cinderclient displays keystone token data when --debug is used

Bug #1341735 reported by Jay Bryant
Affects: python-cinderclient
Status: Fix Released
Importance: High
Assigned to: Jay Bryant

Bug Description

When using the --debug option with cinderclient it is possible to see the username and password being used to access cinder:

bash-4.1# cinder --debug list

REQ: curl -i http://192.168.122.188:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-cinderclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "admin", "password": "openstack1"}}}'

DEBUG:cinderclient.client:
REQ: curl -i http://192.168.122.188:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-cinderclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "admin", "password": "openstack1"}}}'

Other projects have changes to resolve this issue:

The neutronclient proposal -
https://review.openstack.org/#/c/93866/9/neutronclient/client.py is to
use 'REDACTED'

There is a novaclient patch in the gate that uses SHA1(<sha1oftoken>) -
https://review.openstack.org/#/c/98443/

Morgan was working on keystone.session patch -
https://review.openstack.org/#/c/98443/

This ML thread discusses the accepted way for handling the situation: http://lists.openstack.org/pipermail/openstack-dev/2014-June/037345.html
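A defensive re-implementation of the two approaches the description mentions (masking the password value in the request body, and replacing the token with its SHA1 digest as the novaclient patch does), applied to the REQ line shown above. This is an added example, not cinderclient's, novaclient's or oslo's own code; the function names `mask_password`, `hash_token` and `scrub_debug_line`, the `{SHA1}` prefix and the regexes are assumptions made for illustration.

```python
import hashlib
import re

# Added example (not the cinderclient or oslo implementation): scrub the
# credentials that --debug prints so saved debug output is no longer a
# credential leak, while keeping the rest of the curl line intact.

# Each pattern has exactly three groups: prefix, secret value, suffix.
_PASSWORD_PATTERNS = [
    # JSON body form, as in the bug:  "password": "openstack1"
    re.compile(r'("password"\s*:\s*")([^"]*)(")', re.IGNORECASE),
    # key=value form (query strings, form posts):  password=secret
    re.compile(r"(password\s*=\s*)([^&\s'\"]+)()", re.IGNORECASE),
]

# Header form, as in the novaclient REQ line:  -H "X-Auth-Token: <token>"
_TOKEN_PATTERN = re.compile(r'(X-Auth-Token:\s*)([^"\s]+)', re.IGNORECASE)


def mask_password(message, secret="***"):
    """Return message with every password value replaced by `secret`."""
    for pattern in _PASSWORD_PATTERNS:
        message = pattern.sub(
            lambda m: m.group(1) + secret + m.group(3), message)
    return message


def hash_token(message):
    """Replace the X-Auth-Token value with {SHA1}<digest>: the log stays
    correlatable across requests, but the token itself cannot be replayed."""
    def _repl(m):
        digest = hashlib.sha1(m.group(2).encode("utf-8")).hexdigest()
        return m.group(1) + "{SHA1}" + digest
    return _TOKEN_PATTERN.sub(_repl, message)


def scrub_debug_line(line):
    """Apply both scrubbers to one line of --debug output."""
    return hash_token(mask_password(line))


# Constructed sample modelled on the REQ line in the bug report.
SAMPLE_REQ = (
    'REQ: curl -i http://192.168.122.188:5000/v2.0/tokens -X POST '
    '-H "Content-Type: application/json" -H "User-Agent: python-cinderclient" '
    '-d \'{"auth": {"tenantName": "service", "passwordCredentials": '
    '{"username": "admin", "password": "openstack1"}}}\''
)

if __name__ == "__main__":
    print(scrub_debug_line(SAMPLE_REQ))
```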

Jay Bryant (jsbryant)
Changed in python-cinderclient:
importance: Undecided → High
assignee: nobody → Jay Bryant (jsbryant)
Jay Bryant (jsbryant) wrote :

Update to this, the first thing that needs to be changed will be based on the changes to Nova to change output from this:

REQ: curl -i 'http://192.168.122.188:8774/v2/04103f5a55c847ad892958019c8b5609/servers/detail' -X GET -H "X-Auth-Project-Id: service" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: ...


summary: - cinderclient displays clear text passwords when --debug is used
+ cinderclient displays keystone token data when --debug is used
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-cinderclient (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/107512

Changed in python-cinderclient:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-cinderclient (master)

Reviewed: https://review.openstack.org/107512
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=2274089dc65ea87063151b3d243e7f6b1019db95
Submitter: Jenkins
Branch: master

commit 2274089dc65ea87063151b3d243e7f6b1019db95
Author: Jay S. Bryant <email address hidden>
Date: Wed Jul 16 14:05:17 2014 -0500

    sync latest strutils to python-cinderclient

    This commit syncs the latest strutils code into
    python-cinderclient. The motivation for this sync is to get
    access to the mask_password function that was added with commit
    cb5a804b.

    The sync touches both the strutils.py and gettextutils.py files.
    The detailed breakdown of the sync is as follows:

    Current HEAD in OSLO:
    -----------------------------------
    commit 5fa2dae429a9e37dfd1a527eb3957cea57a3e8c4
    Merge: 5fb12c2 0506d17
    Author: Jenkins <email address hidden>
    Date: Tue Jul 15 10:05:12 2014 +0000
    Merge "cfgfilter has graduated, remove it"
    -----------------------------------

    Changes to strutils.py (newest to oldest):
    -----------------------------------
    cb5a804b Move `mask_password` to strutils
    8a0f5678 Remove str() from LOG.* and exceptions
    fd18c288 Fix safe_encode(): return bytes on Python 3
    302c7c80 strutils: Allow safe_{encode,decode} to take bytes as input
    bec3a5eb Implements SI/IEC unit system conversion to bytes

    Changes to gettextutils.py (newest to oldest):
    -----------------------------------
    3d90045d Backport code for i18n to check lazy at runtime
    de4adbc4 pep8: fixed multiple violations
    9912e5df Add API for creating translation functions
    6cc96d05 Fix test_gettextutils on Python 3
    fd33d1ea Fix gettextutil.Message handling of deep copy failures
    047b2e4e Change lazy translation to retain complete dict
    6d55e26a Add support for translating log levels separately

    Change-Id: Icc38bc97e47c8236ccb82283c246bf266bc62929
    Related-Bug: 1341735

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-cinderclient (master)

Reviewed: https://review.openstack.org/107153
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=80582f2b860b2dadef7ae07bdbd8395bf03848b1
Submitter: Jenkins
Branch: master

commit 80582f2b860b2dadef7ae07bdbd8395bf03848b1
Author: Jay S. Bryant <email address hidden>
Date: Tue Jul 15 13:51:03 2014 -0500

    Mask passwords in client debug output

    This change looks for the use of 'password' in the data that
    is sent and uses mask_password() to remove the actual password
    text. This change will prevent debug output that is being
    saved from saving passwords.

    A test case is added to verify that password output is being removed.

    Change-Id: I93bde838ea21101df08c0e824d9f9457ed2ad077
    Closes-Bug: 1341735

Changed in python-cinderclient:
status: In Progress → Fix Committed
Changed in python-cinderclient:
milestone: none → 1.3.1
status: Fix Committed → Fix Released