1394953 – cinderclient logs passwords in debug logs

Bug 1394953 - cinderclient logs passwords in debug logs

Summary: cinderclient logs passwords in debug logs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-cinderclient
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	ga
Target Release:	10.0 (Newton)
Assignee:	Eric Harney
QA Contact:	Tzach Shefi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-14 20:59 UTC by Eric Harney
Modified:	2016-12-14 16:32 UTC (History)
CC List:	5 users (show)
Fixed In Version:	python-cinderclient-1.9.0-2.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-12-14 16:32:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	1640269	0	None	None	None	2016-11-14 20:59:34 UTC
Red Hat Product Errata	RHEA-2016:2948	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 10 enhancement update	2016-12-14 19:55:27 UTC

Description Eric Harney 2016-11-14 20:59:34 UTC

Description of problem:
debug logs can contain passwords in plaintext

Version-Release number of selected component (if applicable):
Newton

Comment 2 Tzach Shefi 2016-11-29 10:09:46 UTC

Eric, I've looked at the LP link. 

#grep -ir auth_password /var/log/cinder/  returns nothing. 
The password should be masked from api.log or other log(s)?

What command was issued causing the password exposing http response to happen?  

Once I issue ^ command I should still see "auth_password" but this time followed by *** rather than the password correct?  

If not how else should I go about verifying this bz?

Comment 3 Eric Harney 2016-11-29 16:15:29 UTC

(In reply to Tzach Shefi from comment #2)

This is about the debug logs from cinderclient, not the Cinder API.

The case noted in the upstream LP bug is from nova compute during volume attach (initialize connection).  The main test would be to set n-cpu to debug and look for the logs like the bug shows.  It is also probably worth running some Cinder commands from the CLI with --debug, but I'm not sure of a test case there that matches the LP description.

Comment 5 Tzach Shefi 2016-12-14 10:53:24 UTC

On A RHOS10 Packstack version: python-cinderclient-1.9.0-4.el7ost.noarch

Ran this command:
#nova --debug volume-attach 11e99e7b-36bf-4fe8-bc85-0612ea4571a4 6a616f6a-2f4b-4ce8-9173-b8dc50d38ccc auto 2>&1 | tee nova_volume_attach_debug.txt

The --debug output didn't show: auth_password or connection_info 

However Nova compute log did: 

"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "3ND3dgd9sVGVxsBT", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-6a616f6a-2f4b-4ce8-9173-b8dc50d38ccc", "target_portal": "10.35.117.152:3260", "volume_id": "6a616f6a-2f4b-4ce8-9173-b8

Now what am I looking at, a clear text password or it's hash?
How do I know for sure this is fixed?

Comment 6 Eric Harney 2016-12-14 14:04:15 UTC

The Nova compute log should mask this password.  That needs a separate bug on the nova component to chase.

I think this is fixed for cinderclient now so this BZ should be done.

Comment 8 errata-xmlrpc 2016-12-14 16:32:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Note You need to log in before you can comment on or make changes to this bug.