Update how tokens are redacted from plaintext exposure

Bug #1329301 reported by Stuart McLaren
Affects                Status        Importance  Assigned to    Milestone
Glance Client          Fix Released  Low         Travis Tripp
python-keystoneclient  Fix Released  Low         Brant Knudson

Bug Description

We should move from this approach:

https://review.openstack.org/#/c/83350/

to whatever cross-project approach is agreed upon:

See this thread:

http://lists.openstack.org/pipermail/openstack-dev/2014-June/037345.html

Tags: security ops
Travis Tripp (travis-tripp) wrote :

I just went through the thread and as best as I can tell there wasn’t a conclusion in the ML. However, if we are going to do anything, IMO the thread leans toward {SHA1}<sha1oftoken>, with Morgan Fainberg dissenting. However, he references a patch that was ultimately abandoned.

Sent new message out to ML.

Changed in python-glanceclient:
status: New → Incomplete
tags: added: security
tags: added: ops
Stuart McLaren (stuart-mclaren) wrote :

Here's what nova went with: https://review.openstack.org/#/c/99511/
swift seems to be following suit: https://review.openstack.org/#/c/99632/

Travis Tripp (travis-tripp) wrote :

From new Mailing list thread: http://lists.openstack.org/pipermail/openstack-dev/2014-September/045802.html

So, will propose fix similar to swift which copied from Nova.

-----Original Message-----
From: Morgan Fainberg [mailto:<email address hidden>]
Sent: Friday, September 12, 2014 3:39 PM
To: Brant Knudson; OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] masking X-Auth-Token in debug output - proposed consistency

-----Original Message-----
From: Brant Knudson <email address hidden>
Reply: OpenStack Development Mailing List (not for usage questions) <email address hidden>
Date: September 12, 2014 at 14:32:20
To: OpenStack Development Mailing List (not for usage questions) <email address hidden>
Subject: Re: [openstack-dev] masking X-Auth-Token in debug output - proposed consistency

> On Fri, Sep 12, 2014 at 12:02 PM, Tripp, Travis S wrote:
>
> > From Jamie Lennox:
> > >> We handle this in the keystoneclient Session object by just printing
> > >> REDACTED or something similar. The problem with using a SHA1 is that
> > >> for backwards compatibility we often use the SHA1 of a PKI token as if
> > >> it were a UUID token and so this is still sensitive data. There is work
> > >> in keystone by morganfainberg (which i think was merged) to add a new
> > >> audit_it which will be able to identify a token across calls without
> > >> exposing any sensitive information. We will support this in session
> > >> when available.
> >
> > From Sean Dague
> > > So the problem is that means we are currently leaking secrets and
> > > making the logs unreadable.
> >
> > > It seems like we should move forward with the {SHA1} ... and if that
> > > is still sensitive, address that later. Not addressing it basically
> > > keeps the exposure and destroys usability of the code because there is
> > > so much garbage printed out.
> >
> > I understand Sean's point about debugging. Right now the glanceclient is
> > just printing ***. So it isn't printing a lot of excess and isn't leaking
> > anything sensitive. The other usability concern with the *** that Sean
> > previously mentioned was having a short usable string might be useful for
> > debugging.
> >
> > Morgan and Jamie, you think switching to SHA1 actually adds a potential
> > security vulnerability to glanceclient that doesn't exist now. If that is
> > true, I think it would override the additional debugging concern of using
> > SHA1 for now. Can you please confirm?
> >
> > If only for consistency's sake, I could switch to "TOKEN_REDACTED" like
> > the code sample Morgan sent. [1]
> >
> > [1] https://github.com/openstack/python-keystoneclient/blob/01cabf6bbbee8b5340295f3be5e1fa7111387e7d/keystoneclient/session.py#L126-L131
>
> As the person who proposed the change to print TOKEN_REDACTED, I'd be
> happy to see it printed as {SHA1} instead. I only had it print
> TOKEN_REDACTED because I was concerned that we were still logging tokens
> and wanted to get something merged that didn't do that rather than
> waiting for the perfect solution to come along....

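The redaction the thread converges on, as an added example in Python (not glanceclient's or keystoneclient's own code): the X-Auth-Token value in a curl-style debug line is replaced by {SHA1}<hex digest>, so one token can be followed across service logs while the plaintext never appears. The extra header names and the sample token are constructed for the example.

```python
import hashlib
from typing import Dict, Mapping

# Constructed for this example: header names whose values are tokens.
# X-Auth-Token is the one the thread discusses; the other two are assumed.
TOKEN_HEADERS = frozenset({"x-auth-token", "x-subject-token", "x-service-token"})


def redact_token(token: str) -> str:
    """Return '{SHA1}<hex digest>' for a token, the form nova and swift adopted.

    The digest is deterministic, so one token can be correlated across the
    logs of different services, while the plaintext token never reaches the
    log. Caveat raised in the thread: the SHA1 of a PKI token is itself used
    as a token identifier, so for PKI tokens the digest is still sensitive.
    """
    digest = hashlib.sha1(token.encode("utf-8")).hexdigest()
    return "{SHA1}" + digest


def redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Copy a header mapping, replacing the value of every token header."""
    redacted = {}
    for name, value in headers.items():
        if name.lower() in TOKEN_HEADERS:
            redacted[name] = redact_token(value)
        else:
            redacted[name] = value
    return redacted


def curl_debug_line(method: str, url: str, headers: Mapping[str, str]) -> str:
    """Build a curl-style debug line like the ones the clients log, redacted."""
    parts = ["curl -i", "-X", method]
    for name, value in sorted(redact_headers(headers).items()):
        parts.append("-H '%s: %s'" % (name, value))
    parts.append(url)
    return " ".join(parts)


if __name__ == "__main__":
    sample = {  # constructed request headers
        "X-Auth-Token": "constructed-plaintext-token",
        "Content-Type": "application/json",
    }
    print(curl_debug_line("GET", "http://glance.example/v2/images", sample))
```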

Changed in python-glanceclient:
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.openstack.org/121692
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=f980fc549247fa2deb87dfacebc6d8d13ccd45d1
Submitter: Jenkins
Branch: master

commit f980fc549247fa2deb87dfacebc6d8d13ccd45d1
Author: Travis Tripp <email address hidden>
Date: Mon Sep 15 16:17:18 2014 -0600

    Update how tokens are redacted

    Using SHA-1 to match how Nova and Swift redact their tokens.
    Was discussed in the below thread:

    http://lists.openstack.org/pipermail/openstack-dev/2014-September/045802.html

    Here's what nova went with: https://review.openstack.org/#/c/99511/
    swift seem to be following suit: https://review.openstack.org/#/c/99632/

    Change-Id: I3045d6d9d2a13770f4022dbbd474b34eb1032f6e
    Closes-bug: 1329301

Changed in python-glanceclient:
status: In Progress → Fix Committed
Changed in python-glanceclient:
assignee: nobody → Travis Tripp (travis-tripp)
Louis Taylor (kragniz)
Changed in python-glanceclient:
status: Fix Committed → Fix Released
Brant Knudson (blk-u)
Changed in python-keystoneclient:
assignee: nobody → Brant Knudson (blk-u)
status: New → In Progress
Dolph Mathews (dolph)
summary: - Update how tokens are redacted
+ Update how tokens are redacted from plaintext exposure
Changed in python-keystoneclient:
importance: Undecided → Low
Changed in python-glanceclient:
importance: Undecided → Low
Brant Knudson (blk-u) wrote :

This is https://review.openstack.org/#/c/123819/ in python-keystoneclient.

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/123819
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=23d20452d24dc3adeb404ab44799585ec1169247
Submitter: Jenkins
Branch: master

commit 23d20452d24dc3adeb404ab44799585ec1169247
Author: Brant Knudson <email address hidden>
Date: Wed Sep 24 14:24:39 2014 -0500

    Log token with sha1

    By logging the sha1 hash of the token, it can be tracked through
    different services.

    Closes-bug: #1329301
    Change-Id: I9c338f6a418ab8dd34dbaaf918b0ea6e9cbe79d7

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 0.11.2
Changed in python-keystoneclient:
status: Fix Committed → Fix Released