Bug 1655742 - [OSP10] fixed_key value is logged in the cinder logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 10.0 (Newton)
Hardware: Unspecified
OS: All
medium
high
Target Milestone: ---
: 10.0 (Newton)
Assignee: Sofia Enriquez
QA Contact: Tzach Shefi
Kim Nylander
URL:
Whiteboard:
Depends On: 1665452 1665456
Blocks:
Reported: 2018-12-03 19:50 UTC by David Hill
Modified: 2019-04-30 16:58 UTC (History)

Fixed In Version: openstack-cinder-9.1.4-45.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the cinder logs contained fixed_key value. With this update, the fixed_key value is not logged.
Clone Of:
: 1665452 1665456 (view as bug list)
Environment:
Last Closed: 2019-04-30 16:58:37 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Launchpad 1806473 None None None 2018-12-03 19:50:56 UTC
OpenStack gerrit 621686 None None None 2018-12-04 18:23:40 UTC
Red Hat Product Errata RHSA-2019:0917 None None None 2019-04-30 16:58:44 UTC

Description David Hill 2018-12-03 19:50:45 UTC
Description of problem:
fixed_key value is logged in the cinder logs

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set fixed_key value
2.
3.

Actual results:
It's logged in the logs

Expected results:
It shouldn't be logged

Additional info:

Comment 1 Eric Harney 2018-12-04 17:29:11 UTC
This appears to be an OSP10 z8 regression introduced by bug 1547600.

The code in OSP10 used to detect which values to mask by looking for "_key" in the config option name, but this was changed to fix another similar issue.

We will need a fix like https://review.openstack.org/#/c/621686/ for this to be backported to OSP10.

Comment 2 Alan Bishop 2018-12-04 18:20:40 UTC
@Sofia, there's some background on this issue, so poke Eric or me if you have questions.

Comment 3 Sofia Enriquez 2018-12-19 20:05:41 UTC
@Alan, I'm waiting for https://review.openstack.org/#/c/625140/1 to be merged, so I could upstream backport to Newton and then downstream backport to OSP10.

Comment 13 Tzach Shefi 2019-03-31 15:16:46 UTC
Verified on:
openstack-cinder-9.1.4-49.el7ost.noarch


Installed OSP10

Configured fixed_key on cinder.conf

[root@controller-0 ~]# grep fixed_key /etc/cinder/cinder.conf 
# Deprecated group/name - [keymgr]/fixed_key
#fixed_key = <None>
fixed_key=04d6b077d60e323711b37813b3a68a71

restart cinder

[root@controller-0 ~]# systemctl restart openstack-cinder-api.service
[root@controller-0 ~]# systemctl restart openstack-cinder-volume.service


grep fixed_key in cinder's log -> 

[root@controller-0 ~]# grep -irn fixed_key /var/log/cinder/
/var/log/cinder/api.log:1449:2019-03-31 14:46:01.610 61696 DEBUG oslo_service.service [req-2eaf0f8e-9daa-4936-94e2-152ae8af4d71 - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/api.log:2954:2019-03-31 14:50:12.670 90599 DEBUG oslo_service.service [req-81d0ac35-a3a5-44d8-a69d-069a430ecc6c - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/api.log:4459:2019-03-31 15:12:56.360 249523 DEBUG oslo_service.service [req-fcb2d120-9569-4d9b-a44b-e9381a05c736 - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/volume.log:402:2019-03-31 14:56:00.394 125458 DEBUG oslo_service.service [req-1ec85793-7155-4d50-9909-8ebb4ca58824 - - - - -] key_manager.fixed_key          = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630
/var/log/cinder/volume.log:969:2019-03-31 15:13:35.613 252190 DEBUG oslo_service.service [req-99254f91-3c77-4a4b-89b6-33bf058b08df - - - - -] key_manager.fixed_key          = **** log_opt_v

As can be seen we only see ***** 

Let's be extra sure, look for part of the key in the logs:
[root@controller-0 ~]# grep -irn 04d6b077 /var/log/cinder/
[root@controller-0 ~]# 

Again nothing found, looks good to verify
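
The verification in Comment 13, written as a repeatable check that reads the secret from the config and reports where it leaks without printing it. This is an added example, not part of the bug report or of cinder's code; the option set, the fragment length and the sample config and log lines are constructed assumptions.

```python
import re

SECRET_OPTIONS = {"fixed_key"}   # option names to treat as secret (assumption)
MIN_FRAGMENT = 8                 # shortest piece of a secret worth flagging

def load_secrets(conf_text, names=SECRET_OPTIONS):
    """Return {"section.option": value} for secret options set in an INI-style config."""
    section, found = "DEFAULT", {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and commented-out defaults such as "#fixed_key = <None>"
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() in names and value.strip():
            found[f"{section}.{name.strip()}"] = value.strip()
    return found

def audit_log(lines, secrets, min_fragment=MIN_FRAGMENT):
    """Return (line_no, option, kind) findings; the secret itself is never echoed."""
    findings = []
    for no, line in enumerate(lines, 1):
        for option, value in secrets.items():
            pieces = [value[i:i + min_fragment] for i in range(max(1, len(value) - min_fragment + 1))]
            # An option dump such as "key_manager.fixed_key = ****" must show the mask.
            dumped = re.search(re.escape(option) + r"\s*=\s*(\S+)", line)
            if value in line:
                findings.append((no, option, "full"))
            elif len(value) >= min_fragment and any(p in line for p in pieces):
                findings.append((no, option, "partial"))
            elif dumped and dumped.group(1) != "****":
                findings.append((no, option, "unmasked"))
    return findings

# Constructed sample data, not taken from a real deployment.
SAMPLE_CONF = """\
[key_manager]
#fixed_key = <None>
fixed_key=00112233445566778899aabbccddeeff
"""
SAMPLE_LOG = [
    "DEBUG oslo_service.service [-] key_manager.fixed_key          = **** log_opt_values",
    "DEBUG oslo_service.service [-] key_manager.fixed_key          = 00112233445566778899aabbccddeeff log_opt_values",
    "DEBUG example [-] using key prefix 8899aabb",
]

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG, load_secrets(SAMPLE_CONF)))
```

Findings carry only the line number, option name and match kind, so the audit output can be stored or shared without becoming a second copy of the key.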

Comment 15 errata-xmlrpc 2019-04-30 16:58:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0917