Bug 1394953 - cinderclient logs passwords in debug logs
Summary: cinderclient logs passwords in debug logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-cinderclient
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
Target Release: 10.0 (Newton)
Assignee: Eric Harney
QA Contact: Tzach Shefi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-14 20:59 UTC by Eric Harney
Modified: 2016-12-14 16:32 UTC (History)
5 users

Fixed In Version: python-cinderclient-1.9.0-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 16:32:45 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
Launchpad 1640269 None None None 2016-11-14 20:59:34 UTC

Description Eric Harney 2016-11-14 20:59:34 UTC
Description of problem:
debug logs can contain passwords in plaintext

Version-Release number of selected component (if applicable):
Newton

Comment 2 Tzach Shefi 2016-11-29 10:09:46 UTC
Eric, I've looked at the LP link. 

# grep -ir auth_password /var/log/cinder/  returns nothing.
The password should be masked from api.log or other log(s)?

What command was issued causing the password-exposing HTTP response to happen?

Once I issue ^ command I should still see "auth_password" but this time followed by *** rather than the password correct?  

If not, how else should I go about verifying this bz?

Comment 3 Eric Harney 2016-11-29 16:15:29 UTC
(In reply to Tzach Shefi from comment #2)

This is about the debug logs from cinderclient, not the Cinder API.

The case noted in the upstream LP bug is from nova compute during volume attach (initialize connection).  The main test would be to set n-cpu to debug and look for the logs like the bug shows.  It is also probably worth running some Cinder commands from the CLI with --debug, but I'm not sure of a test case there that matches the LP description.

Comment 5 Tzach Shefi 2016-12-14 10:53:24 UTC
On a RHOS10 Packstack version: python-cinderclient-1.9.0-4.el7ost.noarch

Ran this command:
#nova --debug volume-attach 11e99e7b-36bf-4fe8-bc85-0612ea4571a4 6a616f6a-2f4b-4ce8-9173-b8dc50d38ccc auto 2>&1 | tee nova_volume_attach_debug.txt

The --debug output didn't show auth_password or connection_info.

However Nova compute log did: 

"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "3ND3dgd9sVGVxsBT", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-6a616f6a-2f4b-4ce8-9173-b8dc50d38ccc", "target_portal": "10.35.117.152:3260", "volume_id": "6a616f6a-2f4b-4ce8-9173-b8

Now what am I looking at, a clear text password or its hash?
How do I know for sure this is fixed?

Comment 6 Eric Harney 2016-12-14 14:04:15 UTC
The Nova compute log should mask this password.  That needs a separate bug on the nova component to chase.

I think this is fixed for cinderclient now so this BZ should be done.
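The fix discussed in this bug is masking, not removing, the secret fields before they are written to a debug log. The following is an added example, not code from python-cinderclient or nova, showing the two places a mask can be applied: on the structure before it is serialised (the robust option) and, as a fallback, on an already-formatted log line such as the truncated one quoted in comment 5. The list of sensitive field names and all sample values are constructed for this example; only the field name auth_password and the overall connection_info shape come from the bug. The `find_leaked_values` helper is the check a tester wants for verifying a bug like this one: search the captured log for the credential actually in use rather than for the field name.

```python
import re
from typing import Any

# Field names treated as secrets.  The set is an assumption for this example;
# "auth_password" is the field from the log line quoted in the bug.
SENSITIVE_KEYS = frozenset({"auth_password", "password", "chap_password", "secret", "token"})
MASK = "***"


def mask_structure(obj: Any) -> Any:
    """Return a copy of a nested dict/list with sensitive values replaced by MASK.

    Masking at this level, before the structure is serialised for a debug log,
    is the robust option: nothing secret is ever formatted into the log line.
    The input is not modified, so the real connection_info is still usable.
    """
    if isinstance(obj, dict):
        return {
            key: (MASK if str(key).lower() in SENSITIVE_KEYS and value is not None
                  else mask_structure(value))
            for key, value in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [mask_structure(item) for item in obj]
    return obj


# Matches  "auth_password": "<value>"  (JSON) or  'auth_password': '<value>'  (Python repr).
_SERIALISED_SECRET = re.compile(
    r"""(["'](?:%s)["']\s*:\s*)(["'])[^"']*\2""" % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE,
)


def mask_serialised(text: str) -> str:
    """Mask sensitive values in text that is already a JSON/repr string.

    This is the fallback for log lines formatted elsewhere.  It also works on
    truncated lines (the one in the bug is cut off mid-object), where a
    json.loads() round-trip would raise instead of masking anything.
    """
    return _SERIALISED_SECRET.sub(
        lambda m: m.group(1) + m.group(2) + MASK + m.group(2), text)


def find_leaked_values(text: str, secrets) -> list:
    """Return every known secret value that appears verbatim in text.

    Feed it the captured log and the credentials in use: an empty list means
    nothing leaked, regardless of how the log line was formatted.
    """
    return [s for s in secrets if s and s in text]


# Constructed sample: shape copied from the connection_info in the bug, values invented.
SAMPLE_PASSWORD = "CONSTRUCTED-CHAP-PASSWORD"
SAMPLE_CONNECTION_INFO = {
    "driver_volume_type": "iscsi",
    "data": {
        "auth_password": SAMPLE_PASSWORD,
        "auth_username": "constructed-user",
        "target_discovered": False,
        "target_iqn": "iqn.2010-10.org.openstack:volume-00000000-0000-0000-0000-000000000000",
        "target_portal": "192.0.2.10:3260",
    },
}
# Constructed, truncated log line in the same style as the one quoted in comment 5.
SAMPLE_LOG_LINE = (
    '"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "%s", '
    '"target_discovered": false, "target_portal": "192.0.2.10:3260", "volume_id": "00000000-00'
    % SAMPLE_PASSWORD
)

if __name__ == "__main__":
    print(mask_structure(SAMPLE_CONNECTION_INFO))
    print(mask_serialised(SAMPLE_LOG_LINE))
    print(find_leaked_values(mask_serialised(SAMPLE_LOG_LINE), [SAMPLE_PASSWORD]))
```

OpenStack's own components do this through `oslo_utils.strutils.mask_password`, which applies a set of regular expressions to the formatted string; the structure-level mask above is what to reach for when the code still holds the dict, because the result cannot be defeated by a log line being truncated or by a value containing characters the regex stops at.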

Comment 8 errata-xmlrpc 2016-12-14 16:32:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

