Bug 1391571 - Debug and -vv outputs user password in plain text
Summary: Debug and -vv outputs user password in plain text
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-osc-lib
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: z3
Target Release: 10.0 (Newton)
Assignee: Jon Schlueter
QA Contact: Julie Pichon
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-03 15:00 UTC by Derek Higgins
Modified: 2017-07-31 12:11 UTC (History)

Fixed In Version: python-osc-lib-1.1.0-3.el7ost python-openstackclient-3.2.1-1.el7ost
Doc Type: Bug Fix
Doc Text:
When the openstack client ran in debug or verbose mode, the user password was displayed as plain text in the output. The problem has been fixed using the oslo password masking utility. As a result, user passwords are not displayed in plain text any more.
Clone Of:
Environment:
Last Closed: 2017-06-28 15:27:21 UTC
Target Upstream Version:
Embargoed:


Links
System                   ID             Private  Priority  Status        Summary                                                                   Last Updated
OpenStack gerrit         383432         0        None      None          None                                                                      2017-02-14 10:55:08 UTC
OpenStack gerrit         383434         0        None      None          None                                                                      2017-02-14 11:03:11 UTC
Red Hat Product Errata   RHBA-2017:1587 0        normal    SHIPPED_LIVE  Red Hat OpenStack Platform 10 Bug Fix and Enhancement Advisory            2017-06-28 19:11:42 UTC

Description Derek Higgins 2016-11-03 15:00:16 UTC
As per https://bugs.launchpad.net/ossa/+bug/1630822

User passwords are being output in plaintext if run with --debug.

I've confirmed as needing to be fixed in OSP 10, e.g. running
$ openstack --debug baremetal import --json ~/instackenv.json 
displays the line
auth_config_hook(): ... 'password': '5fXXXXXXXXdb', 'app    X 3

All but one patch have been merged in master and newton branches upstream:
https://review.openstack.org/#/q/topic:bug/1630822

We need to patch the file client_config.py in both osc-lib and openstackclient

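The masking the Doc Text describes, as an added example that is not the project's or oslo's own code: a simplified stand-in for oslo.utils' mask_dict_password (the SENSITIVE_KEYS list, the two hook functions and the sample config are assumptions), applied to a constructed auth config before it reaches the debug log.

```python
import logging

# Keys whose values must never appear in log output. Assumed list for this
# example; oslo.utils' strutils keeps its own, longer pattern list.
SENSITIVE_KEYS = ("password", "secret", "token")

def mask_dict_password(data, secret="***"):
    """Return a copy of `data` with sensitive values replaced by `secret`.

    Nested dicts are masked recursively; other values pass through unchanged.
    Stand-in for oslo_utils.strutils.mask_dict_password, not the real thing.
    """
    masked = {}
    for key, value in data.items():
        if isinstance(value, dict):
            masked[key] = mask_dict_password(value, secret)
        elif any(marker in key.lower() for marker in SENSITIVE_KEYS):
            masked[key] = secret
        else:
            masked[key] = value
    return masked

def auth_config_hook_before(config):
    """Pre-fix behaviour: the whole auth config, password included, is logged."""
    return "auth_config_hook(): %s" % config

def auth_config_hook_after(config):
    """Fixed behaviour: the dict is masked before it is formatted into the log line."""
    return "auth_config_hook(): %s" % mask_dict_password(config)

def leaks(line, secret_value):
    """True if the clear-text secret survives into the log line."""
    return secret_value in line

# Constructed sample mirroring the fields in this bug's --debug output;
# the password value is made up. Note 'auth_type': 'password' is a value,
# not a sensitive key, so it stays readable just as in the fixed output above.
SAMPLE_CONFIG = {
    "auth_type": "password",
    "auth": {
        "username": "admin",
        "project_name": "admin",
        "password": "5fmadeupdb",
        "auth_url": "https://192.0.2.2:13000/v2.0",
    },
    "app_name": "openstack",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    logging.debug(auth_config_hook_before(SAMPLE_CONFIG))  # leaks 5fmadeupdb
    logging.debug(auth_config_hook_after(SAMPLE_CONFIG))   # shows 'password': '***'
```
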
Comment 2 Jon Schlueter 2017-02-14 11:00:44 UTC
python-openstackclient-3.2.1-1.el7ost contains the fix

Comment 4 Julie Pichon 2017-05-23 15:08:10 UTC
Testing
=======

With the following RPMs installed, passwords are correctly shown as obfuscated ("***") when using --debug or -vv.

# rpm -qa python-openstackclient
python-openstackclient-3.2.1-1.el7ost.noarch
# rpm -qa python-osc-lib
python-osc-lib-1.1.0-3.el7ost.noarch


$ openstack --debug baremetal import --json ~/instackenv.json
[...]
auth_config_hook(): {'auth_type': 'password', [...], 'password': '***', 'app [...]
[...]
Using parameters {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'https://192.0.2.2:13000/v2.0'}


$ openstack -vv image list
[...]
auth_config_hook(): {'auth_type': 'password', [...], 'password': '***', [...]
[...]
Using parameters {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'https://192.0.2.2:13000/v2.0'}

Comment 7 errata-xmlrpc 2017-06-28 15:27:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1587