Bug 1655742

Summary: [OSP10] fixed_key value is logged in the cinder logs
Product: Red Hat OpenStack
Reporter: David Hill <dhill>
Component: openstack-cinder
Assignee: Sofia Enriquez <senrique>
Status: CLOSED ERRATA
QA Contact: Tzach Shefi <tshefi>
Severity: high
Docs Contact: Kim Nylander <knylande>
Priority: medium
Version: 10.0 (Newton)
CC: abishop, eharney, mgeary
Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: All
Fixed In Version: openstack-cinder-9.1.4-45.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the cinder logs contained fixed_key value. With this update, the fixed_key value is not logged.
Last Closed: 2019-04-30 16:58:37 UTC
Type: Bug
Bug Depends On: 1665452, 1665456

Description David Hill 2018-12-03 19:50:45 UTC
Description of problem:
fixed_key value is logged in the cinder logs

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set fixed_key value
2.
3.

Actual results:
It's logged in the logs

Expected results:
It shouldn't be logged

Additional info:

Comment 1 Eric Harney 2018-12-04 17:29:11 UTC
This appears to be an OSP10 z8 regression introduced by bug 1547600.

The code in OSP10 used to detect which values to mask by looking for "_key" in the config option name, but this was changed to fix another similar issue.

We will need a fix like https://review.openstack.org/#/c/621686/ for this to be backported to OSP10.

Comment 2 Alan Bishop 2018-12-04 18:20:40 UTC
@Sofia, there's some background on this issue, so poke Eric or me if you have questions.

Comment 3 Sofia Enriquez 2018-12-19 20:05:41 UTC
@Alan, I'm waiting for https://review.openstack.org/#/c/625140/1 to be merged, so I can do the upstream backport to Newton and then the downstream backport to OSP10.

Comment 13 Tzach Shefi 2019-03-31 15:16:46 UTC
Verified on:
openstack-cinder-9.1.4-49.el7ost.noarch


Installed OSP10

Configured fixed_key on cinder.conf

[root@controller-0 ~]# grep fixed_key /etc/cinder/cinder.conf 
# Deprecated group/name - [keymgr]/fixed_key
#fixed_key = <None>
fixed_key=04d6b077d60e323711b37813b3a68a71

restart cinder

[root@controller-0 ~]# systemctl restart openstack-cinder-api.service
[root@controller-0 ~]# systemctl restart openstack-cinder-volume.service


grep fixed_key in cinder's log -> 

[root@controller-0 ~]# grep -irn fixed_key /var/log/cinder/
/var/log/cinder/api.log:1449:2019-03-31 14:46:01.610 61696 DEBUG oslo_service.service [req-2eaf0f8e-9daa-4936-94e2-152ae8af4d71 - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/api.log:2954:2019-03-31 14:50:12.670 90599 DEBUG oslo_service.service [req-81d0ac35-a3a5-44d8-a69d-069a430ecc6c - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/api.log:4459:2019-03-31 15:12:56.360 249523 DEBUG oslo_service.service [req-fcb2d120-9569-4d9b-a44b-e9381a05c736 - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/volume.log:402:2019-03-31 14:56:00.394 125458 DEBUG oslo_service.service [req-1ec85793-7155-4d50-9909-8ebb4ca58824 - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/volume.log:969:2019-03-31 15:13:35.613 252190 DEBUG oslo_service.service [req-99254f91-3c77-4a4b-89b6-33bf058b08df - - - - -] key_manager.fixed_key          = **** log_opt_v

As can be seen we only see ***** 

Let's be extra sure, look for part of the key in the logs:
[root@controller-0 ~]# grep -irn 04d6b077 /var/log/cinder/
[root@controller-0 ~]# 

Again nothing found, looks good to verify
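
The check performed in Comment 13, written as a repeatable script. This is an added example, not part of the original bug report or of cinder. It goes beyond the manual grep by searching for every 8-character slice of the key rather than only its first characters. The config text, the key value and the log lines are constructed samples, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample config; the key is a made-up value, not a real secret.
SAMPLE_CONF = """\
[key_manager]
# Deprecated group/name - [keymgr]/fixed_key
#fixed_key = <None>
fixed_key=00112233445566778899aabbccddeeff
"""

# Constructed log lines in the log_opt_values layout shown in Comment 13.
PREFIX = "2019-03-31 14:46:01.610 61696 DEBUG oslo_service.service [req-0 - - - - -] "
SAMPLE_LOG = [
    PREFIX + "key_manager.fixed_key          = **** log_opt_values cfg.py:2630",
    PREFIX + "key_manager.fixed_key          = 00112233445566778899aabbccddeeff log_opt_values cfg.py:2630",
    PREFIX + "using key 00112233 for volume encryption",
]

def load_secrets(conf_text, options=(("key_manager", "fixed_key"),)):
    """Read the listed (section, option) secrets from cinder.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return {f"{s}.{o}": parser.get(s, o)
            for s, o in options if parser.has_option(s, o)}

def find_leaks(log_lines, secrets, window=8):
    """Return (line_no, option, kind) for lines holding a secret or any
    `window`-character slice of it (case-insensitive, like grep -i)."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        low = line.lower()
        for name, value in secrets.items():
            value = value.lower()
            slices = {value[i:i + window]
                      for i in range(max(len(value) - window + 1, 0))}
            if value and value in low:
                findings.append((line_no, name, "full"))
            elif any(s in low for s in slices):
                findings.append((line_no, name, "fragment"))
    return findings

def dumped_values(log_lines, option):
    """Values printed for `option` in option-dump lines; all should be '****'."""
    pattern = re.compile(re.escape(option) + r"\s*=\s*(\S+)")
    return [m.group(1) for line in log_lines for m in pattern.finditer(line)]

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG, load_secrets(SAMPLE_CONF)))
```

On a fixed build, `find_leaks` returns an empty list and `dumped_values` returns only `****` entries for the option.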

Comment 15 errata-xmlrpc 2019-04-30 16:58:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0917