Ceilometer shouldn't record auth info (token) of neutronclient in log

Bug #1436140 reported by Liusheng
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ceilometer | Invalid | Undecided | Liusheng | |
| python-neutronclient | Expired | Undecided | Unassigned | |

Bug Description

Currently, Ceilometer will record auth info when invoking neutronclient to get resources if we set log_level to DEBUG, like this:

2015-03-21 08:47:18.882 28555 DEBUG neutronclient.client [-]
REQ: curl -i http://10.250.10.246:5000/v2.0/tokens -X POST -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "ceilometer", "password": "REDACTED"}}}'
 http_log_req /usr/local/lib/python2.7/dist-packages/neutronclient/common/utils.py:130
2015-03-21 08:47:18.883 28555 DEBUG urllib3.util.retry [-] Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=0) from_int /usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py:155
2015-03-21 08:47:19.001 28555 DEBUG neutronclient.client [-] RESP:200 CaseInsensitiveDict({'content-length': '4686', 'vary': 'X-Auth-Token', 'server': 'Apache/2.4.7 (Ubuntu)', 'date': 'Sat, 21 Mar 2015 00:47:18 GMT', 'content-type': 'application/json', 'x-openstack-request-id': 'req-bfde8b07-6cc3-4330-8a0e-c6760fabc5b3'}) {"access": {"token": {"issued_at": "2015-03-21T00:47:18.969327", "expires": "2015-03-21T01:47:18Z", "id": "2e0f30b2b21e4882bdd76728db0c119e", "tenant": {"description": null, "enabled": true, "id": "1e378c6eceed4ddcab74efc7a2716a71", "parent_id": null, "name": "service"}, "audit_ids": ["4YsomDCoS-GyUguh59AFag"]}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.250.10.246:8004/v1/1e378c6eceed4ddcab74efc7a2716a71", "region": "RegionOne", "internalURL": "http://10.250.10.246:8004/v1/1e378c6eceed4ddcab74efc7a2716a71", "id": "51df1cf6585c48258c713a6ba710841d", "publicURL": "http://10.250.10.246:8004/v1/1e378c6eceed4ddcab74efc7a2716a71"}], "endpoints_links": [], "type": "orchestration", "name": "heat"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8774/v2/1e378c6eceed4ddcab74efc7a2716a71", "region": "RegionOne", "internalURL": "http://10.250.10.246:8774/v2/1e378c6eceed4ddcab74efc7a2716a71", "id": "b540d1b9a32843eab0e9068a5ecfcb4a", "publicURL": "http://10.250.10.246:8774/v2/1e378c6eceed4ddcab74efc7a2716a71"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.250.10.246:9696/", "region": "RegionOne", "internalURL": "http://10.250.10.246:9696/", "id": "546fc177c74840d0a0cee8da35f370b4", "publicURL": "http://10.250.10.246:9696/"}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8776/v2/1e378c6eceed4ddcab74efc7a2716a71", "region": "RegionOne", "internalURL": "http://10.250.10.246:8776/v2/1e378c6eceed4ddcab74efc7a2716a71", "id": "8e451ebb34124d1c96fe2b589f2b1b8a", "publicURL": 
"http://10.250.10.246:8776/v2/1e378c6eceed4ddcab74efc7a2716a71"}], "endpoints_links": [], "type": "volumev2", "name": "cinderv2"}, {"endpoints": [{"adminURL": "http://10.250.10.246:3333", "region": "RegionOne", "internalURL": "http://10.250.10.246:3333", "id": "1e79124cdac94bb48bb8d159761e27da", "publicURL": "http://10.250.10.246:3333"}], "endpoints_links": [], "type": "s3", "name": "s3"}, {"endpoints": [{"adminURL": "http://10.250.10.246:9292", "region": "RegionOne", "internalURL": "http://10.250.10.246:9292", "id": "101e2c1acc464ef894a9b409f189e61f", "publicURL": "http://10.250.10.246:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8777/", "region": "RegionOne", "internalURL": "http://10.250.10.246:8777/", "id": "caa28936762d450cbd6dc34ceff6b244", "publicURL": "http://10.250.10.246:8777/"}], "endpoints_links": [], "type": "metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8000/v1", "region": "RegionOne", "internalURL": "http://10.250.10.246:8000/v1", "id": "67d8cd5b9a184c6d9e0a0bc209b485db", "publicURL": "http://10.250.10.246:8000/v1"}], "endpoints_links": [], "type": "cloudformation", "name": "heat-cfn"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8776/v1/1e378c6eceed4ddcab74efc7a2716a71", "region": "RegionOne", "internalURL": "http://10.250.10.246:8776/v1/1e378c6eceed4ddcab74efc7a2716a71", "id": "7f7926b9ebf14f3398301eeb6171c9a8", "publicURL": "http://10.250.10.246:8776/v1/1e378c6eceed4ddcab74efc7a2716a71"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8773/", "region": "RegionOne", "internalURL": "http://10.250.10.246:8773/", "id": "065fbc5ac83346aab1773c54fb821385", "publicURL": "http://10.250.10.246:8773/"}], "endpoints_links": [], "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8774/v2.1/1e378c6eceed4ddcab74efc7a2716a71", "region": "RegionOne", 
"internalURL": "http://10.250.10.246:8774/v2.1/1e378c6eceed4ddcab74efc7a2716a71", "id": "6d139a786e6d4140818284f29c82fbe2", "publicURL": "http://10.250.10.246:8774/v2.1/1e378c6eceed4ddcab74efc7a2716a71"}], "endpoints_links": [], "type": "computev21", "name": "novav21"}, {"endpoints": [{"adminURL": "http://10.250.10.246:35357/v2.0", "region": "RegionOne", "internalURL": "http://10.250.10.246:5000/v2.0", "id": "62ad49d5235b41eeba55fe0b874ab28f", "publicURL": "http://10.250.10.246:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}, {"endpoints": [{"adminURL": "http://10.250.10.246:8080/v2.0", "region": "RegionOne", "internalURL": "http://10.250.10.246:8080/v2.0", "id": "7495945e77f24a5aa43188271a9564d2", "publicURL": "http://10.250.10.246:8080/v2.0"}], "endpoints_links": [], "type": "monitor", "name": "monasca"}], "user": {"username": "ceilometer", "roles_links": [], "id": "803e3d3243444cf8aeb9f4d7a4ac4e00", "roles": [{"name": "admin"}], "name": "ceilometer"}, "metadata": {"is_admin": 0, "roles": ["eb75c15b2bc44914bccfedd273341950"]}}}
 http_log_resp /usr/local/lib/python2.7/dist-packages/neutronclient/common/utils.py:139
2015-03-21 08:47:19.002 28555 DEBUG neutronclient.client [-]
REQ: curl -i http://10.250.10.246:9696//v2.0/lb/members.json -X GET -H "User-Agent: python-neutronclient" -H "X-Auth-Token: 2e0f30b2b21e4882bdd76728db0c119e"

The above info includes sensitive information, the admin token, and the token wasn't safely encoded with a hash method. This is easily exposed to end users.

Liusheng (liusheng)
Changed in ceilometer:
assignee: nobody → Liusheng (liusheng)
Changed in python-neutronclient:
assignee: nobody → Liusheng (liusheng)
gordon chung (chungg) wrote :
Liusheng (liusheng) wrote :

Hi gordon, this is not a duplicate of bug/1433004. That bug reported the Ceilometer-agent-notification recording tokens from notifications in the log file; this bug reports the ceilometer-polling recording the auth information when polling network.* pollsters by invoking neutronclient.

ZhiQiang Fan (aji-zqfan) wrote :

Yes, the problem exists

Nova will also print the auth token if it enables debug. I think the problem affects ceilometer but should be fixed in neutronclient, by encoding the token (sha)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/168834

Changed in python-neutronclient:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-neutronclient (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/168834
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

yong sheng gong (gongysh) wrote :

I don't have your patch applied, but you can see the token is already sha1ed.
[gongysh@fedora22 devstack]$ neutron net-list -v
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://172.17.42.1:5000/v2.0 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
DEBUG: keystoneclient.session RESP: [200] Content-Length: 337 Vary: X-Auth-Token Connection: keep-alive Date: Fri, 21 Aug 2015 06:59:55 GMT Content-Type: application/json X-Openstack-Request-Id: req-996ed801-0013-443c-81b6-cf8c1230e6f7
RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://172.17.42.1:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

DEBUG: stevedore.extension found extension EntryPoint.parse('yaml = clifftablib.formatters:YamlFormatter')
DEBUG: stevedore.extension found extension EntryPoint.parse('json = clifftablib.formatters:JsonFormatter')
DEBUG: stevedore.extension found extension EntryPoint.parse('html = clifftablib.formatters:HtmlFormatter')
DEBUG: stevedore.extension found extension EntryPoint.parse('table = cliff.formatters.table:TableFormatter')
DEBUG: stevedore.extension found extension EntryPoint.parse('csv = cliff.formatters.commaseparated:CSVLister')
DEBUG: stevedore.extension found extension EntryPoint.parse('value = cliff.formatters.value:ValueFormatter')
DEBUG: neutronclient.neutron.v2_0.network.ListNetwork get_data(Namespace(columns=[], fields=[], formatter='table', max_width=0, page_size=None, quote_mode='nonnumeric', request_format='json', show_details=False, sort_dir=[], sort_key=[]))
DEBUG: keystoneclient.auth.identity.v2 Making authentication request to http://172.17.42.1:5000/v2.0/tokens
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://172.17.42.1:9696/v2.0/networks.json -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}47dbaceba93c53b30092a9af89c7818c54ae78c3"

Changed in python-neutronclient:
assignee: Liusheng (liusheng) → Dong Liu (liudong78)
assignee: Dong Liu (liudong78) → Liusheng (liusheng)
Liusheng (liusheng) wrote :

gongys, sorry for replying late. The CLI of neutron client will mask the token, but if other projects use neutronclient, the token will be exposed in the log.
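
A service that embeds a client library can mask these values itself at the logging layer, whatever the library emits. The sketch below is an added example, not code from this bug report or from python-neutronclient; the filter class, function names and sample values are constructed for illustration, and the `{SHA1}` form mirrors the keystoneclient.session output quoted earlier in the thread.

```python
import hashlib
import io
import logging
import re

# Header form logged as: -H "X-Auth-Token: <value>"; skip values already hashed.
_HEADER_RE = re.compile(r'(X-Auth-Token: )(?!\{SHA1\})([^\s"\']+)', re.IGNORECASE)
# Token id inside a Keystone v2 body, when "id" precedes any nested object.
_BODY_ID_RE = re.compile(r'("token":\s*\{[^{}]*?"id":\s*")([^"]+)(")')
_PASSWORD_RE = re.compile(r'("password":\s*")[^"]*(")')


def _sha1(value):
    # Same "{SHA1}<hex digest>" form as the keystoneclient.session output.
    return "{SHA1}" + hashlib.sha1(value.encode("utf-8")).hexdigest()


def mask_secrets(text):
    text = _HEADER_RE.sub(lambda m: m.group(1) + _sha1(m.group(2)), text)
    text = _BODY_ID_RE.sub(lambda m: m.group(1) + _sha1(m.group(2)) + m.group(3), text)
    return _PASSWORD_RE.sub(r"\1***\2", text)


class SecretMaskingFilter(logging.Filter):
    """Rewrite each record's final message before the handler formats it."""

    def filter(self, record):
        record.msg = mask_secrets(record.getMessage())
        record.args = ()  # message is already interpolated
        return True


def demo():
    # Constructed sample values, not taken from the bug report.
    token, password = "constructed-token-0001", "constructed-pw"
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler: logger-level filters do not apply to child loggers.
    handler.addFilter(SecretMaskingFilter())
    log = logging.getLogger("neutronclient.client")
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)
    log.propagate = False
    log.debug('REQ: curl -i http://192.0.2.10:9696/v2.0/lb/members.json '
              '-X GET -H "X-Auth-Token: %s"', token)
    log.debug('REQ: -d \'{"auth": {"passwordCredentials": {"password": "%s"}}}\'', password)
    log.debug('RESP:200 {"access": {"token": {"expires": "x", "id": "%s"}}}', token)
    log.removeHandler(handler)
    return stream.getvalue()
```

The body pattern only covers the field order seen in the log above; a response that nests an object before the token `id` needs JSON-aware redaction instead.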

gordon chung (chungg)
Changed in ceilometer:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by liusheng (<email address hidden>) on branch: master
Review: https://review.openstack.org/168834

gordon chung (chungg) wrote :

seems like a neutronclient bug

Changed in ceilometer:
status: Triaged → Invalid
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in python-neutronclient:
assignee: Liusheng (liusheng) → nobody
status: In Progress → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for python-neutronclient because there has been no activity for 60 days.]

Changed in python-neutronclient:
status: Incomplete → Expired