Bug 1772898

Summary: Make mask_password case insensitive, and add new patterns
Product: Red Hat OpenStack
Reporter: Hervé Beraud <hberaud>
Component: python-oslo-utils
Assignee: Hervé Beraud <hberaud>
Status: CLOSED ERRATA
QA Contact: pkomarov
Severity: high
Priority: high
Version: 16.0 (Train)
CC: amcleod, apevec, lhh, pkomarov
Target Milestone: z1
Keywords: Rebase, RevisionTracker, Triaged, ZStream
Target Release: 16.0 (Train on RHEL 8.1)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-oslo-utils-3.41.3-1.el8ost
Doc Type: Bug Fix
Doc Text:
Previously, password-masking patterns were not functioning correctly in oslo.utils. As a result, service logs sometimes contained plain text passwords. With this update, the password-masking patterns function correctly and password leaks in log files do not occur.
Clone Of:
: 1826667
Last Closed: 2020-03-03 09:50:03 UTC
Type: Bug
Bug Blocks: 1826667

Description Hervé Beraud 2019-11-15 14:04:15 UTC
It appears that the Mistral service logs everything, and doesn't yet use the mask_password (nor mask_dict_password) method. In order to ensure all is properly masked, we have to add some new patterns, and make it case insensitive in order to simplify and avoid duplicated entries.

Rebase python-oslo-utils to 3.41.4 to pull the fix in current version

The version 3.41.4 will fix a CVE where passwords leak in logs.

This CVE is fixed by cae9aa72377713c2fc93b5cf3fad05b873a55d6d
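
Added example, not part of the original report and not the oslo.utils implementation: a simplified masker showing why case-sensitive key patterns let secrets through, plus an audit helper that flags log lines where a sensitive key is still followed by a value other than the mask. The key list, function names and log lines are assumptions constructed for illustration.

```python
import re

# Hypothetical key list for illustration; not the list oslo.utils ships.
SENSITIVE_KEYS = ("password", "passphrase")
SECRET = "***"


def compile_masker(ignore_case):
    """Build a pattern for key=value, key: value and "key": "value" forms."""
    keys = "|".join(re.escape(k) for k in SENSITIVE_KEYS)
    # Group 1: optional quote, optional prefix (os_, admin_), key, separator.
    # Group 2: the secret value, up to a quote, whitespace, comma or brace.
    src = r"""(["']?[\w-]*(?:%s)["']?\s*[:=]\s*["']?)([^"'\s,}]+)""" % keys
    return re.compile(src, re.IGNORECASE if ignore_case else 0)


STRICT = compile_masker(ignore_case=False)  # matches lower-case keys only
LOOSE = compile_masker(ignore_case=True)    # matches any casing of the key


def mask(message, pattern):
    """Replace every matched secret value with the mask string."""
    return pattern.sub(r"\g<1>" + SECRET, message)


def unmasked_lines(lines, pattern=LOOSE):
    """Return lines where a sensitive key still carries a non-masked value."""
    return [
        line for line in lines
        if any(m.group(2) != SECRET for m in pattern.finditer(line))
    ]


# Constructed sample log lines (not taken from a real Mistral log).
LOG = [
    'DEBUG mistral action input: {"OS_PASSWORD": "hunter2", "user": "admin"}',
    "INFO connecting with Password=S3cr3t timeout=30",
    "INFO key PassPhrase: correct-horse stored",
    "INFO password=lowercase-is-caught",
]

if __name__ == "__main__":
    for name, pattern in (("case-sensitive", STRICT), ("case-insensitive", LOOSE)):
        masked = [mask(line, pattern) for line in LOG]
        leaks = unmasked_lines(masked)
        print(f"{name}: {len(leaks)} line(s) still leak a secret")
        for line in leaks:
            print("   ", line)
```
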

Comment 4 Hervé Beraud 2019-11-15 14:39:08 UTC
Errata:

s/3.41.4/3.41.3/gi

Rebase python-oslo-utils to 3.41.3 to pull the fix in current version

The version 3.41.3 will fix a CVE where logs leak passwords.

Comment 7 Hervé Beraud 2019-11-15 15:27:04 UTC
Will be fixed in version python-oslo-utils-3.41.3-1.el8ost

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=24730585

Comment 13 pkomarov 2020-02-18 11:47:24 UTC
Verified,

[stack@undercloud-0 ~]$ rpm -qa|grep python3-oslo-utils
python3-oslo-utils-3.41.4-0.20200113095842.39870f6.el8ost.noarch

[root@undercloud-0 mistral]# pwd
/var/log/containers/mistral
[root@undercloud-0 mistral]# grep -q passphrase *
[root@undercloud-0 mistral]# echo $?
0

Comment 14 Alex McLeod 2020-02-19 12:39:28 UTC
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'.

Comment 16 errata-xmlrpc 2020-03-03 09:50:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0657