Bug 1578346 - [OSP10] Heat in DEBUG logs private keys when a template creates a keypair
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: async
: 10.0 (Newton)
Assignee: Nathan Kinder
QA Contact: nlevinki
URL:
Whiteboard:
Depends On: 1575945 1578347 1612881
Blocks: 1578343
Reported: 2018-05-15 11:07 UTC by Matthew Booth
Modified: 2022-08-16 08:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When Nova or Heat was configured to log at the DEBUG log level, private keys were logged in clear text when a keypair was created. oslo.utils now hides private keys in logs.
Clone Of: 1575945
: 1612881
Environment:
Last Closed: 2019-10-15 09:44:58 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Launchpad 1770683 0 None None None 2018-05-15 11:07:54 UTC
OpenStack gerrit 567887 0 None None None 2018-05-15 11:07:54 UTC
Red Hat Issue Tracker OSP-5089 0 None None None 2022-08-16 08:48:17 UTC

Comment 1 Victor Stinner 2018-06-05 13:11:07 UTC
I requested Release oslo.utils 3.28.3 for Pike:
https://review.openstack.org/#/c/572383/

Comment 2 Victor Stinner 2018-06-05 13:38:11 UTC
> I requested Release oslo.utils 3.28.3 for Pike:
> https://review.openstack.org/#/c/572383/

Sorry, this message was for bz#1578347 which targets OSP 12 (Pike).

For this ticket, I manually backported the fix since OSP 10 (Newton) reached end of life: python-oslo-utils-3.16.0-2.el7ost includes the fix and is now ready for tests.

Comment 3 Victor Stinner 2018-07-16 13:51:11 UTC
While the issue has been fixed in oslo.utils, keystone still needs to be modified to use mask_password() to mask passwords in logs:
https://bugzilla.redhat.com/show_bug.cgi?id=1578347#c12

I changed the component to Keystone and reset the issue status to NEW.

Comment 4 Damien Ciabrini 2018-08-06 13:16:33 UTC
Since that bug requires a fix in both python-oslo-utils and openstack-keystone, I have just cloned it [1] to track the python-oslo-utils fix in a dedicated bz.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1612881
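
The class of fix this bug tracks, masking a keypair's private key before a DEBUG line is written, can be sketched with the standard library alone. This is an added example, not code from oslo.utils, keystone or this bug report; `redact`, `RedactingFilter`, `log_keypair_response`, the `SENSITIVE_KEYS` list and the sample response body are all hypothetical names and constructed data.

```python
import io
import logging
import re

# "private_key" is the field this bug is about; the other key names are
# assumptions added for the example.
SENSITIVE_KEYS = ("private_key", "password", "token")
_KEYS = "|".join(re.escape(k) for k in SENSITIVE_KEYS)
# Matches 'private_key': '...' or "private_key": "..." in dict reprs and JSON,
# including escaped quotes inside the value.
_QUOTED = re.compile(
    r"""(['"](?:%s)['"]\s*:\s*u?)(['"])(?:\\.|(?!\2).)*\2""" % _KEYS, re.DOTALL)
# Catches a PEM block that was logged without a key name in front of it.
_PEM = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.DOTALL)


def redact(text, secret="***"):
    """Return text with sensitive values and PEM private keys replaced."""
    text = _QUOTED.sub(lambda m: m.group(1) + m.group(2) + secret + m.group(2), text)
    return _PEM.sub(secret, text)


class RedactingFilter(logging.Filter):
    """Redact the fully formatted message before the handler writes it."""

    def filter(self, record):
        # Format first, so secrets passed as %-style arguments are covered too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def log_keypair_response(body):
    """Log a keypair-create response at DEBUG and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("example.keypair")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.debug("RESP BODY: %s", body)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


# Constructed sample body; the key material is a placeholder, not a real key.
SAMPLE = {"keypair": {"name": "demo", "private_key":
          "-----BEGIN RSA PRIVATE KEY-----\nMIIEXAMPLE\n-----END RSA PRIVATE KEY-----\n"}}
```

Attaching the filter to the handler rather than to one logger means every record that reaches that handler is redacted, whichever module emitted it.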

