{"line_number":17,"context_line":"security improvement."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"1fa4df85_90a3f900","line":14,"range":{"start_line":14,"start_character":15,"end_line":14,"end_character":27},"in_reply_to":"1fa4df85_7e44231c","updated":"2020-03-13 01:48:53.000000000","message":"It\u0027s optional, but still an operation a tenant can do, I can imagine user will complain when his rescue failed and the desire to kick admin off :)\nAnyway, I think it\u0027s acceptable, the global rescue_kernel/ramdisk option can spread some love on this.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"283f4b6c61e0cad1d1f187bd5680575a67a6e50d","unresolved":false,"context_lines":[{"line_number":11,"context_line":"into the database and to provide some sort of control for"},{"line_number":12,"context_line":"hash strength."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change IS incompatible with prior IPA versions,"},{"line_number":15,"context_line":"but I fully expect 
we will backport the change to IPA on"},{"line_number":16,"context_line":"to stable branches and perform a release as it is a"},{"line_number":17,"context_line":"security improvement."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"1fa4df85_b7bfdea8","line":14,"range":{"start_line":14,"start_character":15,"end_line":14,"end_character":27},"in_reply_to":"1fa4df85_90a3f900","updated":"2020-03-17 09:06:40.000000000","message":"Sorry, Julia, I don\u0027t quite get it. I understand that we want to be in a more secure place, but we also don\u0027t want to introduce breakages for people who may not care much (think, single-tenant trusted deployments).\n\nAnother thought: if this change is compatible, it may be backportable. Otherwise it\u0027s strictly Ussuri-only.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"760340ab136c107194d00ec99e436f24d95be92a","unresolved":false,"context_lines":[{"line_number":11,"context_line":"into the database and to provide some sort of control for"},{"line_number":12,"context_line":"hash strength."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change IS incompatible with prior IPA versions,"},{"line_number":15,"context_line":"but I fully expect we will backport the change to IPA on"},{"line_number":16,"context_line":"to stable branches and perform a release as it is a"},{"line_number":17,"context_line":"security improvement."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"1fa4df85_7e44231c","line":14,"range":{"start_line":14,"start_character":15,"end_line":14,"end_character":27},"in_reply_to":"1fa4df85_f8fef536","updated":"2020-03-11 22:52:32.000000000","message":"Kaifeng, Well, rescue is kind of optional, and it is only during rescue.\n\nDmitry, There is no way. 
We receive this password from the API client, be it nova or a user directly invoking rescue from OSC or another api client. So the hashing is also intended to secure the data at rest. Additionally, the driver_internal_info field is optional, and it would not necessarily be representative of the current ram disk.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"b19bfaf7ad662d6b67a25a687032138153fea567","unresolved":false,"context_lines":[{"line_number":11,"context_line":"into the database and to provide some sort of control for"},{"line_number":12,"context_line":"hash strength."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change IS incompatible with prior IPA versions with"},{"line_number":15,"context_line":"regard to use of the rescue feature, but I fully expect"},{"line_number":16,"context_line":"we will backport the change to IPA on to stable branches"},{"line_number":17,"context_line":"and perform a release as it is a security improvement."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":20,"id":"df33271e_29f19ace","line":14,"updated":"2020-03-26 15:30:10.000000000","message":"It\u0027s now compatible","commit_id":"fcaefdbe74c63d6ad42fd23cdb5cb98373d83443"}],"devstack/lib/ironic":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":470,"context_line":"IRONIC_DEPLOY_FAST_TRACK\u003d${IRONIC_DEPLOY_FAST_TRACK:-False}"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"# If to require passwords being received by rescue to be hashed prior to 
transmission."},{"line_number":473,"context_line":"IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD\u003d${IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD:-False}"},{"line_number":474,"context_line":""},{"line_number":475,"context_line":"# Define baremetal min_microversion in tempest config. Default value None is picked from tempest."},{"line_number":476,"context_line":"TEMPEST_BAREMETAL_MIN_MICROVERSION\u003d${TEMPEST_BAREMETAL_MIN_MICROVERSION:-}"}],"source_content_type":"application/x-shellscript","patch_set":10,"id":"3fa7e38b_e04a94ac","line":473,"updated":"2020-02-19 15:37:56.000000000","message":"Why not true? You set it to true in the CI anyway.","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":470,"context_line":"IRONIC_DEPLOY_FAST_TRACK\u003d${IRONIC_DEPLOY_FAST_TRACK:-False}"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"# If to require passwords being received by rescue to be hashed prior to transmission."},{"line_number":473,"context_line":"IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD\u003d${IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD:-False}"},{"line_number":474,"context_line":""},{"line_number":475,"context_line":"# Define baremetal min_microversion in tempest config. 
Default value None is picked from tempest."},{"line_number":476,"context_line":"TEMPEST_BAREMETAL_MIN_MICROVERSION\u003d${TEMPEST_BAREMETAL_MIN_MICROVERSION:-}"}],"source_content_type":"application/x-shellscript","patch_set":10,"id":"3fa7e38b_97a67d0e","line":473,"in_reply_to":"3fa7e38b_e04a94ac","updated":"2020-02-19 22:05:38.000000000","message":"Done","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":1381,"context_line":"    fi"},{"line_number":1382,"context_line":"    if [[ \"$IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD\" \u003d\u003d \"True\" ]]; then"},{"line_number":1383,"context_line":"\t# Mostly API oriented settings for securing rescue password in transit."},{"line_number":1384,"context_line":"\t# should be made mandatory in W* cycle."},{"line_number":1385,"context_line":"        iniset $IRONIC_CONF_FILE api password_hash_strength sha256"},{"line_number":1386,"context_line":"        iniset $IRONIC_CONF_FILE DEFAULT require_rescue_password_hashed True"},{"line_number":1387,"context_line":"    fi"}],"source_content_type":"application/x-shellscript","patch_set":10,"id":"3fa7e38b_804720a5","line":1384,"updated":"2020-02-19 15:37:56.000000000","message":"nit s/tabs/spaces/","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":1381,"context_line":"    fi"},{"line_number":1382,"context_line":"    if [[ \"$IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD\" \u003d\u003d \"True\" ]]; then"},{"line_number":1383,"context_line":"\t# Mostly API oriented settings for securing rescue 
password in transit."},{"line_number":1384,"context_line":"\t# should be made mandatory in W* cycle."},{"line_number":1385,"context_line":"        iniset $IRONIC_CONF_FILE api password_hash_strength sha256"},{"line_number":1386,"context_line":"        iniset $IRONIC_CONF_FILE DEFAULT require_rescue_password_hashed True"},{"line_number":1387,"context_line":"    fi"}],"source_content_type":"application/x-shellscript","patch_set":10,"id":"3fa7e38b_f7a1f1f7","line":1384,"in_reply_to":"3fa7e38b_804720a5","updated":"2020-02-19 22:05:38.000000000","message":"Done","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":1382,"context_line":"    if [[ \"$IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD\" \u003d\u003d \"True\" ]]; then"},{"line_number":1383,"context_line":"\t# Mostly API oriented settings for securing rescue password in transit."},{"line_number":1384,"context_line":"\t# should be made mandatory in W* cycle."},{"line_number":1385,"context_line":"        iniset $IRONIC_CONF_FILE api password_hash_strength sha256"},{"line_number":1386,"context_line":"        iniset $IRONIC_CONF_FILE DEFAULT require_rescue_password_hashed True"},{"line_number":1387,"context_line":"    fi"},{"line_number":1388,"context_line":"}"}],"source_content_type":"application/x-shellscript","patch_set":10,"id":"3fa7e38b_a0449ca0","line":1385,"updated":"2020-02-19 15:37:56.000000000","message":"I don\u0027t think options like this should be set in devstack, it diverges from the default","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":1382,"context_line":"    if [[ \"$IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD\" \u003d\u003d \"True\" ]]; then"},{"line_number":1383,"context_line":"\t# Mostly API oriented settings for securing rescue password in transit."},{"line_number":1384,"context_line":"\t# should be made mandatory in W* cycle."},{"line_number":1385,"context_line":"        iniset $IRONIC_CONF_FILE api password_hash_strength sha256"},{"line_number":1386,"context_line":"        iniset $IRONIC_CONF_FILE DEFAULT require_rescue_password_hashed True"},{"line_number":1387,"context_line":"    fi"},{"line_number":1388,"context_line":"}"}],"source_content_type":"application/x-shellscript","patch_set":10,"id":"3fa7e38b_d79cf5bf","line":1385,"in_reply_to":"3fa7e38b_a0449ca0","updated":"2020-02-19 22:05:38.000000000","message":"Done","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"}],"ironic/api/controllers/v1/utils.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"31bb981b150396e626049640f59f18a3b56700e0","unresolved":false,"context_lines":[{"line_number":1189,"context_line":"    \"\"\""},{"line_number":1190,"context_line":"    rand \u003d random.SystemRandom()"},{"line_number":1191,"context_line":"    # TODO(TheJulia): Make make this configurable?"},{"line_number":1192,"context_line":"    prefix \u003d \"$6$\"  # SHA512 indicator"},{"line_number":1193,"context_line":"    allowed_chars \u003d string.ascii_letters + string.digits"},{"line_number":1194,"context_line":"    salt \u003d \u0027\u0027.join(rand.choice(allowed_chars) for _ in range(16))"},{"line_number":1195,"context_line":"    return prefix + salt"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_6152bf15","line":1192,"updated":"2019-10-28 
18:02:24.000000000","message":"Yeah, I think we\u0027re going to have to make this selectable.","commit_id":"694e44cc45335b93c233dba3e4c0b8c1de292332"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"31bb981b150396e626049640f59f18a3b56700e0","unresolved":false,"context_lines":[{"line_number":1200,"context_line":""},{"line_number":1201,"context_line":"    :param value: Value to be hashed"},{"line_number":1202,"context_line":"    \"\"\""},{"line_number":1203,"context_line":"    return crypt.crypt(password, make_salt())"}],"source_content_type":"text/x-python","patch_set":1,"id":"3fa7e38b_4176a3a6","line":1203,"updated":"2019-10-28 18:02:24.000000000","message":"Quite possibly, if the selection is none, just return the password back. :\\\n\nThere seems to be issues with some of the parsing possibly on the running OS, so if tinycore doesn\u0027t grok it, we\u0027re going to have issues in CI.","commit_id":"694e44cc45335b93c233dba3e4c0b8c1de292332"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b27d9bfdb9aad59fea782f1b712ca707b929a69","unresolved":false,"context_lines":[{"line_number":1273,"context_line":""},{"line_number":1274,"context_line":"    :returns: a valid salt for use with crypt.crypt"},{"line_number":1275,"context_line":"    \"\"\""},{"line_number":1276,"context_line":"    if (CONF.require_rescue_password_hashed"},{"line_number":1277,"context_line":"        and not CONF.api.password_hash_strength):"},{"line_number":1278,"context_line":"        # Fail operations because we can\u0027t move forward,"},{"line_number":1279,"context_line":"        # the configuration is invalid."},{"line_number":1280,"context_line":"        raise 
exception.InstanceRescueFailure("}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_24942036","line":1277,"range":{"start_line":1276,"start_character":0,"end_line":1277,"end_character":49},"updated":"2019-12-19 16:21:25.000000000","message":"@Dmitry, I think my biggest concern over confusion is over parameter names because it feels like we need a \"hard requirement\" and a setting option. Maybe they should be one and the same, but we also likely need to move to having an explicit preference, though we can also do that through the config setting.\n\nIn other words, thoughts required.","commit_id":"308654951fa8f4075d56a6b494fad603c7bc5366"},{"author":{"_account_id":11076,"name":"Shivanand Tendulker","email":"stendulker@gmail.com","username":"stendulker"},"change_message_id":"f8913a17591643de7df344d4a96fe9c5f85b9c41","unresolved":false,"context_lines":[{"line_number":1280,"context_line":""},{"line_number":1281,"context_line":""},{"line_number":1282,"context_line":"def make_salt():"},{"line_number":1283,"context_line":"    \"\"\"Generate a random salt with the indiator tag for password type."},{"line_number":1284,"context_line":""},{"line_number":1285,"context_line":"    :returns: a valid salt for use with crypt.crypt"},{"line_number":1286,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_647d386f","line":1283,"range":{"start_line":1283,"start_character":39,"end_line":1283,"end_character":47},"updated":"2020-02-05 08:42:39.000000000","message":"nit: indicator","commit_id":"6be3b669c499ceeb035f5546a9f7679196752384"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":80,"context_line":"CUSTOM_TRAIT_REGEX \u003d re.compile(\"^%s[A-Z0-9_]+$\" % 
os_traits.CUSTOM_NAMESPACE)"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"PASSWORD_HASH_FORMAT \u003d {"},{"line_number":83,"context_line":"    \u0027md5\u0027: \u0027$1$\u0027,"},{"line_number":84,"context_line":"    \u0027bcrypt\u0027: \u0027$2a$\u0027,"},{"line_number":85,"context_line":"    \u0027sha256\u0027: \u0027$5$\u0027,"},{"line_number":86,"context_line":"    \u0027sha512\u0027: \u0027$6$\u0027,"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_00549055","line":83,"updated":"2020-02-19 15:37:56.000000000","message":"Let\u0027s drop md5. It causes problems in FIPS environments, insecure and is not even used in devstack.","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":80,"context_line":"CUSTOM_TRAIT_REGEX \u003d re.compile(\"^%s[A-Z0-9_]+$\" % os_traits.CUSTOM_NAMESPACE)"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"PASSWORD_HASH_FORMAT \u003d {"},{"line_number":83,"context_line":"    \u0027md5\u0027: \u0027$1$\u0027,"},{"line_number":84,"context_line":"    \u0027bcrypt\u0027: \u0027$2a$\u0027,"},{"line_number":85,"context_line":"    \u0027sha256\u0027: \u0027$5$\u0027,"},{"line_number":86,"context_line":"    \u0027sha512\u0027: \u0027$6$\u0027,"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_04381deb","line":83,"in_reply_to":"3fa7e38b_00549055","updated":"2020-02-19 22:05:38.000000000","message":"Done","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury 
Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"27ad26f127b21f2d399e628496066c372356225e","unresolved":false,"context_lines":[{"line_number":1338,"context_line":"    :returns: a valid salt for use with crypt.crypt"},{"line_number":1339,"context_line":"    \"\"\""},{"line_number":1340,"context_line":""},{"line_number":1341,"context_line":"    rand \u003d random.SystemRandom()"},{"line_number":1342,"context_line":"    prefix \u003d PASSWORD_HASH_FORMAT[CONF.api.password_hash_algorithm]"},{"line_number":1343,"context_line":"    allowed_chars \u003d string.ascii_letters + string.digits"},{"line_number":1344,"context_line":"    salt \u003d \u0027\u0027.join(rand.choice(allowed_chars) for _ in range(16))"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_ac05a216","line":1341,"range":{"start_line":1341,"start_character":4,"end_line":1341,"end_character":32},"updated":"2020-03-11 15:02:44.000000000","message":"considering that we want to be in compliance with FIPS I would say to move to secrets module (we talked on irc already)","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"760340ab136c107194d00ec99e436f24d95be92a","unresolved":false,"context_lines":[{"line_number":1338,"context_line":"    :returns: a valid salt for use with crypt.crypt"},{"line_number":1339,"context_line":"    \"\"\""},{"line_number":1340,"context_line":""},{"line_number":1341,"context_line":"    rand \u003d random.SystemRandom()"},{"line_number":1342,"context_line":"    prefix \u003d PASSWORD_HASH_FORMAT[CONF.api.password_hash_algorithm]"},{"line_number":1343,"context_line":"    allowed_chars \u003d string.ascii_letters + string.digits"},{"line_number":1344,"context_line":"    salt \u003d \u0027\u0027.join(rand.choice(allowed_chars) for _ in 
range(16))"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_1e208f49","line":1341,"range":{"start_line":1341,"start_character":4,"end_line":1341,"end_character":32},"in_reply_to":"1fa4df85_ac05a216","updated":"2020-03-11 22:52:32.000000000","message":"based on other feedback, it seems it will just be a passthrough to crypt since they want crypt.mksalt used instead.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"75ca05db7ee6671aa757542718ac160e12c6de2f","unresolved":false,"context_lines":[{"line_number":1342,"context_line":"    prefix \u003d PASSWORD_HASH_FORMAT[CONF.api.password_hash_algorithm]"},{"line_number":1343,"context_line":"    allowed_chars \u003d string.ascii_letters + string.digits"},{"line_number":1344,"context_line":"    salt \u003d \u0027\u0027.join(rand.choice(allowed_chars) for _ in range(16))"},{"line_number":1345,"context_line":"    return prefix + salt"},{"line_number":1346,"context_line":""},{"line_number":1347,"context_line":""},{"line_number":1348,"context_line":"def hash_password(password\u003d\u0027\u0027):"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_69bec6d5","line":1345,"updated":"2020-03-11 01:49:46.000000000","message":"I am not sure why we need to prefix manually, it seems we can use crypt.mksalt to make a salt according to specified algorithms, one thing I am not clear is bcrypt, I guess it\u0027s blowfish but it\u0027s not available on my system so I can\u0027t validate.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1ee947fe7d0f92d39af2bf5e268b98d65c608742","unresolved":false,"context_lines":[{"line_number":1342,"context_line":"    prefix \u003d 
PASSWORD_HASH_FORMAT[CONF.api.password_hash_algorithm]"},{"line_number":1343,"context_line":"    allowed_chars \u003d string.ascii_letters + string.digits"},{"line_number":1344,"context_line":"    salt \u003d \u0027\u0027.join(rand.choice(allowed_chars) for _ in range(16))"},{"line_number":1345,"context_line":"    return prefix + salt"},{"line_number":1346,"context_line":""},{"line_number":1347,"context_line":""},{"line_number":1348,"context_line":"def hash_password(password\u003d\u0027\u0027):"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_98e261a0","line":1345,"in_reply_to":"1fa4df85_69bec6d5","updated":"2020-03-11 14:31:37.000000000","message":"Yeah, I think we should use https://docs.python.org/3.6/library/crypt.html instead of the custom algorithm.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"9264ac476b5e995a97405aaf3ab5b274cb8054a9","unresolved":false,"context_lines":[{"line_number":81,"context_line":"PASSWORD_HASH_FORMAT \u003d {"},{"line_number":82,"context_line":"    # Note(TheJulia): This list should include bcrypt, but"},{"line_number":83,"context_line":"    # python3.6 lacks support for blowfish."},{"line_number":84,"context_line":"    # \u0027bcrypt\u0027: crypt.METHOD_BLOWFISH,"},{"line_number":85,"context_line":"    \u0027sha256\u0027: crypt.METHOD_SHA256,"},{"line_number":86,"context_line":"    \u0027sha512\u0027: crypt.METHOD_SHA512,"},{"line_number":87,"context_line":"}"}],"source_content_type":"text/x-python","patch_set":16,"id":"1fa4df85_1ccba51e","line":84,"updated":"2020-03-13 01:48:53.000000000","message":"I think we can add a check during start up whether BLOWFISH is available in the crypt, so that user using python3.7 and above can still benefit from it (in case there is a desire to do 
so).","commit_id":"4c0a54b731335ddcb3849097c3292be2ad1f044b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"8fb60b38529e2f83ea63a2e909d0727a87e267da","unresolved":false,"context_lines":[{"line_number":81,"context_line":"PASSWORD_HASH_FORMAT \u003d {"},{"line_number":82,"context_line":"    # Note(TheJulia): This list should include bcrypt, but"},{"line_number":83,"context_line":"    # python3.6 lacks support for blowfish."},{"line_number":84,"context_line":"    # \u0027bcrypt\u0027: crypt.METHOD_BLOWFISH,"},{"line_number":85,"context_line":"    \u0027sha256\u0027: crypt.METHOD_SHA256,"},{"line_number":86,"context_line":"    \u0027sha512\u0027: crypt.METHOD_SHA512,"},{"line_number":87,"context_line":"}"}],"source_content_type":"text/x-python","patch_set":16,"id":"1fa4df85_83d5cc1d","line":84,"in_reply_to":"1fa4df85_1ccba51e","updated":"2020-03-16 23:35:47.000000000","message":"But we would also have to do the same for the configuration. 
I\u0027d prefer we just wait until we increment past 3.6 as our minimum supported version.","commit_id":"4c0a54b731335ddcb3849097c3292be2ad1f044b"}],"ironic/conductor/manager.py":[{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"275cf89b848fc2353ca7a1b6d3d60c4cb6f05714","unresolved":false,"context_lines":[{"line_number":611,"context_line":"            # driver validation may check rescue_password, so save it on the"},{"line_number":612,"context_line":"            # node early"},{"line_number":613,"context_line":"            i_info \u003d node.instance_info"},{"line_number":614,"context_line":"            i_info[\u0027rescue_password\u0027] \u003d rescue_password"},{"line_number":615,"context_line":"            i_info[\u0027hashed_rescue_password\u0027] \u003d utils.hash_password("},{"line_number":616,"context_line":"                rescue_password)"},{"line_number":617,"context_line":"            node.instance_info \u003d i_info"}],"source_content_type":"text/x-python","patch_set":20,"id":"df33271e_adcadf6a","line":614,"updated":"2020-03-26 07:03:59.000000000","message":"Considering rescue_password could be None, I think we need a check here so we wouldn\u0027t hash a None value; doing so would expose a traceback.","commit_id":"fcaefdbe74c63d6ad42fd23cdb5cb98373d83443"}],"ironic/conductor/utils.py":[{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"496cb4c04548d2fcc7c9dfbbc74e506c30fd8945","unresolved":false,"context_lines":[{"line_number":46,"context_line":"PASSWORD_HASH_FORMAT \u003d {"},{"line_number":47,"context_line":"    # Note(TheJulia): This list should include bcrypt, but"},{"line_number":48,"context_line":"    # python3.6 lacks support for blowfish."},{"line_number":49,"context_line":"    # \u0027bcrypt\u0027: 
crypt.METHOD_BLOWFISH,"},{"line_number":50,"context_line":"    \u0027sha256\u0027: crypt.METHOD_SHA256,"},{"line_number":51,"context_line":"    \u0027sha512\u0027: crypt.METHOD_SHA512,"},{"line_number":52,"context_line":"}"}],"source_content_type":"text/x-python","patch_set":19,"id":"df33271e_df9289f6","line":49,"updated":"2020-03-24 19:50:11.000000000","message":"I wouldn\u0027t include bcrypt since it\u0027s not in compliance with FIPS 140-2","commit_id":"22b9e9a718e40c25f769ae859e2879f345e38616"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"fb13075960b824c12d61689e27ccdd3463b97f14","unresolved":false,"context_lines":[{"line_number":46,"context_line":"PASSWORD_HASH_FORMAT \u003d {"},{"line_number":47,"context_line":"    # Note(TheJulia): This list should include bcrypt, but"},{"line_number":48,"context_line":"    # python3.6 lacks support for blowfish."},{"line_number":49,"context_line":"    # \u0027bcrypt\u0027: crypt.METHOD_BLOWFISH,"},{"line_number":50,"context_line":"    \u0027sha256\u0027: crypt.METHOD_SHA256,"},{"line_number":51,"context_line":"    \u0027sha512\u0027: crypt.METHOD_SHA512,"},{"line_number":52,"context_line":"}"}],"source_content_type":"text/x-python","patch_set":19,"id":"df33271e_3a2d8343","line":49,"in_reply_to":"df33271e_df9289f6","updated":"2020-03-24 20:11:22.000000000","message":"good enough reason to excise it.","commit_id":"22b9e9a718e40c25f769ae859e2879f345e38616"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"275cf89b848fc2353ca7a1b6d3d60c4cb6f05714","unresolved":false,"context_lines":[{"line_number":717,"context_line":""},{"line_number":718,"context_line":"    if \u0027hashed_rescue_password\u0027 in instance_info:"},{"line_number":719,"context_line":"        del 
instance_info[\u0027hashed_rescue_password\u0027]"},{"line_number":720,"context_line":""},{"line_number":721,"context_line":"    node.instance_info \u003d instance_info"},{"line_number":722,"context_line":"    if save:"},{"line_number":723,"context_line":"        node.save()"}],"source_content_type":"text/x-python","patch_set":20,"id":"df33271e_edba2708","line":720,"updated":"2020-03-26 07:03:59.000000000","message":"nit: pop() would simplify the code block. (inspired by dtantsur)","commit_id":"fcaefdbe74c63d6ad42fd23cdb5cb98373d83443"}],"ironic/conf/api.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":63,"context_line":"               default\u003d300,"},{"line_number":64,"context_line":"               help\u003d_(\u0027Maximum interval (in seconds) for agent heartbeats.\u0027)),"},{"line_number":65,"context_line":"    # TODO(TheJulia): Change this to sha512 in the Victoria development cycle."},{"line_number":66,"context_line":"    cfg.StrOpt(\u0027password_hash_strength\u0027,"},{"line_number":67,"context_line":"               default\u003dNone,"},{"line_number":68,"context_line":"               choices\u003d[None, \u0027md5\u0027, \u0027bcrypt\u0027, \u0027sha256\u0027, \u0027sha512\u0027],"},{"line_number":69,"context_line":"               help\u003d_(\u0027Password hash strength to be used for the rescue \u0027"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_20598c8c","line":66,"updated":"2020-02-19 15:37:56.000000000","message":"s/strength/algorithm/ to avoid confusion","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":63,"context_line":"               default\u003d300,"},{"line_number":64,"context_line":"               help\u003d_(\u0027Maximum interval (in seconds) for agent heartbeats.\u0027)),"},{"line_number":65,"context_line":"    # TODO(TheJulia): Change this to sha512 in the Victoria development cycle."},{"line_number":66,"context_line":"    cfg.StrOpt(\u0027password_hash_strength\u0027,"},{"line_number":67,"context_line":"               default\u003dNone,"},{"line_number":68,"context_line":"               choices\u003d[None, \u0027md5\u0027, \u0027bcrypt\u0027, \u0027sha256\u0027, \u0027sha512\u0027],"},{"line_number":69,"context_line":"               help\u003d_(\u0027Password hash strength to be used for the rescue \u0027"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_e49621ef","line":66,"in_reply_to":"3fa7e38b_20598c8c","updated":"2020-02-19 22:05:38.000000000","message":"Done","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"75ca05db7ee6671aa757542718ac160e12c6de2f","unresolved":false,"context_lines":[{"line_number":62,"context_line":"    cfg.IntOpt(\u0027ramdisk_heartbeat_timeout\u0027,"},{"line_number":63,"context_line":"               default\u003d300,"},{"line_number":64,"context_line":"               help\u003d_(\u0027Maximum interval (in seconds) for agent heartbeats.\u0027)),"},{"line_number":65,"context_line":"    cfg.StrOpt(\u0027password_hash_algorithm\u0027,"},{"line_number":66,"context_line":"               default\u003d\u0027sha256\u0027,"},{"line_number":67,"context_line":"               choices\u003d[\u0027sha256\u0027, \u0027bcrypt\u0027, \u0027sha512\u0027],"},{"line_number":68,"context_line":"               help\u003d_(\u0027Password hash algorithm to be used for the rescue 
\u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_e9de366b","line":65,"range":{"start_line":65,"start_character":16,"end_line":65,"end_character":39},"updated":"2020-03-11 01:49:46.000000000","message":"This option is only used for the rescue, so I feel rescue_password_hash_algorithm is more explicit on the meaning. If the name appears too long, we can change hash_algorithm to a common abbrev like halg.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"760340ab136c107194d00ec99e436f24d95be92a","unresolved":false,"context_lines":[{"line_number":62,"context_line":"    cfg.IntOpt(\u0027ramdisk_heartbeat_timeout\u0027,"},{"line_number":63,"context_line":"               default\u003d300,"},{"line_number":64,"context_line":"               help\u003d_(\u0027Maximum interval (in seconds) for agent heartbeats.\u0027)),"},{"line_number":65,"context_line":"    cfg.StrOpt(\u0027password_hash_algorithm\u0027,"},{"line_number":66,"context_line":"               default\u003d\u0027sha256\u0027,"},{"line_number":67,"context_line":"               choices\u003d[\u0027sha256\u0027, \u0027bcrypt\u0027, \u0027sha512\u0027],"},{"line_number":68,"context_line":"               help\u003d_(\u0027Password hash algorithm to be used for the rescue \u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_bed61b27","line":65,"range":{"start_line":65,"start_character":16,"end_line":65,"end_character":39},"in_reply_to":"1fa4df85_989021f0","updated":"2020-03-11 22:52:32.000000000","message":"I put it in API because the code is in API that the knob controls, and it didn\u0027t seem to really make sense to put it anywhere else.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":10239,"name":"Dmitry 
Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1ee947fe7d0f92d39af2bf5e268b98d65c608742","unresolved":false,"context_lines":[{"line_number":62,"context_line":"    cfg.IntOpt(\u0027ramdisk_heartbeat_timeout\u0027,"},{"line_number":63,"context_line":"               default\u003d300,"},{"line_number":64,"context_line":"               help\u003d_(\u0027Maximum interval (in seconds) for agent heartbeats.\u0027)),"},{"line_number":65,"context_line":"    cfg.StrOpt(\u0027password_hash_algorithm\u0027,"},{"line_number":66,"context_line":"               default\u003d\u0027sha256\u0027,"},{"line_number":67,"context_line":"               choices\u003d[\u0027sha256\u0027, \u0027bcrypt\u0027, \u0027sha512\u0027],"},{"line_number":68,"context_line":"               help\u003d_(\u0027Password hash algorithm to be used for the rescue \u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_989021f0","line":65,"range":{"start_line":65,"start_character":16,"end_line":65,"end_character":39},"in_reply_to":"1fa4df85_e9de366b","updated":"2020-03-11 14:31:37.000000000","message":"rescue_hash_algo? 
also I\u0027m not sure [api] is the appropriate place, it\u0027s not a property of the API.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"}],"ironic/conf/default.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":227,"context_line":"                      \u0027location or extract ESP image from UEFI-bootable \u0027"},{"line_number":228,"context_line":"                      \u0027deploy ISO image.\u0027)),"},{"line_number":229,"context_line":"    cfg.BoolOpt(\u0027require_rescue_password_hashed\u0027,"},{"line_number":230,"context_line":"                default\u003dFalse,  # TODO(TheJulia): Change this to True in W*"},{"line_number":231,"context_line":"                help\u003d_(\u0027Setting to require if the rescue password is to be \u0027"},{"line_number":232,"context_line":"                       \u0027hashed prior to transmission. If the ironic-python\u0027"},{"line_number":233,"context_line":"                       \u0027-agent performing the rescue operation does not \u0027"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_c04d18c7","line":230,"updated":"2020-02-19 15:37:56.000000000","message":"Do we need to insta-deprecate this option? 
Also it seems redundant with password_hash_algorithm.","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":227,"context_line":"                      \u0027location or extract ESP image from UEFI-bootable \u0027"},{"line_number":228,"context_line":"                      \u0027deploy ISO image.\u0027)),"},{"line_number":229,"context_line":"    cfg.BoolOpt(\u0027require_rescue_password_hashed\u0027,"},{"line_number":230,"context_line":"                default\u003dFalse,  # TODO(TheJulia): Change this to True in W*"},{"line_number":231,"context_line":"                help\u003d_(\u0027Setting to require if the rescue password is to be \u0027"},{"line_number":232,"context_line":"                       \u0027hashed prior to transmission. 
If the ironic-python\u0027"},{"line_number":233,"context_line":"                       \u0027-agent performing the rescue operation does not \u0027"}],"source_content_type":"text/x-python","patch_set":10,"id":"3fa7e38b_24b6798e","line":230,"in_reply_to":"3fa7e38b_c04d18c7","updated":"2020-02-19 22:05:38.000000000","message":"given the discussion of forcing it to sha256 by default, I\u0027ll just nuke this option.","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"}],"ironic/drivers/modules/agent_client.py":[{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"8014a5e59d12a40c6467342f37127ce395a5e7b8","unresolved":false,"context_lines":[{"line_number":375,"context_line":"        :raises: IronicException if rescue_password is missing, or when failed"},{"line_number":376,"context_line":"                 to issue the request, or there was a malformed response from"},{"line_number":377,"context_line":"                 the agent."},{"line_number":378,"context_line":"        :raises: AgentAPIError when agent failed to execute specified command."},{"line_number":379,"context_line":"        :returns: A dict containing command response from agent."},{"line_number":380,"context_line":"                  See :func:`get_commands_status` for a command result sample."},{"line_number":381,"context_line":"        \"\"\""}],"source_content_type":"text/x-python","patch_set":8,"id":"3fa7e38b_f3b8e1e7","line":378,"range":{"start_line":378,"start_character":17,"end_line":378,"end_character":30},"updated":"2020-02-07 11:43:01.000000000","message":"Now you catch this one and raise InstanceRescueFailure.","commit_id":"49527b988e2a0f3306ca9fc40c1fd8cc7407b769"},{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"8014a5e59d12a40c6467342f37127ce395a5e7b8","unresolved":false,"context_lines":[{"line_number":395,"context_line":"             
                    params\u003dparams)"},{"line_number":396,"context_line":"        except exception.AgentAPIError:"},{"line_number":397,"context_line":"            raise exception.InstanceRescueFailure("},{"line_number":398,"context_line":"                _(\u0027Unable to rescue node due to an out of date agent \u0027"},{"line_number":399,"context_line":"                  \u0027ramdisk. Please contact the administrator to update \u0027"},{"line_number":400,"context_line":"                  \u0027the rescue ramdisk.\u0027))"}],"source_content_type":"text/x-python","patch_set":8,"id":"3fa7e38b_a23459fb","line":400,"range":{"start_line":398,"start_character":1,"end_line":400,"end_character":41},"updated":"2020-02-07 11:43:01.000000000","message":"Nit: Would it make sense here to be more specific about which functionality is missing to give the admin a hint which version to consider?","commit_id":"49527b988e2a0f3306ca9fc40c1fd8cc7407b769"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a59e17e42905ba0b0f25e77aff6870a3f6e957b1","unresolved":false,"context_lines":[{"line_number":396,"context_line":"            raise exception.InstanceRescueFailure("},{"line_number":397,"context_line":"                _(\u0027Unable to rescue node due to an out of date agent \u0027"},{"line_number":398,"context_line":"                  \u0027ramdisk. Please contact the administrator to update \u0027"},{"line_number":399,"context_line":"                  \u0027the rescue ramdisk to a version greater than 5.0.\u0027))"}],"source_content_type":"text/x-python","patch_set":11,"id":"3fa7e38b_c08ae610","line":399,"updated":"2020-02-20 13:50:51.000000000","message":"\"at least 6.0.0\". 
5.0.1 is also greater than 5.0.","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"8fef8588f8b7d780d7eaf4fe027465bfba84ea26","unresolved":false,"context_lines":[{"line_number":396,"context_line":"            raise exception.InstanceRescueFailure("},{"line_number":397,"context_line":"                _(\u0027Unable to rescue node due to an out of date agent \u0027"},{"line_number":398,"context_line":"                  \u0027ramdisk. Please contact the administrator to update \u0027"},{"line_number":399,"context_line":"                  \u0027the rescue ramdisk to a version greater than 5.0.\u0027))"}],"source_content_type":"text/x-python","patch_set":11,"id":"3fa7e38b_c220a3a0","line":399,"in_reply_to":"3fa7e38b_c08ae610","updated":"2020-02-20 21:09:40.000000000","message":"/me wonders why we ended up on 6.0.0 instead of 5... 
but it may be just due to how long these patches have been up :(","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"75ca05db7ee6671aa757542718ac160e12c6de2f","unresolved":false,"context_lines":[{"line_number":376,"context_line":"                 to issue the request, or there was a malformed response from"},{"line_number":377,"context_line":"                 the agent."},{"line_number":378,"context_line":"        :raises: AgentAPIError when agent failed to execute specified command."},{"line_number":379,"context_line":"        :raises: InstanceRescueFailure when the agent ramdisk is too old to"},{"line_number":380,"context_line":"                 to support transmission of the rescue password."},{"line_number":381,"context_line":"        :returns: A dict containing command response from agent."},{"line_number":382,"context_line":"                  See :func:`get_commands_status` for a command result sample."}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_89a0e2f5","line":379,"range":{"start_line":379,"start_character":73,"end_line":379,"end_character":75},"updated":"2020-03-11 01:49:46.000000000","message":"nit: extra word","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"760340ab136c107194d00ec99e436f24d95be92a","unresolved":false,"context_lines":[{"line_number":376,"context_line":"                 to issue the request, or there was a malformed response from"},{"line_number":377,"context_line":"                 the agent."},{"line_number":378,"context_line":"        :raises: AgentAPIError when agent failed to execute specified command."},{"line_number":379,"context_line":"        :raises: InstanceRescueFailure when the agent 
ramdisk is too old to"},{"line_number":380,"context_line":"                 to support transmission of the rescue password."},{"line_number":381,"context_line":"        :returns: A dict containing command response from agent."},{"line_number":382,"context_line":"                  See :func:`get_commands_status` for a command result sample."}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_5efe076c","line":379,"range":{"start_line":379,"start_character":73,"end_line":379,"end_character":75},"in_reply_to":"1fa4df85_89a0e2f5","updated":"2020-03-11 22:52:32.000000000","message":"Done","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"75ca05db7ee6671aa757542718ac160e12c6de2f","unresolved":false,"context_lines":[{"line_number":396,"context_line":"            raise exception.InstanceRescueFailure("},{"line_number":397,"context_line":"                _(\u0027Unable to rescue node due to an out of date agent \u0027"},{"line_number":398,"context_line":"                  \u0027ramdisk. Please contact the administrator to update \u0027"},{"line_number":399,"context_line":"                  \u0027the rescue ramdisk to a version of at least 6.0.0.\u0027))"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_0995d286","line":399,"updated":"2020-03-11 01:49:46.000000000","message":"Maybe wording like: update the rescue ramdisk to with an agent version of at least 6.0.0?\nMaybe not correct in grammar.. 
I just mean the ramdisk version (if someone has versioned them) is not agent version.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"760340ab136c107194d00ec99e436f24d95be92a","unresolved":false,"context_lines":[{"line_number":396,"context_line":"            raise exception.InstanceRescueFailure("},{"line_number":397,"context_line":"                _(\u0027Unable to rescue node due to an out of date agent \u0027"},{"line_number":398,"context_line":"                  \u0027ramdisk. Please contact the administrator to update \u0027"},{"line_number":399,"context_line":"                  \u0027the rescue ramdisk to a version of at least 6.0.0.\u0027))"}],"source_content_type":"text/x-python","patch_set":14,"id":"1fa4df85_1ef88f7a","line":399,"in_reply_to":"1fa4df85_0995d286","updated":"2020-03-11 22:52:32.000000000","message":"Edited, let me know if it is better.","commit_id":"93a2ede72fb1a4e8cbbe9e5ce34b233cd7c31c15"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"9264ac476b5e995a97405aaf3ab5b274cb8054a9","unresolved":false,"context_lines":[{"line_number":377,"context_line":"                 the agent."},{"line_number":378,"context_line":"        :raises: AgentAPIError when agent failed to execute specified command."},{"line_number":379,"context_line":"        :raises: InstanceRescueFailure when the agent ramdisk is too old"},{"line_number":380,"context_line":"                 to support transmission of the rescue password."},{"line_number":381,"context_line":"        :returns: A dict containing command response from agent."},{"line_number":382,"context_line":"                  See :func:`get_commands_status` for a command result sample."},{"line_number":383,"context_line":"        
\"\"\""}],"source_content_type":"text/x-python","patch_set":16,"id":"1fa4df85_1cc2c5ea","line":380,"range":{"start_line":380,"start_character":47,"end_line":380,"end_character":48},"updated":"2020-03-13 01:48:53.000000000","message":"nit: s//hashed/","commit_id":"4c0a54b731335ddcb3849097c3292be2ad1f044b"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"275cf89b848fc2353ca7a1b6d3d60c4cb6f05714","unresolved":false,"context_lines":[{"line_number":385,"context_line":"                  See :func:`get_commands_status` for a command result sample."},{"line_number":386,"context_line":"        \"\"\""},{"line_number":387,"context_line":"        rescue_pass \u003d node.instance_info.get(\u0027hashed_rescue_password\u0027)"},{"line_number":388,"context_line":"        # TODO(TheJulia): Remove fallback to use the fallback_rescue_password"},{"line_number":389,"context_line":"        # in the Victoria cycle."},{"line_number":390,"context_line":"        fallback_rescue_pass \u003d node.instance_info.get("},{"line_number":391,"context_line":"            \u0027rescue_password\u0027)"},{"line_number":392,"context_line":"        if not rescue_pass:"},{"line_number":393,"context_line":"            raise exception.IronicException(_(\u0027Agent rescue requires \u0027"},{"line_number":394,"context_line":"                                              \u0027rescue_password in \u0027"}],"source_content_type":"text/x-python","patch_set":20,"id":"df33271e_cdf803c6","line":391,"range":{"start_line":388,"start_character":8,"end_line":391,"end_character":30},"updated":"2020-03-26 07:03:59.000000000","message":"nit: moving this down with L410 seems... 
hmm, less confusing.","commit_id":"fcaefdbe74c63d6ad42fd23cdb5cb98373d83443"}],"releasenotes/notes/support_to_hash_rescue_password-0915927e41e6d845.yaml":[{"author":{"_account_id":11292,"name":"Arne Wiebalck","email":"Arne.Wiebalck@cern.ch","username":"wiebalck"},"change_message_id":"8014a5e59d12a40c6467342f37127ce395a5e7b8","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    This setting, ``[api]password_hash_strength``, may be set to"},{"line_number":7,"context_line":"    ``md5``, ``bcrypt``, ``sha256``, ``sha512``, or left blank"},{"line_number":8,"context_line":"    which indicates to use the prior behavior. This feature requires"},{"line_number":9,"context_line":"    an ``ironic-python-agent`` version greater than 5.0.0."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_531bf51b","line":9,"range":{"start_line":9,"start_character":31,"end_line":9,"end_character":57},"updated":"2020-02-07 11:43:01.000000000","message":"Nit: maybe better to say equal or greater than 6.0.0? At least I wouldn\u0027t know if the feature would be in 5.1.0, for instance.\n\nAlso: I understand this will be backported?","commit_id":"49527b988e2a0f3306ca9fc40c1fd8cc7407b769"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"b039a69474910daaa647db3cc78aeebe7a0283f5","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    This setting, ``[api]password_hash_strength``, may be set to"},{"line_number":7,"context_line":"    ``md5``, ``bcrypt``, ``sha256``, ``sha512``, or left blank"},{"line_number":8,"context_line":"    which indicates to use the prior behavior. 
This feature requires"},{"line_number":9,"context_line":"    an ``ironic-python-agent`` version greater than 5.0.0."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_bb4d5871","line":9,"range":{"start_line":9,"start_character":31,"end_line":9,"end_character":57},"in_reply_to":"3fa7e38b_531bf51b","updated":"2020-02-18 21:00:46.000000000","message":"The feature can\u0027t really be backported, at least i don\u0027t think. Also, I was thinking changing that in the release note revision time because currently 5.0.1devsomething is the version that is needed since we\u0027ve not cut IPA. we should cut an ipa release soon. :(","commit_id":"49527b988e2a0f3306ca9fc40c1fd8cc7407b769"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"a59e17e42905ba0b0f25e77aff6870a3f6e957b1","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    This setting, ``[api]password_hash_strength``, may be set to"},{"line_number":7,"context_line":"    ``md5``, ``bcrypt``, ``sha256``, ``sha512``, or left blank"},{"line_number":8,"context_line":"    which indicates to use the prior behavior. 
This feature requires"},{"line_number":9,"context_line":"    an ``ironic-python-agent`` version 6.0.0 or greater"}],"source_content_type":"text/x-yaml","patch_set":11,"id":"3fa7e38b_a087aa0a","line":9,"updated":"2020-02-20 13:50:51.000000000","message":"I think we now enforce it to be uncrypted, so we should probably add an upgrade note to upgrade IPA before trying rescue.","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5b3f1dacf06334dfc8c9392213339a6986aab011","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    This setting, ``[api]password_hash_strength``, may be set to"},{"line_number":7,"context_line":"    ``md5``, ``bcrypt``, ``sha256``, ``sha512``, or left blank"},{"line_number":8,"context_line":"    which indicates to use the prior behavior. This feature requires"},{"line_number":9,"context_line":"    an ``ironic-python-agent`` version 6.0.0 or greater"}],"source_content_type":"text/x-yaml","patch_set":11,"id":"3fa7e38b_c2cae3a1","line":9,"in_reply_to":"3fa7e38b_a087aa0a","updated":"2020-02-20 21:25:05.000000000","message":"++ needed to see ci slightly happy before i finished updating the patch","commit_id":"090479095c58118ea23712298ff8633924a05f48"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"9264ac476b5e995a97405aaf3ab5b274cb8054a9","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds support for the ``rescue`` operation password to be hashed"},{"line_number":5,"context_line":"    for storage and transmission to the ``ironic-python-agent``."},{"line_number":6,"context_line":"    This setting, ``[api]password_hash_algorithm`` now defaults to"},{"line_number":7,"context_line":"    may be set to ``sha256``, 
and may be set to"},{"line_number":8,"context_line":"    ``sha256``, or ``sha512``. This requires version ``6.0.0`` to be"},{"line_number":9,"context_line":"    present to utilize ``rescue``."}],"source_content_type":"text/x-yaml","patch_set":16,"id":"1fa4df85_7c0c1942","line":6,"range":{"start_line":6,"start_character":25,"end_line":6,"end_character":48},"updated":"2020-03-13 01:48:53.000000000","message":"Need to change to rescue_password_hash_algorithm accordingly","commit_id":"4c0a54b731335ddcb3849097c3292be2ad1f044b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"8fb60b38529e2f83ea63a2e909d0727a87e267da","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds support for the ``rescue`` operation password to be hashed"},{"line_number":5,"context_line":"    for storage and transmission to the ``ironic-python-agent``."},{"line_number":6,"context_line":"    This setting, ``[api]password_hash_algorithm`` now defaults to"},{"line_number":7,"context_line":"    may be set to ``sha256``, and may be set to"},{"line_number":8,"context_line":"    ``sha256``, or ``sha512``. 
This requires version ``6.0.0`` to be"},{"line_number":9,"context_line":"    present to utilize ``rescue``."}],"source_content_type":"text/x-yaml","patch_set":16,"id":"1fa4df85_23dc1845","line":6,"range":{"start_line":6,"start_character":25,"end_line":6,"end_character":48},"in_reply_to":"1fa4df85_7c0c1942","updated":"2020-03-16 23:35:47.000000000","message":"Done","commit_id":"4c0a54b731335ddcb3849097c3292be2ad1f044b"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"47be6479e97987a88e7161180b662b6cef2c9eb5","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds support for the ``rescue`` operation password to be hashed"},{"line_number":5,"context_line":"    for storage and transmission to the ``ironic-python-agent``."},{"line_number":6,"context_line":"    This setting, ``[api]rescue_password_hash_algorithm`` now defaults to"},{"line_number":7,"context_line":"    may be set to ``sha256``, and may be set to"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"1fa4df85_97d98223","line":4,"range":{"start_line":4,"start_character":4,"end_line":4,"end_character":16},"updated":"2020-03-17 09:09:11.000000000","message":"It\u0027s not \"support\", it\u0027s unconditionally hashed.","commit_id":"b2eb61c63d83d041dd77fa771d3b73e90787c28f"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"6c4ffae470514b5209283f40565462ec7bd77a08","unresolved":false,"context_lines":[{"line_number":4,"context_line":"    Adds support for the ``rescue`` operation password to be hashed"},{"line_number":5,"context_line":"    for storage and transmission to the ``ironic-python-agent``."},{"line_number":6,"context_line":"    This setting, ``[api]rescue_password_hash_algorithm`` now defaults 
to"},{"line_number":7,"context_line":"    may be set to ``sha256``, and may be set to"},{"line_number":8,"context_line":"    ``sha256``, or ``sha512``. This requires version ``6.0.0`` to be"},{"line_number":9,"context_line":"    present to utilize ``rescue``."},{"line_number":10,"context_line":"upgrades:"}],"source_content_type":"text/x-yaml","patch_set":17,"id":"1fa4df85_11a4c207","line":7,"range":{"start_line":7,"start_character":4,"end_line":7,"end_character":17},"updated":"2020-03-17 02:45:31.000000000","message":"nit: redundant\nsorry for not spotted earlier :( but we could do it in the reno cleanup :)","commit_id":"b2eb61c63d83d041dd77fa771d3b73e90787c28f"}],"zuul.d/ironic-jobs.yaml":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"1b8ab6821eb9a91ed67cce2a43a0cdb3548507a3","unresolved":false,"context_lines":[{"line_number":121,"context_line":"        IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD: True"},{"line_number":122,"context_line":"        # Remove the line below if you see it, it is only to test the"},{"line_number":123,"context_line":"        # above setting."},{"line_number":124,"context_line":"        IRONIC_BUILD_DEPLOY_RAMDISK: True"},{"line_number":125,"context_line":"      devstack_services:"},{"line_number":126,"context_line":"        n-api: False"},{"line_number":127,"context_line":"        n-api-meta: False"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa7e38b_605f8474","line":124,"updated":"2020-02-19 15:37:56.000000000","message":"Can be removed, the patch is in the builds.","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"6bd596fe7e4aba1c8c776d48e71f82700e696345","unresolved":false,"context_lines":[{"line_number":121,"context_line":"        
IRONIC_REQUIRE_HASHED_RESCUE_PASSWORD: True"},{"line_number":122,"context_line":"        # Remove the line below if you see it, it is only to test the"},{"line_number":123,"context_line":"        # above setting."},{"line_number":124,"context_line":"        IRONIC_BUILD_DEPLOY_RAMDISK: True"},{"line_number":125,"context_line":"      devstack_services:"},{"line_number":126,"context_line":"        n-api: False"},{"line_number":127,"context_line":"        n-api-meta: False"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa7e38b_a464a94f","line":124,"in_reply_to":"3fa7e38b_605f8474","updated":"2020-02-19 22:05:38.000000000","message":"Done","commit_id":"f21b735945c0a050b54395fd323ff9a21e603e7f"}]}
