[astute] Astute should not log deployment data

Bug #1588452 reported by Dmitry Ukov on 2016-06-02
This bug affects 5 people
Affects: Fuel for OpenStack
Status: Fix Released
Importance: High
Assigned to: Vladimir Sharshov
Milestone: 10.0

Bug Description

Astute logs deployment data events even if the log level is set to info.
This may be a security issue and we should log this only in debug mode.

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L109

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L87

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L66

https://github.com/openstack/fuel-astute/blob/master/lib/astute/server/dispatcher.rb#L46

Update:

Rabbit and cobbler credentials on the master node are also exposed:

2016-06-03 05:15:05 INFO [19980] Starting with settings
....
:broker_username: naily
:broker_password: 1ISnmaZdSwdsQpQJ7DHV5aFK
:broker_service_exchange: naily_service
:broker_queue: naily
:broker_publisher_queue: nailgun
:broker_exchange: nailgun

2016-06-03 05:31:36 INFO [20002] Run hook ---
type: cobbler_sync
uids:
- master
parameters:
  provisioning_info:
    engine:
      url: http://10.0.203.2:80/cobbler_api
      username: cobbler
      password: 3z8TaPOVkknB2Z7AG8ib9MYK
      master_ip: 10.0.203.2

2016-06-03 15:10:16 INFO [5007] Trying to instantiate cobbler engine:
{"url"=>"http://10.0.5.2:80/cobbler_api",
 "username"=>"cobbler",
 "password"=>"ccJe64oOihW9nqufB6uMD21o",
 "master_ip"=>"10.0.5.2"}
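
The description above shows a settings hash and a hook's parameters written to the log at INFO with their passwords intact. As an added example that is not part of this bug report or of Astute's own code, the Ruby below redacts values under sensitive keys anywhere in a nested Hash/Array before the structure is logged, and emits the unredacted form only at DEBUG. The key pattern SENSITIVE_KEY, the helper names scrub and log_structure, and the sample data (made-up credentials, RFC 5737 addresses) are assumptions for illustration, modelled on the "Starting with settings" and "Run hook" entries quoted in the report.

```ruby
require 'logger'
require 'yaml'

# Keys whose values must never reach an INFO-level log line.  This pattern is
# an assumption for the example; the quoted Astute log uses keys such as
# :broker_password (symbol) and "password" (string), both of which it matches.
SENSITIVE_KEY = /password|passwd|secret|token|ssh_key|private_key/i

# Return a deep copy of +obj+ in which every value stored under a sensitive
# key is replaced by a placeholder.  Hashes and arrays are walked recursively;
# keys are compared as strings so symbol-keyed settings and string-keyed hook
# parameters are both handled.  The input is never mutated.
def scrub(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEY.match?(k.to_s) ? '[REDACTED]' : scrub(v)
    end
  when Array
    obj.map { |v| scrub(v) }
  else
    obj
  end
end

# Log +data+ at INFO only in scrubbed form; the full structure goes out at
# DEBUG, so an operator running at INFO (as the fix for this bug recommends)
# never sees credentials, while DEBUG keeps them available for troubleshooting.
def log_structure(logger, label, data)
  logger.info("#{label}\n#{scrub(data).to_yaml}")
  logger.debug("#{label} (unredacted)\n#{data.to_yaml}")
end

# Constructed samples shaped like the entries quoted in the bug; every value
# is made up and the addresses are from the RFC 5737 documentation range.
SETTINGS = {
  broker_username: 'naily',
  broker_password: 'example-not-a-real-secret',
  broker_service_exchange: 'naily_service',
  broker_queue: 'naily',
}.freeze

HOOK = {
  'type' => 'cobbler_sync',
  'uids' => ['master'],
  'parameters' => {
    'provisioning_info' => {
      'engine' => {
        'url' => 'http://192.0.2.2:80/cobbler_api',
        'username' => 'cobbler',
        'password' => 'example-not-a-real-secret',
        'master_ip' => '192.0.2.2',
      },
    },
  },
}.freeze

if __FILE__ == $PROGRAM_NAME
  logger = Logger.new($stdout)
  logger.level = Logger::INFO   # only the scrubbed copies are printed
  log_structure(logger, 'Starting with settings', SETTINGS)
  log_structure(logger, 'Run hook ---', HOOK)
end
```

Redacting at the call site is more robust than relying on the log level alone: a deployer who later raises the level to DEBUG to chase a problem still gets the unredacted copy, but nothing at INFO ever depends on them remembering to lower it again.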

Ilya Kutukov (ikutukov) on 2016-06-03
Changed in fuel:
milestone: none → 10.0
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Vladimir Sharshov (vsharshov)
tags: added: area-python
tags: added: feature-security

(This check is performed automatically)
Please make sure that the bug description contains the following sections, filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Dmitry Ukov (dukov) on 2016-06-03
description: updated
Dmitry Ukov (dukov) on 2016-06-03
description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/326663

Changed in fuel:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/326663
Committed: https://git.openstack.org/cgit/openstack/fuel-astute/commit/?id=4c93ff6905cf12a83b81767315f357bbfdb53ab5
Submitter: Jenkins
Branch: master

commit 4c93ff6905cf12a83b81767315f357bbfdb53ab5
Author: Vladimir Sharshov (warpc) <email address hidden>
Date: Tue Jun 7 20:03:30 2016 +0300

    Log sensitive data using debug log level

    For production installation deployer should change
    Astute log level from debug to info to hide sensitive
    data: logins, passwords, tokens, ssh keys and so on.

    DocImpact

    Change-Id: I6c447e649b5b9eb589bdaa35d5f80e1fbfaa02dc
    Closes-Bug: #1588452
    Related-Bug: #1410207

Changed in fuel:
status: In Progress → Fix Committed
Dmitry Belyaninov (dbelyaninov) wrote:

Verified on Newton #1556 iso.

astute.log-20170405-1491391801-2017-04-05 11:00:58 DEBUG [16891] Process message from worker queue:
...
astute.log-20170405-1491391801- "username"=>"cobbler",
astute.log-20170405-1491391801- "password"=>"2ACysQXN9tfhqZFCVhYiTpEb",
astute.log-20170405-1491391801- "master_ip"=>"10.109.0.2"},

astute.log-20170405-1491391801:2017-03-28 14:00:27 DEBUG [16885] Starting with settings
...
astute.log-20170405-1491391801-:broker_username: naily
astute.log-20170405-1491391801-:broker_password: xQDn9fv7O74R66Mp0v78eGsY

astute.log-20170405-1491391801:2017-04-05 11:07:38 DEBUG [16891] Trying to instantiate cobbler engine:
astute.log-20170405-1491391801-{"url"=>"http://10.109.0.2:80/cobbler_api",
astute.log-20170405-1491391801- "username"=>"cobbler",
astute.log-20170405-1491391801- "password"=>"2ACysQXN9tfhqZFCVhYiTpEb",
astute.log-20170405-1491391801- "master_ip"=>"10.109.0.2"}
astute.log-20170405-1491391801-
astute.log-20170405-1491391801-2017-04-05 11:07:38 DEBUG [16891] Cobbler options:
astute.log-20170405-1491391801-{"url"=>"http://10.109.0.2:80/cobbler_api",
astute.log-20170405-1491391801- "username"=>"cobbler",
astute.log-20170405-1491391801- "password"=>"2ACysQXN9tfhqZFCVhYiTpEb",
astute.log-20170405-1491391801- "master_ip"=>"10.109.0.2"}
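
The verification above inspects astute.log by eye for password strings. As an added example, not part of this report or of Astute, the Ruby below automates that check: it walks an astute.log-style excerpt, attributes each continuation line to the level of the most recent header line (the "date time LEVEL [pid] message" form visible above), and returns every credential-bearing line with its level. With this fix in place, any hit at a level other than DEBUG is a regression. The excerpt SAMPLE_LOG is constructed to resemble the quoted lines with made-up secrets, PIDs and addresses; the regexes and function names are assumptions.

```ruby
# Constructed astute.log excerpt shaped like the entries quoted in the bug.
# Timestamps, PIDs and secrets are made up; the address is from RFC 5737.
SAMPLE_LOG = <<~LOG
  2017-04-05 11:00:58 DEBUG [16891] Process message from worker queue:
   "username"=>"cobbler",
   "password"=>"not-a-real-secret-1",
  2017-04-05 11:01:02 INFO [16891] Run hook ---
  type: cobbler_sync
  2017-04-05 11:01:03 INFO [16891] Starting with settings
  :broker_username: naily
  :broker_password: not-a-real-secret-2
  2017-04-05 11:07:38 DEBUG [16891] Trying to instantiate cobbler engine:
  {"url"=>"http://192.0.2.2:80/cobbler_api",
   "password"=>"not-a-real-secret-3",
LOG

# Header of a log entry; later lines up to the next header belong to it.
LOG_HEADER = /\A(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<level>[A-Z]+) \[(?<pid>\d+)\] (?<msg>.*)\z/

# A line that carries a credential, in either of the two serialisations seen
# in the report: YAML (":broker_password: value") and Ruby inspect
# ('"password"=>"value"').  The key list is an assumption for this example.
SECRET_LINE = /(password|passwd|secret|token|ssh_key|private_key)["']?\s*(=>|:)\s*\S/i

# Scan +text+ and return one {level:, line_no:, line:} hash per credential-
# bearing line.  Lines that precede the first header cannot be attributed to
# a level and are skipped.
def credential_hits(text)
  level = nil
  hits = []
  text.each_line.with_index(1) do |line, n|
    if (m = LOG_HEADER.match(line.chomp))
      level = m[:level]
      next
    end
    next unless level && SECRET_LINE.match?(line)
    hits << { level: level, line_no: n, line: line.chomp.strip }
  end
  hits
end

# Credential lines that were logged at any level other than DEBUG.  After this
# fix the expected result on a production log is an empty array.
def leaks_above_debug(text)
  credential_hits(text).reject { |h| h[:level] == 'DEBUG' }
end

if __FILE__ == $PROGRAM_NAME
  leaks_above_debug(SAMPLE_LOG).each do |h|
    puts "line #{h[:line_no]} logged at #{h[:level]}: #{h[:line]}"
  end
end
```

On a real master node the same check is `leaks_above_debug(File.read(path))` with path pointing at the Astute log (its location is deployment-specific and assumed here). Because the scanner attributes continuation lines to the preceding header, it also catches the multi-line YAML and inspect dumps that a plain `grep -i password` would report without a level.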

Changed in fuel:
status: Fix Committed → Fix Released