Glance logs password hashes in swift URLs

Bug #1348838 reported by Joel Friedly
Affects   Status        Importance  Assigned to     Milestone
Glance    Fix Released  Undecided   Nikhil Komawar
Icehouse  New           Undecided   Unassigned

Bug Description

Example:

2014-07-25 20:03:36.346 780 DEBUG glance.registry.api.v1.images [1c66afef-0bc9-4413-b63a-c81585c2a981 2eae458f42e64420af5e3a2cab07e03a 9bc19f6aabc944c382bf553cb8131b17 - - -] Updating image dfd7e14c-eb02-487e-8112-d1881ae031d9 with metadata: {u'status': u'active', 'locations': [u'swift+http://service%3Aimage:GyQLQqJbh3jzBfRvAs8nw8WDQ3xUtO7nw49t33R96WddHww0zJ2CSU7AtgFtf76J@proxy:8770/v2.0/glance-images/dfd7e14c-eb02-487e-8112-d1881ae031d9']} update /usr/lib/python2.7/dist-packages/glance/registry/api/v1/images.py:445

We've found that the following regex will catch all of the password hashes:

r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@"

Since it's a debug-level log message, we can avoid leaking sensitive data by turning off debug logging, but we often find ourselves needing the debug logs to diagnose issues. We'd like to fix this problem at the source by sanitizing out the password hashes.
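As an added example (not the reporter's code and not the fix Glance merged), a small Python log scrubber built on the report's regex: the optional user part is tightened to `[^:@/]*` so a URL without credentials is left alone and a match cannot run across `/` or `@` into a later URL on the same line. The sample log lines are constructed from the report's example.

```python
import re

# Based on the report's pattern r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@",
# with the user and secret parts bounded by [^@/] so that
#  - "swift+http://proxy:8770/v2.0/..." (no credentials) does not match, and
#  - two URLs on one line are each handled separately.
# Assumes credentials are percent-encoded, as in the report ("service%3Aimage").
SWIFT_CRED_RE = re.compile(
    r"(?P<scheme>swift(?:\+https?)?)://"
    r"(?P<user>[^:@/]*:)?"
    r"(?P<secret>[^@/]*)@"
)


def redact_swift_credentials(text, mask="***"):
    """Return text with the password in every swift[+http[s]] URL replaced by mask.

    The scheme and the tenant:user prefix are kept so the line stays useful
    for debugging; only the secret between the last ':' and '@' is removed.
    """
    def _sub(m):
        return "%s://%s%s@" % (m.group("scheme"), m.group("user") or "", mask)
    return SWIFT_CRED_RE.sub(_sub, text)


def find_leaked_lines(lines):
    """Return 1-based numbers of log lines that still carry swift credentials."""
    return [n for n, line in enumerate(lines, 1) if SWIFT_CRED_RE.search(line)]


# Constructed sample log lines, modelled on the report's example entry.
SAMPLE_LOG = [
    "2014-07-25 20:03:36.346 780 DEBUG glance.registry.api.v1.images "
    "Updating image dfd7e14c-eb02-487e-8112-d1881ae031d9 with metadata: "
    "{u'status': u'active', 'locations': [u'swift+http://service%3Aimage:"
    "GyQLQqJbh3jzBfRvAs8nw8WDQ3xUtO7nw49t33R96WddHww0zJ2CSU7AtgFtf76J"
    "@proxy:8770/v2.0/glance-images/dfd7e14c-eb02-487e-8112-d1881ae031d9']}",
    "2014-07-25 20:03:37.001 780 DEBUG glance.store location: "
    "swift+http://proxy:8770/v2.0/glance-images/abc (no credentials)",
]

if __name__ == "__main__":
    print("leaking lines:", find_leaked_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_swift_credentials(line))
```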

Revision history for this message
Hemanth Makkapati (hemanth-makkapati) wrote :
Revision history for this message
Nikhil Komawar (nikhil-komawar) wrote :

Thanks Hemanth!

My understanding is that this is a result of the changes made to the image location status and usage of the image dictionary in different places in the Glance code. There should be a small and quick fix for this.

https://review.openstack.org/#/c/67115/

Changed in glance:
status: New → Confirmed
Changed in glance:
assignee: nobody → Hemanth Makkapati (hemanth-makkapati)
Revision history for this message
Nikhil Komawar (nikhil-komawar) wrote :
Revision history for this message
Zhi Yan Liu (lzy-dev) wrote :

@nikhil, I think that code logic you mentioned is correct, in v1 glance-api may give a single image location by 'location' key. And, btw, change location-status (change #67115) didn't touch this logic.

Changed in glance:
assignee: Hemanth Makkapati (hemanth-makkapati) → nobody
Changed in glance:
assignee: nobody → nikhil komawar (nikhil-komawar)
Revision history for this message
Nikhil Komawar (nikhil-komawar) wrote :

I correct myself, Zhi is right about the logic not being changed in MP #67115.

Fix coming up soon.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/110729

Changed in glance:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/110729
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=28fdfdbaca81adcc94d5e6d57c55f7c985d6c512
Submitter: Jenkins
Branch: master

commit 28fdfdbaca81adcc94d5e6d57c55f7c985d6c512
Author: Nikhil Komawar <email address hidden>
Date: Wed Jul 30 13:34:32 2014 -0400

    Do not log password in swift URLs in g-registry

    There was a debug level log with the locations added to it.
    This change fixes the log to not contain that sensitive info.

    Fixes bug 1348838

    Change-Id: I3c5b29616c8d76bed17dbd31a8f4fc7ccd2dd945

Changed in glance:
status: In Progress → Fix Committed
tags: added: icehouse-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112442

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112443

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (stable/icehouse)

Change abandoned by nikhil komawar (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/112442

Thierry Carrez (ttx)
Changed in glance:
milestone: none → juno-3
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Ihar Hrachyshka (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/112443
Reason: Incorrect Change-Id.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/icehouse)

Reviewed: https://review.openstack.org/112442
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=81ea399c7ac3ebfa70d607a3f374fac4e9819a8d
Submitter: Jenkins
Branch: stable/icehouse

commit 81ea399c7ac3ebfa70d607a3f374fac4e9819a8d
Author: Nikhil Komawar <email address hidden>
Date: Wed Jul 30 13:34:32 2014 -0400

    Do not log password in swift URLs in g-registry

    There was a debug level log with the locations added to it.
    This change fixes the log to not contain that sensitive info.

    Fixes bug 1348838

    Conflicts:
     glance/registry/api/v1/images.py

    Needed changes for Icehouse:
    - use fixture.iteritems() instead of six.iteritems(fixture) in unit
      tests.

    Change-Id: I3c5b29616c8d76bed17dbd31a8f4fc7ccd2dd945
    (cherry picked from commit 28fdfdbaca81adcc94d5e6d57c55f7c985d6c512)

tags: added: in-stable-icehouse
Thierry Carrez (ttx)
Changed in glance:
milestone: juno-3 → 2014.2