Bug 1391571

Summary: Debug and -vv outputs user password in plain text
Product: Red Hat OpenStack
Reporter: Derek Higgins <derekh>
Component: python-osc-lib
Assignee: Jon Schlueter <jschluet>
Status: CLOSED ERRATA
QA Contact: Julie Pichon <jpichon>
Severity: high
Docs Contact:
Priority: unspecified
Version: 10.0 (Newton)
CC: gmollett, jjoyce, jpichon, jschluet, lruzicka, slinaber, tvignaud
Target Milestone: z3
Keywords: OtherQA, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: python-osc-lib-1.1.0-3.el7ost python-openstackclient-3.2.1-1.el7ost
Doc Type: Bug Fix
Doc Text:
When the openstack client ran in debug or verbose mode, the user password was displayed as plain text in the output. The problem has been fixed using the oslo password masking utility. As a result, user passwords are not displayed in plain text any more.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-28 15:27:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Derek Higgins 2016-11-03 15:00:16 UTC
As per https://bugs.launchpad.net/ossa/+bug/1630822

user passwords are being output in plaintext if run with --debug

I've confirmed as needing to be fixed in OSP 10, e.g. running
$ openstack --debug baremetal import --json ~/instackenv.json 
displays the line
auth_config_hook(): ... 'password': '5fXXXXXXXXdb', 'app    X 3

All but one patch has been merged in master and newton branches upstream
https://review.openstack.org/#/q/topic:bug/1630822

We need to patch the file client_config.py in both osc-lib and openstackclient

Comment 2 Jon Schlueter 2017-02-14 11:00:44 UTC
python-openstackclient-3.2.1-1.el7ost contains the fix

Comment 4 Julie Pichon 2017-05-23 15:08:10 UTC
Testing
=======

With the following RPMs installed, passwords are correctly shown as obfuscated ("***") when using --debug or -vv.

# rpm -qa python-openstackclient
python-openstackclient-3.2.1-1.el7ost.noarch
# rpm -qa python-osc-lib
python-osc-lib-1.1.0-3.el7ost.noarch


$ openstack --debug baremetal import --json ~/instackenv.json
[...]
auth_config_hook(): {'auth_type': 'password', [...], 'password': '***', 'app [...]
[...]
Using parameters {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'https://192.0.2.2:13000/v2.0'}


$ openstack -vv image list
[...]
auth_config_hook(): {'auth_type': 'password', [...], 'password': '***', [...]
[...]
Using parameters {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'https://192.0.2.2:13000/v2.0'}
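The masking behaviour verified above, reproduced as an added Python example that is not part of this bug report, of osc-lib, or of oslo.utils. The real fix calls oslo.utils' password masking helpers; this stand-alone version mirrors the idea (replace the value of any password-like key with `***` before the dict reaches a debug log line, and scrub password values out of text that has already been serialised) so it can be run without OpenStack installed. The key list, the function names and the sample auth config (including the placeholder password and the 192.0.2.2 URL) are assumptions made for the example.

```python
import logging
import re
from typing import Any

# Keys whose values must never reach a log line. oslo.utils keeps a similar
# list; this particular set is an assumption for the example.
SENSITIVE_KEYS = {"password", "auth_password", "admin_password", "new_pass", "token", "secret"}

# Password-like values embedded in text that is already serialised, e.g.
# "'password': 'hunter2'", '"token": "abc"' or "secret=abc". The optional
# quote is captured so the replacement keeps the original quoting style.
_EMBEDDED = re.compile(
    r"""(?P<key>['"]?(?:password|token|secret)['"]?\s*[:=]\s*)(?P<q>['"]?)(?P<val>[^'",\s}]+)(?P=q)""",
    re.IGNORECASE,
)


def mask_dict_password(data: Any, secret: str = "***") -> Any:
    """Return a masked deep copy of `data`; the input is left untouched.

    Nested dicts and lists are walked, so {'auth': {'password': ...}} is
    covered as well as a top-level 'password' key.
    """
    if isinstance(data, dict):
        masked = {}
        for key, value in data.items():
            if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
                masked[key] = secret
            else:
                masked[key] = mask_dict_password(value, secret)
        return masked
    if isinstance(data, list):
        return [mask_dict_password(item, secret) for item in data]
    return data


def mask_password(message: str, secret: str = "***") -> str:
    """Mask password-like values inside free text (a repr() or URL query that
    was built before anyone thought about masking)."""
    return _EMBEDDED.sub(
        lambda m: f"{m.group('key')}{m.group('q')}{secret}{m.group('q')}", message
    )


def debug_auth_config(config: dict, logger: logging.Logger) -> str:
    """Emit the kind of line a config hook writes under --debug, but masked.

    The masked dict is built first and only that copy is formatted, which is
    the ordering that matters: masking after formatting is what mask_password
    is for, and it is the weaker of the two options.
    """
    line = "auth_config_hook(): %r" % (mask_dict_password(config),)
    logger.debug(line)
    return line


# Constructed sample input; the password value is a placeholder, not a real credential.
SAMPLE_CONFIG = {
    "auth_type": "password",
    "auth": {
        "username": "admin",
        "project_name": "admin",
        "password": "5fexampledb",
        "auth_url": "https://192.0.2.2:13000/v2.0",
    },
    "password": "5fexampledb",
    "app_name": "openstack",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(debug_auth_config(SAMPLE_CONFIG, logging.getLogger("osc_example")))
    print(mask_password("Using parameters {'username': 'admin', 'password': '5fexampledb'}"))
```

Note that `mask_dict_password` returns a new structure rather than mutating the config in place, so the client still has the real password to authenticate with; only the copy that is formatted for the log is scrubbed. The text-based `mask_password` is a backstop for messages assembled elsewhere, which is why the regex is deliberately conservative: it only fires on a key followed by `:` or `=`, so a value that happens to be the word `password` (as in `'auth_type': 'password'`) is left alone.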

Comment 7 errata-xmlrpc 2017-06-28 15:27:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1587