vault: Information for authentication appears in debug logs

Bug #2058397 reported by Takashi Kajinami
Affects | Status | Importance | Assigned to | Milestone
Barbican | Fix Released | Undecided | Takashi Kajinami |
castellan | Fix Released | Undecided | Takashi Kajinami |

Bug Description

The following options of the vault key manager are used for authentication with Vault.

root_token_id: This is not actually an id but a token string

approle_role_id and approle_secret_id: approle_role_id and approle_secret_id

However, these options currently lack secret=True and appear in debug logs (during startup, when all options are dumped).
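
A static check for the defect this report describes, as an added example (not code from castellan or barbican): it parses Python source and flags oslo.config-style `*Opt` definitions whose name looks like a credential but that do not pass `secret=True`. The sample source and the name heuristic are constructed for illustration.

```python
import ast
import re

# Name fragments that suggest a credential (heuristic assumed for this example).
SENSITIVE = re.compile(r"(token|secret|password|passwd|role_id|api_key)", re.I)

# Constructed sample modelled on the option names in this report;
# it is not the project's actual source.
SAMPLE = '''
from oslo_config import cfg

opts = [
    cfg.StrOpt('root_token_id', help='constructed help text'),
    cfg.StrOpt('approle_role_id', help='constructed help text'),
    cfg.StrOpt('approle_secret_id', help='constructed help text'),
    cfg.StrOpt('vault_url', default='http://127.0.0.1:8200'),
    cfg.BoolOpt('use_ssl', default=False),
]
'''


def find_unmasked_options(source):
    """Return sorted (line, name) pairs for credential-like *Opt calls lacking secret=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        ctor = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if not ctor.endswith("Opt"):
            continue
        # The option name is the first positional argument or the name= keyword.
        name_node = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "name"), None)
        if not (isinstance(name_node, ast.Constant) and isinstance(name_node.value, str)):
            continue
        # Only a literal secret=True counts as masked.
        masked = any(
            kw.arg == "secret" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords)
        if SENSITIVE.search(name_node.value) and not masked:
            findings.append((node.lineno, name_node.value))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, name in find_unmasked_options(SAMPLE):
        print(f"line {lineno}: option '{name}' looks like a credential but lacks secret=True")
```

Run over a project's option modules in CI, a non-empty result is a reason to review the option before it ships; names the heuristic misses still need a manual look.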

OpenStack Infra (hudson-openstack) wrote : Fix proposed to castellan (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/castellan/+/913690

Changed in castellan:
status: New → In Progress
Changed in castellan:
assignee: nobody → Takashi Kajinami (kajinamit)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/barbican/+/913691

Changed in barbican:
status: New → In Progress
Changed in barbican:
assignee: nobody → Takashi Kajinami (kajinamit)
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.opendev.org/c/openstack/barbican/+/913691
Committed: https://opendev.org/openstack/barbican/commit/82e1782b39ceb1e3abe92323d120045e916db404
Submitter: "Zuul (22348)"
Branch: master

commit 82e1782b39ceb1e3abe92323d120045e916db404
Author: Takashi Kajinami <email address hidden>
Date: Wed Mar 20 00:24:17 2024 +0900

    vault: Hide values used for authentication

    The following options are used for authentication with Vault, so should
    be hidden from logs.

    1) root_token_id
    This is not actually an id but a token string

    2) approle_role_id and approle_secret_id
    These are used together to obtain token

    Closes-Bug: #2058397
    Change-Id: I0650fd12e3f51fc4d829e0be3ab95cd8b3ee03ea

Changed in barbican:
status: In Progress → Fix Released
Changed in castellan:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to castellan (master)

Reviewed: https://review.opendev.org/c/openstack/castellan/+/913690
Committed: https://opendev.org/openstack/castellan/commit/327ee6e979b1ecb0226974f8daa611ee03d746e7
Submitter: "Zuul (22348)"
Branch: master

commit 327ee6e979b1ecb0226974f8daa611ee03d746e7
Author: Takashi Kajinami <email address hidden>
Date: Wed Mar 20 00:17:28 2024 +0900

    vault: Hide values used for authentication

    The following options are used for authentication with Vault, so should
    be hidden from logs.

    1) root_token_id
    This is not actually an id but a token string

    2) approle_role_id and approle_secret_id
    These are used together to obtain token

    Closes-Bug: #2058397
    Change-Id: I000149b6c5017c9548db55ae2517405dc8325808

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/castellan 5.1.0

This issue was fixed in the openstack/castellan 5.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/barbican 19.0.0.0rc1

This issue was fixed in the openstack/barbican 19.0.0.0rc1 release candidate.
