Bug 1578346
| Summary: | [OSP10] Heat in DEBUG logs private keys when a template creates a keypair | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Matthew Booth <mbooth> | |
| Component: | openstack-keystone | Assignee: | Nathan Kinder <nkinder> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | nlevinki <nlevinki> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 10.0 (Newton) | CC: | apevec, dasmith, dciabrin, eglynn, jhakimra, kchamart, lhh, lyarwood, mbooth, mburns, nkinder, nova-maint, pablo.iranzo, sbaker, sbauza, sgordon, shardy, srevivo, vromanso | |
| Target Milestone: | async | Keywords: | Triaged, ZStream | |
| Target Release: | 10.0 (Newton) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
If Nova or Heat is configured to log at the DEBUG log level, private keys were logged as clear text when a keypair was created. oslo.utils now hides private keys in logs.
|
Story Points: | --- | |
| Clone Of: | 1575945 | |||
| : | 1612881 (view as bug list) | Environment: | ||
| Last Closed: | 2019-10-15 09:44:58 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1575945, 1578347, 1612881 | |||
| Bug Blocks: | 1578343 | |||
|
Comment 1
Victor Stinner
2018-06-05 13:11:07 UTC
> I requested Release oslo.utils 3.28.3 for Pike: > https://review.openstack.org/#/c/572383/ Sorry, this message was for bz#1578347 which targets OSP 12 (Pike). For this ticket, I backported manually the fix since OSP 10 (Newton) reached end of life: python-oslo-utils-3.16.0-2.el7ost includes the fix and is now ready for tests. While the issue has been fixed in oslo.utils, keystone stil needs to be modified to use mask_password() to mask passwords in logs: https://bugzilla.redhat.com/show_bug.cgi?id=1578347#c12 I changed the component to Keystone and reset the issue status to NEW. Since that bug requires a fix in both python-oslo-utils and openstack-keystone, I have just clone it [1] to track the python-oslo-utils fix in a dedicated bz. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1612881 |