ceilometer.network.notifications prints message which contains auth token in log.info

Bug #1433004 reported by ZhiQiang Fan
Affects      Status         Importance   Assigned to     Milestone
Ceilometer   Fix Released   Critical     ZhiQiang Fan
Icehouse     Won't Fix      Undecided    Unassigned
Juno         Fix Released   Undecided    gordon chung

Bug Description

https://github.com/openstack/ceilometer/blob/3f9e48155a6dd474a7843dc9aaaef378c7f4ca53/ceilometer/network/notifications.py#L75

    def process_notification(self, message):
        LOG.info(_('network notification %r') % message)

The message contains _context_auth_token, so the LOG call prints, at info level, the auth token used by end users; this is not very secure.
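The merged fix simply drops the log line. Where a notification still needs to be logged for debugging, the added example below (not Ceilometer's code) shows the alternative: redact secret-bearing fields such as _context_auth_token before the message reaches the log. SAMPLE_MESSAGE and the key pattern are constructed assumptions modelled on the oslo.messaging envelope the bug describes.

```python
import logging
import re

LOG = logging.getLogger(__name__)

# Assumed pattern for keys whose values must never be logged. '_context_auth_token'
# is the field named in the bug; the other names are common secret-bearing keys.
SENSITIVE_KEY_RE = re.compile(r"(token|password|secret)", re.IGNORECASE)
REDACTED = "***"


def redact(obj):
    """Return a copy of a notification payload with secret-bearing values masked.

    Walks nested dicts and lists so that a token nested under 'payload' or
    any '_context_*' key is caught as well, not just top-level keys.
    The input object is left untouched.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if isinstance(k, str) and SENSITIVE_KEY_RE.search(k)
                else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def process_notification(message):
    """Safe counterpart of the original handler: log only the redacted copy.

    Returns the redacted copy so callers (and tests) can inspect what was logged.
    """
    safe = redact(message)
    LOG.info('network notification %r', safe)
    return safe


# Constructed sample notification shaped like the envelope Ceilometer consumes.
SAMPLE_MESSAGE = {
    'event_type': 'network.create.end',
    '_context_auth_token': 'CONSTRUCTED-EXAMPLE-TOKEN',  # constructed, not real
    '_context_user_id': 'u-123',
    'payload': {'network': {'id': 'net-1', 'name': 'demo', 'admin_password': 'x'}},
}
```

Note that the log format is passed as a separate argument rather than pre-formatted with `%`, so the redacted object is only rendered if the info level is actually enabled.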

ZhiQiang Fan (aji-zqfan)
Changed in ceilometer:
assignee: nobody → ZhiQiang Fan (aji-zqfan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/164997

Changed in ceilometer:
status: New → In Progress
gordon chung (chungg)
Changed in ceilometer:
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (master)

Reviewed: https://review.openstack.org/164997
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=fd2a66f9a3a2d6612a05a3df258c3ce46bb154f2
Submitter: Jenkins
Branch: master

commit fd2a66f9a3a2d6612a05a3df258c3ce46bb154f2
Author: ZhiQiang Fan <email address hidden>
Date: Tue Mar 17 17:29:11 2015 +0800

    remove log message when process notification

    The message may contain some sensitive information, for example, an auth
    token. This patch removes logging of the entire message in network.notifications.

    Change-Id: I7e5f37668ab2a8bcf191ad886ac54352727272f7
    Closes-Bug: #1433004

Changed in ceilometer:
status: In Progress → Fix Committed
Eoghan Glynn (eglynn)
Changed in ceilometer:
milestone: none → kilo-3
Thierry Carrez (ttx)
Changed in ceilometer:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: kilo-3 → 2015.1.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ceilometer (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/229494

OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (stable/juno)

Reviewed: https://review.openstack.org/229494
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=8204521e99b7407ac3fb1ba4a08dce85a53bc8b1
Submitter: Jenkins
Branch: stable/juno

commit 8204521e99b7407ac3fb1ba4a08dce85a53bc8b1
Author: ZhiQiang Fan <email address hidden>
Date: Tue Mar 17 17:29:11 2015 +0800

    remove log message when process notification

    The message may contain some sensitive information, for example, an auth
    token. This patch removes logging of the entire message in network.notifications.

    Change-Id: I7e5f37668ab2a8bcf191ad886ac54352727272f7
    Closes-Bug: #1433004
    (cherry picked from commit fd2a66f9a3a2d6612a05a3df258c3ce46bb154f2)
