pool-manager configuration options will leak db passwd

Bug #1454175 reported by stanzgy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Designate | Fix Released | Critical | stanzgy |

Bug Description

When using PowerDNS with MySQL as pool target, [pool_target:%id].options will contain DB access information, and this will be written directly to the logs without sanitization.

e.g.:
2015-05-12 15:14:53.044 27671 DEBUG designate.openstack.common.service [req-468ce0c2-84f5-47b2-ba85-d6a091651b6d - - - - -] pool_target:170dd95c-e282-11e4-b67e-56a46e28b239.options = {'connection': 'mysql://***:***@***:3306/***charset=utf8'} log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2195

IMO for security considerations, we should set this configuration option as secret.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (master)

Fix proposed to branch: master
Review: https://review.openstack.org/182214

Changed in designate:
assignee: nobody → stanzgy (stanzgy)
status: New → In Progress
Changed in designate:
importance: Undecided → Critical
milestone: none → liberty-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (master)

Reviewed: https://review.openstack.org/182214
Committed: https://git.openstack.org/cgit/openstack/designate/commit/?id=3305c7745516e4161f722bf3744c1175aaea7fa9
Submitter: Jenkins
Branch: master

commit 3305c7745516e4161f722bf3744c1175aaea7fa9
Author: stanzgy <email address hidden>
Date: Tue May 12 17:46:19 2015 +0800

    Set cfg.pool_target.options as secret

    Change-Id: Ia6dfa4940568665aa1298a71845fe6b0a4c12e7d
    Closes-Bug: 1454175

Changed in designate:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in designate:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in designate:
milestone: liberty-1 → 1.0.0
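
Logs written before the fix can still hold the connection string in clear text. The following is an added example, not code from Designate or from this bug report: it scans log lines of the shape quoted in the bug description for `pool_target:<id>.options` entries that expose a database password, and redacts them. The sample lines, credentials, and host name are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Shape of the DEBUG line quoted in the bug description.
OPT_LINE = re.compile(r"(pool_target:[0-9a-f-]+)\.options\s*=\s*(\{.*\})")
CONN_URL = re.compile(r"'connection':\s*'([^']+)'")
MASK = "***"

# Constructed sample input: one leaking line, one line as oslo.config logs a
# secret option ('****'), and one unrelated line.
PREFIX = "2015-05-12 15:14:53.044 27671 DEBUG designate.openstack.common.service [-] "
GROUP = "pool_target:170dd95c-e282-11e4-b67e-56a46e28b239"
SAMPLE = [
    PREFIX + GROUP + ".options = {'connection': "
    "'mysql://designate:EXAMPLE-PASSWORD@db.example.test:3306/designate?charset=utf8'}",
    PREFIX + GROUP + ".options = ****",
    PREFIX + "service:pool_manager.workers = 1",
]


def _parse(line):
    """Return (group, parsed_url) if the line exposes a password, else None."""
    m = OPT_LINE.search(line)
    c = CONN_URL.search(m.group(2)) if m else None
    if not c:
        return None
    parts = urlsplit(c.group(1))
    # No password, or one that is already all asterisks, is not a leak.
    if not parts.password or set(parts.password) == {"*"}:
        return None
    return m.group(1), parts


def scan(lines):
    """Yield (line_no, group, db_user, db_host) for lines exposing a password."""
    for n, line in enumerate(lines, 1):
        hit = _parse(line)
        if hit:
            yield n, hit[0], hit[1].username, hit[1].hostname


def redact(line):
    """Return the line with an exposed password replaced by MASK."""
    hit = _parse(line)
    if not hit:
        return line
    return line.replace(":" + hit[1].password + "@", ":" + MASK + "@", 1)


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any account reported by `scan` should have its database password rotated, since redacting the log does not undo earlier exposure.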