Bug 2277186
| Summary: | [GSS] noobaa-operator logs expose aws secret | |||
|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | Sonal <sarora> | |
| Component: | Multi-Cloud Object Gateway | Assignee: | Liran Mauda <lmauda> | |
| Status: | CLOSED ERRATA | QA Contact: | Mahesh Shetty <mashetty> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 4.12 | CC: | asriram, kbg, lmauda, nbecker, odf-bz-bot, tdesala | |
| Target Milestone: | --- | |||
| Target Release: | ODF 4.16.0 | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | 4.16.0-94 | Doc Type: | Bug Fix | |
| Doc Text: |
.Logs of noobaa-operator expose aws secret
Previously, the noobaa-operator logs exposed the AWS secret as plain text, which caused potential risk that anyone with logs could access the buckets.
With this fix, noobaa-operator logs no longer expose AWS secret.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 2302697 (view as bug list) | Environment: | ||
| Last Closed: | 2024-07-17 13:20:59 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2260844, 2302697 | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:4591 Hi Liran, Can this fix be backported to 4.15? Regards, Sonal Arora The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem (please be detailed as possible and provide log snippets): noobaa-operator logs exposes aws secret: ~~~ time="2024-04-24T15:35:24Z" level=info msg="✈️ RPC: account.check_external_connection() Request: {Name:aws-namespacestore EndpointType:AWS Endpoint:https://<ENDPOINT> Identity:<XXX> Secret:<YYY> AuthMethod: AWSSTSARN: IgnoreNameAlreadyExist:false}" ~~~ Version of all relevant components (if applicable): ODF 4.12 Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? No, however sensitive data is exposed in plain text in the logs. This poses a potential risk. Any user with logs can access bucket. Is there any workaround available to the best of your knowledge? No Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 2 Can this issue reproducible? Yes Can this issue reproduce from the UI? Yes If this is a regression, please provide more details to justify this: No I see a similar issue discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1846759. The bug talk about noobaa-core logs contain aws secret and access key. It was fixed in 4.5. Steps to Reproduce: 1. Deploy ODF 2. Check noobaa-operator logs