Stop using debug for insecure responses

Bug #1479523 reported by Brant Knudson
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Brant Knudson

Bug Description

If you set debug=true in keystone.conf the server 1) logs at debug level, and 2) sends out insecure responses. Deployers might think that debug=true only does 1, not knowing about 2 since it's not documented in the sample config. The behaviors should be decoupled to improve security a bit.

Tags: security
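A configuration audit for the coupling the report describes, added here as an example and not taken from keystone or from the bug's own change: it reads a keystone.conf and flags `debug=true` (verbose logging, and on a keystone without this fix also insecure responses) as well as the separate option the fix introduced. The option name `insecure_debug` is not stated on this page and is assumed from keystone's configuration; the sample config is constructed.

```python
import configparser

# oslo.config accepts these spellings for a boolean option (case-insensitive).
_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off"}


def as_bool(raw, default=False):
    """Parse an oslo.config-style boolean; unknown strings fall back to default."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    return default


def audit_keystone_conf(text, fixed=True):
    """Return findings for [DEFAULT] debug / insecure_debug in a keystone.conf.

    fixed=False models a keystone without this bug's fix (before 9.0.0.0b2),
    where debug=true alone also switched on insecure responses. insecure_debug
    is the separate option the fix introduced (assumed name; not on the page).
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    debug = as_bool(cfg.get("DEFAULT", "debug", fallback=None))
    insecure = as_bool(cfg.get("DEFAULT", "insecure_debug", fallback=None))
    findings = []
    if debug:
        findings.append("debug=true: base logger set to DEBUG (verbose logging)")
    if debug and not fixed:
        findings.append("debug=true on pre-fix keystone: insecure responses enabled too")
    if insecure:
        findings.append("insecure_debug=true: error responses carry extra detail")
    return findings


# Constructed sample: a deployer who only wanted verbose logs.
SAMPLE_CONF = """
[DEFAULT]
debug = True
"""

if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_CONF, fixed=False):
        print("WARNING:", finding)
```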
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207226

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) wrote :

Setting this to Wishlist because it should be included in release notes.

Changed in keystone:
importance: Undecided → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/207226
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Submitter: Jenkins
Branch: master

commit 2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Author: Brant Knudson <email address hidden>
Date: Wed Jul 29 16:29:42 2015 -0500

    Config option for insecure responses

    oslo.log's "debug" option was co-opted to also indicate that the
    responses should include more information. A separate config
    option should be used instead so that deployers don't mistakenly
    expose themselves to security issues.

    The debug option still is used for what it does in oslo.log and
    how it works on all other projects -- if you're not using a log
    config file it sets the base logger to debug.

    SecurityImpact

    Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
    Closes-Bug: 1479523

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.
