[astute] Astute should not log deployment data

Bug #1588452 reported by Dmitry Ukov
This bug affects 5 people
Affects: Fuel for OpenStack
Status: Fix Released
Importance: High
Assigned to: Vladimir Sharshov

Bug Description

Astute logs deployment data events even if the log level is set to info.
This may be a security issue and we should log this only in debug mode.

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L109

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L87

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L66

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L46

Update:

Rabbit and Cobbler credentials on the master node are also exposed:

2016-06-03 05:15:05 INFO [19980] Starting with settings
....
:broker_username: naily
:broker_password: 1ISnmaZdSwdsQpQJ7DHV5aFK
:broker_service_exchange: naily_service
:broker_queue: naily
:broker_publisher_queue: nailgun
:broker_exchange: nailgun

2016-06-03 05:31:36 INFO [20002] Run hook ---
type: cobbler_sync
uids:
- master
parameters:
  provisioning_info:
    engine:
      url: http://10.0.203.2:80/cobbler_api
      username: cobbler
      password: 3z8TaPOVkknB2Z7AG8ib9MYK
      master_ip: 10.0.203.2

2016-06-03 15:10:16 INFO [5007] Trying to instantiate cobbler engine:
{"url"=>"http://10.0.5.2:80/cobbler_api",
 "username"=>"cobbler",
 "password"=>"ccJe64oOihW9nqufB6uMD21o",
 "master_ip"=>"10.0.5.2"}
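An added example, not code from fuel-astute or from the fix that eventually merged: that fix moves these dumps to the debug level, which keeps the secrets out of INFO logs but still writes them in full whenever debug logging is enabled. The alternative a deployer usually wants is to redact the credential-bearing keys before the structure is serialised, so the "Starting with settings" and "Run hook" messages are safe at any level. The sample settings and hook below are constructed to mirror the shapes quoted above with placeholder passwords; SENSITIVE_KEY, redact and loggable_yaml are names chosen for this example.

```ruby
# Added example, not fuel-astute code: redact credential-bearing keys from a
# deployment data structure before it is logged, so the output is safe at any
# log level rather than only when the level is raised above debug.
require 'yaml'

# Key names that must never reach the log. Matched case-insensitively on the
# key, so :broker_password, "password" and "AuthToken" are all caught.
SENSITIVE_KEY = /password|passwd|secret|token|private_key|ssh_key|api_key/i
REDACTED = '[REDACTED]'

# Returns a deep copy of obj with sensitive values replaced; the input is not
# mutated, so the real values remain available to the code that needs them.
def redact(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s.match?(SENSITIVE_KEY) ? REDACTED : redact(value)
    end
  when Array
    obj.map { |value| redact(value) }
  else
    obj
  end
end

# YAML rendering of the redacted structure, in the shape Astute's
# "Starting with settings" / "Run hook" messages use.
def loggable_yaml(obj)
  redact(obj).to_yaml
end

# Constructed samples mirroring the shapes quoted in the bug report; the
# credential values are placeholders, not real secrets.
SETTINGS = {
  broker_username: 'naily',
  broker_password: 'placeholder-broker-password',
  broker_service_exchange: 'naily_service',
  broker_queue: 'naily'
}.freeze

HOOK = {
  'type' => 'cobbler_sync',
  'uids' => ['master'],
  'parameters' => {
    'provisioning_info' => {
      'engine' => {
        'url' => 'http://10.0.203.2:80/cobbler_api',
        'username' => 'cobbler',
        'password' => 'placeholder-cobbler-password',
        'master_ip' => '10.0.203.2'
      }
    }
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "INFO Starting with settings\n#{loggable_yaml(SETTINGS)}"
  puts "INFO Run hook ---\n#{loggable_yaml(HOOK)}"
end
```

Redacting on the key name rather than on the value is deliberate: the values are random strings with nothing to pattern-match on, while the key names (broker_password, password) are stable across the settings file and the hook parameters.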

Ilya Kutukov (ikutukov)
Changed in fuel:
milestone: none → 10.0
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Vladimir Sharshov (vsharshov)
tags: added: area-python
tags: added: feature-security
Bug Checker Bot (bug-checker) wrote: Autochecker

(This check performed automatically)
Please make sure that the bug description contains the following sections, filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Dmitry Ukov (dukov)
description: updated
Dmitry Ukov (dukov)
description: updated
OpenStack Infra (hudson-openstack) wrote: Fix proposed to fuel-astute (master)

Fix proposed to branch: master
Review: https://review.openstack.org/326663

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to fuel-astute (master)

Reviewed: https://review.openstack.org/326663
Committed: https://git.openstack.org/cgit/openstack/fuel-astute/commit/?id=4c93ff6905cf12a83b81767315f357bbfdb53ab5
Submitter: Jenkins
Branch: master

commit 4c93ff6905cf12a83b81767315f357bbfdb53ab5
Author: Vladimir Sharshov (warpc) <email address hidden>
Date: Tue Jun 7 20:03:30 2016 +0300

    Log sensitive data using debug log level

    For a production installation the deployer should change
    the Astute log level from debug to info to hide sensitive
    data: logins, passwords, tokens, SSH keys and so on.

    DocImpact

    Change-Id: I6c447e649b5b9eb589bdaa35d5f80e1fbfaa02dc
    Closes-Bug: #1588452
    Related-Bug: #1410207

Changed in fuel:
status: In Progress → Fix Committed
Dmitry Belyaninov (dbelyaninov) wrote:

Verified on Newton #1556 iso.

astute.log-20170405-1491391801-2017-04-05 11:00:58 DEBUG [16891] Process message from worker queue:
...
astute.log-20170405-1491391801- "username"=>"cobbler",
astute.log-20170405-1491391801- "password"=>"2ACysQXN9tfhqZFCVhYiTpEb",
astute.log-20170405-1491391801- "master_ip"=>"10.109.0.2"},

astute.log-20170405-1491391801:2017-03-28 14:00:27 DEBUG [16885] Starting with settings
...
astute.log-20170405-1491391801-:broker_username: naily
astute.log-20170405-1491391801-:broker_password: xQDn9fv7O74R66Mp0v78eGsY

astute.log-20170405-1491391801:2017-04-05 11:07:38 DEBUG [16891] Trying to instantiate cobbler engine:
astute.log-20170405-1491391801-{"url"=>"http://10.109.0.2:80/cobbler_api",
astute.log-20170405-1491391801- "username"=>"cobbler",
astute.log-20170405-1491391801- "password"=>"2ACysQXN9tfhqZFCVhYiTpEb",
astute.log-20170405-1491391801- "master_ip"=>"10.109.0.2"}
astute.log-20170405-1491391801-
astute.log-20170405-1491391801-2017-04-05 11:07:38 DEBUG [16891] Cobbler options:
astute.log-20170405-1491391801-{"url"=>"http://10.109.0.2:80/cobbler_api",
astute.log-20170405-1491391801- "username"=>"cobbler",
astute.log-20170405-1491391801- "password"=>"2ACysQXN9tfhqZFCVhYiTpEb",
astute.log-20170405-1491391801- "master_ip"=>"10.109.0.2"}

Changed in fuel:
status: Fix Committed → Fix Released
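The verification above was done by grepping the rotated log by hand. As an added example (not project code), the following Ruby audits Astute-style log lines for credential values and attributes each dump to the level of the header line it belongs to, so the check "no secret at INFO or above" can be rerun against any astute.log after a level change. The two sample line sets are constructed to imitate the report's INFO-level excerpts before the fix and the grep-prefixed DEBUG-level excerpts from the verification, with placeholder values rather than real secrets; HEADER, CRED_PATTERNS and audit_log are names chosen for this example.

```ruby
# Added example, not fuel-astute code: audit Astute-style log lines for
# credential values and report the log level they were emitted at, so a
# deployer can confirm that nothing sensitive appears at INFO or above.

# Level header as it appears in astute.log; matched anywhere in the line so
# grep-style "filename-" / "filename:" prefixes in front of the timestamp are
# tolerated.
HEADER = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (DEBUG|INFO|WARN|ERROR|FATAL) \[\d+\]/
LEVELS = %w[DEBUG INFO WARN ERROR FATAL].freeze

# Two value shapes seen in the bug report: YAML ("  password: x",
# ":broker_password: x") and Ruby inspect output ("password"=>"x").
CRED_PATTERNS = [
  /(?:^|[\s\-:])(\w*(?:password|passwd|secret|token)\w*):\s+(\S+)/i,
  /"(\w*(?:password|passwd|secret|token)\w*)"\s*=>\s*"([^"]+)"/i
].freeze

# Returns one hash per leaked value at or above min_level. Continuation lines
# of a YAML or inspect dump carry no header of their own, so they inherit the
# level of the most recent header line.
def audit_log(lines, min_level: 'INFO')
  level = nil
  findings = []
  lines.each_with_index do |line, idx|
    if (header = HEADER.match(line))
      level = header[1]
    end
    next if level.nil? # lines before the first header cannot be classified
    CRED_PATTERNS.each do |pattern|
      next unless (m = pattern.match(line))
      findings << { line: idx + 1, level: level, key: m[1], value: m[2] }
    end
  end
  threshold = LEVELS.index(min_level)
  findings.select { |f| LEVELS.index(f[:level]) >= threshold }
end

# Constructed lines imitating the report: INFO-level dumps before the fix,
# DEBUG-level dumps with grep file prefixes afterwards. Values are placeholders.
BEFORE_FIX = [
  '2016-06-03 05:15:05 INFO [19980] Starting with settings',
  ':broker_username: naily',
  ':broker_password: placeholder-1',
  '2016-06-03 05:31:36 INFO [20002] Run hook ---',
  '      username: cobbler',
  '      password: placeholder-2',
  '2016-06-03 15:10:16 INFO [5007] Trying to instantiate cobbler engine:',
  ' "username"=>"cobbler",',
  ' "password"=>"placeholder-3",'
].freeze

AFTER_FIX = [
  'astute.log-20170405-1491391801:2017-03-28 14:00:27 DEBUG [16885] Starting with settings',
  'astute.log-20170405-1491391801-:broker_username: naily',
  'astute.log-20170405-1491391801-:broker_password: placeholder-4',
  'astute.log-20170405-1491391801:2017-04-05 11:07:38 DEBUG [16891] Cobbler options:',
  'astute.log-20170405-1491391801- "password"=>"placeholder-5",',
  '2017-04-05 11:08:00 INFO [16891] Deployment finished'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_log(BEFORE_FIX).each { |f| puts "line #{f[:line]} #{f[:level]} #{f[:key]}" }
  puts "INFO-level leaks after fix: #{audit_log(AFTER_FIX).size}"
end
```

Against a real file, pass File.readlines(path, chomp: true) for the astute.log in question; running with min_level: 'DEBUG' lists what a debug-level log still discloses, which is the exposure the merged fix accepts rather than removes.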