Set PASSWORD_AUTOCOMPLETE to False in OpenStack Horizon Dashboard
search cancel

Set PASSWORD_AUTOCOMPLETE to False in OpenStack Horizon Dashboard

book

Article ID: 370180

calendar_today

Updated On:

Products

VMware Integrated OpenStack

Issue/Introduction

Security checklist fails on the password autocomplete feature of the Horizon dashboard. 

 

 

Environment

7.3

Cause

Below is the Openstack Security Guide checklist description of this feature.

PASSWORD_AUTOCOMPLETE is not set to False.

A common feature that applications use to provide users with convenience is to cache the password locally in the browser (on the client machine) and have it pre-typed in all subsequent requests. While this feature can be perceived as extremely user-friendly, it introduces a security flaw. The user account becomes easily accessible to anyone who uses the same account on the client machine, potentially leading to a compromise of the user account.

Resolution

Please use the attached patched values.yaml file to replace the original one in the /opt/vmware/data/helm/0/horizon-<build number>.tgz archive.

  • SSH into the VIO Manager and identify the Horizon archive and take backup of it:
ls /opt/vmware/data/helm/0/ | grep horizon
horizon-7.3.0+21849206.tgz

cp  /opt/vmware/data/helm/0/horizon-7.3.0+21849206.tgz  /root/horizon-7.3.0+21849206.tgz.orig
  • Extract the archive into the /tmp directory:
tar -xzvf /opt/vmware/data/helm/0/horizon-7.3.0+21849206.tgz -C /tmp/
  • Copy the values.yaml file to the Horizon directory:
cp /root/values.yaml /tmp/horizon/values.yaml
  • Compress and copy the horizon-7.3.0+21849206.tgz back to the /opt/vmware/data/helm/0/ directory:
cd /tmp
tar -zcvf horizon-7.3.0+21849206.tgz horizon
cp /tmp/horizon-7.3.0+21849206.tgz /opt/vmware/data/helm/0/
  • Run the Helm upgrade command:
helm upgrade horizon1 horizon
Wait for a while until the Horizon pod restarts.
  • After applying this patch, update the Horizon configuration with password_autocomplete set to false:
viocli update horizon
conf:
  horizon:
    local_settings:
      config:
        openstack_neutron_network:
          neutron_backend: dvs
        password_autocomplete: false
  • Verify the configuration after the horizon-server pod restarts again:
osget pods | grep horizon-server
horizon-server-bf4586566-jjbmz     1/1     Running     0          2m27s

osctl exec -it horizon-server-bf4586566-jjbmz grep password_autocomplete /etc/openstack-dashboard/local_settings
#HORIZON_CONFIG["password_autocomplete"] = "off"
HORIZON_CONFIG["password_autocomplete"] = "off"

Attachments

values.yaml get_app
Powered by Wolken Software