)]}'
{"ironic/conf/conductor.py":[{"author":{"_account_id":11076,"name":"Shivanand Tendulker","email":"stendulker@gmail.com","username":"stendulker"},"change_message_id":"e6269f830532aa494d111af5810ee030dd88e45e","unresolved":false,"context_lines":[{"line_number":259,"context_line":"                      \u0027will be used by ironic when building UEFI-bootable ISO \u0027"},{"line_number":260,"context_line":"                      \u0027out of kernel and ramdisk. Required for UEFI boot from \u0027"},{"line_number":261,"context_line":"                      \u0027partition images.\u0027)),"},{"line_number":262,"context_line":"    cfg.BoolOpt(\u0027clear_rescue_password_enabled\u0027, default\u003dTrue,"},{"line_number":263,"context_line":"                help\u003d_(\"Whether conductors should provide clear text password \""},{"line_number":264,"context_line":"                       \"to ironic python agent rescue extension or not. \""},{"line_number":265,"context_line":"                       \"Default is True for backward compatibility but False \""}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_fe9a615e","line":262,"range":{"start_line":262,"start_character":17,"end_line":262,"end_character":46},"updated":"2019-11-26 15:14:27.000000000","message":"\u0027clear_rescue_password_enabled\u0027 gives impression of some kind of clearing of rescue password. Will it be better to have config as \u0027enable_encrypted_rescue_password\u0027 ?","commit_id":"6d11d05becd84dc828b8083160b37653bee773c9"}],"ironic/drivers/modules/agent_client.py":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"c871b6d90f0f241dea838a9c3d95fe7379dacfdc","unresolved":false,"context_lines":[{"line_number":388,"context_line":"                                              \u0027rescue_password in \u0027"},{"line_number":389,"context_line":"                                              \u0027instance_info\u0027))"},{"line_number":390,"context_line":"        hashed \u003d self._hash_pass_sha512(rescue_pass)"},{"line_number":391,"context_line":"        params \u003d {\u0027rescue_password\u0027: hashed}"},{"line_number":392,"context_line":"        return self._command(node\u003dnode,"},{"line_number":393,"context_line":"                             method\u003d\u0027rescue.finalize_rescue\u0027,"},{"line_number":394,"context_line":"                             params\u003dparams)"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_1aa8c975","line":391,"updated":"2019-11-22 23:08:33.000000000","message":"This breaks backward compability, making the change strictly not backportable.. I wonder if we could use a new field and implement fallback to clear-text password. Then add a configuration option to disable the fallback. WDYT?","commit_id":"18d7b9398b151094e96e0bb34c4a607520f69fb4"},{"author":{"_account_id":15064,"name":"raphael.glon","email":"raphael.glon@corp.ovh.com","username":"raphael"},"change_message_id":"983e12ee2edde673109c636b7f10c80a0bb571ed","unresolved":false,"context_lines":[{"line_number":388,"context_line":"                                              \u0027rescue_password in \u0027"},{"line_number":389,"context_line":"                                              \u0027instance_info\u0027))"},{"line_number":390,"context_line":"        hashed \u003d self._hash_pass_sha512(rescue_pass)"},{"line_number":391,"context_line":"        params \u003d {\u0027rescue_password\u0027: hashed}"},{"line_number":392,"context_line":"        return self._command(node\u003dnode,"},{"line_number":393,"context_line":"                             method\u003d\u0027rescue.finalize_rescue\u0027,"},{"line_number":394,"context_line":"                             params\u003dparams)"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_56229502","line":391,"in_reply_to":"3fa7e38b_1aa8c975","updated":"2019-11-25 09:08:59.000000000","message":"Done. Good idea. This could make the ironic-python-agent related review easier: no pattern needed to decide whether the pass is hashed or not","commit_id":"18d7b9398b151094e96e0bb34c4a607520f69fb4"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"c871b6d90f0f241dea838a9c3d95fe7379dacfdc","unresolved":false,"context_lines":[{"line_number":395,"context_line":""},{"line_number":396,"context_line":"    @staticmethod"},{"line_number":397,"context_line":"    def _hash_pass_sha512(rescue_pass):"},{"line_number":398,"context_line":"        # Salt is useless as long as it goes in clear over network. Never mind,"},{"line_number":399,"context_line":"        # if there is some trusted tls on agent it won\u0027t be useless"},{"line_number":400,"context_line":"        saltchars \u003d string.ascii_letters + string.digits + \u0027./\u0027"},{"line_number":401,"context_line":"        r \u003d random.SystemRandom()"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_3aa3459d","line":398,"updated":"2019-11-22 23:08:33.000000000","message":"Salt is supposed to be in clear text, no? Its role is to complicate building rainbow tables, not to be secret.","commit_id":"18d7b9398b151094e96e0bb34c4a607520f69fb4"},{"author":{"_account_id":15064,"name":"raphael.glon","email":"raphael.glon@corp.ovh.com","username":"raphael"},"change_message_id":"983e12ee2edde673109c636b7f10c80a0bb571ed","unresolved":false,"context_lines":[{"line_number":395,"context_line":""},{"line_number":396,"context_line":"    @staticmethod"},{"line_number":397,"context_line":"    def _hash_pass_sha512(rescue_pass):"},{"line_number":398,"context_line":"        # Salt is useless as long as it goes in clear over network. Never mind,"},{"line_number":399,"context_line":"        # if there is some trusted tls on agent it won\u0027t be useless"},{"line_number":400,"context_line":"        saltchars \u003d string.ascii_letters + string.digits + \u0027./\u0027"},{"line_number":401,"context_line":"        r \u003d random.SystemRandom()"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_f61ce1c2","line":398,"in_reply_to":"3fa7e38b_3aa3459d","updated":"2019-11-25 09:08:59.000000000","message":"Right. Done","commit_id":"18d7b9398b151094e96e0bb34c4a607520f69fb4"}],"releasenotes/notes/feature-hash-password-before-sending-to-agent-126f093ac338e65e.yaml":[{"author":{"_account_id":11076,"name":"Shivanand Tendulker","email":"stendulker@gmail.com","username":"stendulker"},"change_message_id":"e6269f830532aa494d111af5810ee030dd88e45e","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"feature:"},{"line_number":3,"context_line":"  - Possibility to hash password before sending it to rescue as it should not"},{"line_number":4,"context_line":"    transit in clear over network. By default, still sends password in clear"},{"line_number":5,"context_line":"    for backward compatibility."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"3fa7e38b_5e0ff58a","line":5,"range":{"start_line":4,"start_character":35,"end_line":5,"end_character":31},"updated":"2019-11-26 15:14:27.000000000","message":"May be we can deprecate the behavior of sending clear text rescue password as well..","commit_id":"6d11d05becd84dc828b8083160b37653bee773c9"},{"author":{"_account_id":10206,"name":"Madhuri Kumari","email":"madhuri.kumari@intel.com","username":"Madhuri"},"change_message_id":"af3f4d40422392ae815623aec0bbf28518fcc289","unresolved":false,"context_lines":[{"line_number":2,"context_line":"feature:"},{"line_number":3,"context_line":"  - Possibility to hash password before sending it to rescue as it should not"},{"line_number":4,"context_line":"    transit in clear over network. By default, still sends password in clear"},{"line_number":5,"context_line":"    for backward compatibility."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_29827b53","line":5,"updated":"2019-12-06 05:59:44.000000000","message":"Good to mention the new config option here [conductor]/encrypted_rescue_password_enabled.","commit_id":"25d396ceb892e2ecfcf594dadf7744b81e2d5481"}]}