auth_encryption_key option should be secret

Bug #1446408 reported by Eric Brown
This bug affects 1 person
Affects                      Status        Importance  Assigned to  Milestone
OpenStack Heat               Fix Released  High        Eric Brown
Kilo                         Fix Released  Medium      Eric Brown
OpenStack Security Advisory  Invalid       Undecided   Unassigned

Bug Description

The auth_encryption_key is a shared secret option used for encryption and decryption within Heat. Passwords, key values, and other secrets in heat.conf should be marked secret so that the data isn't exposed in the logs.

Steps to Recreate:
- Set a super-secret value for auth_encryption_key in heat.conf
- Set debug = True in heat.conf
- Restart the heat services
- grep the logs in /var/log/heat/* for the auth_encryption_key value
- Notice that the secret does appear in a world-readable log location.

root@controller01:/home/viouser# grep auth_encryption_key /var/log/heat/*
/var/log/heat/heat-api-cfn.log:2015-04-20 20:52:28.239 22423 DEBUG heat-api-cfn [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:18.362 22392 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:21.667 22404 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api.log:2015-04-20 20:52:15.890 22380 DEBUG heat-api [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-engine.log:2015-04-20 20:52:11.638 22366 DEBUG heat.openstack.common.service [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
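
As an added check (not part of the original report), the following script audits Heat log lines of the shape shown above and flags every line where a sensitive option was logged in the clear; once an option is declared with secret=True, oslo.config's log_opt_values prints its value as "****", which the script treats as clean. The sample lines are constructed from the grep output above, and stack_domain_admin_password is assumed as a second credential option worth watching.

```python
import re
import sys
from typing import Dict, Iterable, List

# Options whose values oslo.config must only ever log masked. An option
# declared with secret=True is printed by log_opt_values as "****";
# auth_encryption_key is the one from this bug, stack_domain_admin_password
# is another Heat credential option (assumed; extend for your deployment).
SENSITIVE_OPTS = {"auth_encryption_key", "stack_domain_admin_password"}

# Shape of the "<option> = <value> log_opt_values <cfg.py:line>" lines that
# oslo.config emits at DEBUG on service start, as seen in the grep output
# above. The leading "<file>:" is optional so both grep output and raw
# log files can be fed in.
_OPT_LINE = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) "
    r"(?P<level>[A-Z]+) \S+ \[[^\]]*\] "
    r"(?P<opt>\w+)\s*=\s*(?P<value>.*?) log_opt_values \S+$"
)


def find_unmasked_secrets(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per log line that prints a sensitive option in the clear."""
    findings = []
    for raw in lines:
        m = _OPT_LINE.match(raw.rstrip("\n"))
        if not m or m.group("opt") not in SENSITIVE_OPTS:
            continue
        value = m.group("value")
        if value and set(value) == {"*"}:      # "****": secret=True did its job
            continue
        findings.append({
            "file": m.group("file") or "<stdin>",
            "timestamp": m.group("ts"),
            "level": m.group("level"),
            "option": m.group("opt"),
        })
    return findings


# Constructed sample: the first two lines are from the report above, the
# third is what the same line looks like after the fix, the rest are noise.
SAMPLE_LOG = [
    "/var/log/heat/heat-api-cfn.log:2015-04-20 20:52:28.239 22423 DEBUG heat-api-cfn [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994",
    "/var/log/heat/heat-engine.log:2015-04-20 20:52:11.638 22366 DEBUG heat.openstack.common.service [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994",
    "/var/log/heat/heat-engine.log:2015-04-21 09:00:00.000 23001 DEBUG heat.openstack.common.service [-] auth_encryption_key = **** log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994",
    "/var/log/heat/heat-engine.log:2015-04-20 20:52:11.640 22366 DEBUG heat.openstack.common.service [-] debug = True log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994",
    "/var/log/heat/heat-engine.log:2015-04-20 20:52:12.001 22366 INFO heat.engine.service [-] Starting heat-engine",
]

if __name__ == "__main__":
    # Read real logs from a pipe (e.g. cat /var/log/heat/* | python audit.py),
    # otherwise fall back to the constructed sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for f in find_unmasked_secrets(lines):
        print("UNMASKED %(option)s in %(file)s at %(timestamp)s (%(level)s)" % f)
```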

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Angus Salkeld (asalkeld)
Changed in heat:
status: New → Triaged
importance: Undecided → High
tags: added: kilo-rc-potential
Changed in heat:
assignee: nobody → Angus Salkeld (asalkeld)
milestone: none → liberty-1
Angus Salkeld (asalkeld) wrote :

The attached patch simply adds the secret keyword to the config option so it is not logged.

Eric Brown (ericwb) wrote :

I already had put a patch out there (although, I jumped the gun).

https://review.openstack.org/#/c/175600/

Angus Salkeld (asalkeld)
Changed in heat:
assignee: Angus Salkeld (asalkeld) → nobody
assignee: nobody → Eric Brown (ericwb)
status: Triaged → In Progress
Steven Hardy (shardy) wrote :

Fix looks good to me, although I see Eric's patch has now merged anyway.

Jeremy Stanley (fungi) wrote :

Now that there's a change proposed in public referring to this bug and breaking the embargo, I'm switching the bug to public security.

information type: Private Security → Public
description: updated
Jeremy Stanley (fungi) wrote :

What branches does this impact? If it's actually an exploitable vulnerability we're going to want backports proposed to all supported stable branches before we can issue a security advisory.

Changed in heat:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/175937

Steven Hardy (shardy) wrote :

> What branches does this impact?

This probably affects all stable branches, as auth_encryption_key exists in all of them - it's not quite clear to me if the logging of every config option occurs with the pinned version of oslo.config on all the stable branches though.

To clarify the exploitable aspect, I'd classify this as pretty low risk, as it requires all of the following:

- Heat has debug logging enabled
- Attacker can access the heat engine logs
- Attacker has direct access to the DB used by heat

If they have all of this, they're probably an operator, in which case they have access to the heat.conf anyway.

Worth fixing nonetheless, so proposing fixes to the stable branches is a good idea.

Tristan Cacqueray (tristan-cacqueray) wrote :

If it only leaks in DEBUG log, then this does not warrant an OSSA.

Zane Bitter (zaneb) wrote :

It looks to me like it's only output in the DEBUG logs from oslo.config itself - which is kind of what you'd expect.

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/kilo)

Reviewed: https://review.openstack.org/175937
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=1f977aa5fa28ed1e351f337191291198384abe02
Submitter: Jenkins
Branch: stable/kilo

commit 1f977aa5fa28ed1e351f337191291198384abe02
Author: Eric Brown <email address hidden>
Date: Mon Apr 20 15:44:37 2015 -0700

    Set auth_encryption_key option to be secret

    To avoid exposure in the logs, auth_encryption_key from heat.conf
    should be marked secret.

    Change-Id: Ia4aca067f03317dd8073988cd29d26c2ccc88778
    Closes-Bug: #1446408
    (cherry picked from commit 369789f69c34a6cbc4e4169f23c5cd5a958ef008)

Thierry Carrez (ttx)
tags: removed: kilo-rc-potential
Jeremy Stanley (fungi) wrote :

Since we're not presently considering sensitive information in debug-level logging sufficient exposure to warrant a security advisory, I'm setting the OSSA task to invalid on this report.

Changed in ossa:
status: Incomplete → Invalid
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/179291

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/179291
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=5d725ecd09a35e3d5fb042956c4ecebb309c0a41
Submitter: Jenkins
Branch: master

commit b5c32027e5f207cca51796ee2aba346413ad48da
Author: Steven Hardy <email address hidden>
Date: Thu Apr 23 14:14:26 2015 +1000

    Fix ResourceGroup validate when there are removal_policies

    We can't call child_template() from a validate in ResourceGroup
    as it accesses nested(). So move the validation to validate_nested_stack()
    so we can control the test template used for validation.

    Unfortunately coverage for this got removed during recent test rework
    and it looks like the interface has got broken.

    Co-Authored-by: Angus Salkeld <email address hidden>
    Change-Id: Ibea738a343847736b041cc49a2c486fa71e562d9
    Closes-Bug: #1446861

commit c958ecb5b4b4fc5a0236b70c21d7d62864cd162b
Author: Ethan Lynn <email address hidden>
Date: Wed Apr 22 13:46:11 2015 +0800

    Fix unicodeerror when heat-engine start

    If the local language is changed to another language (like ja),
    heat-engine will fail to start.

    Closes-Bug: #1446958
    Change-Id: Ia3cbcebb86257bc1c52ea758c1583191e5a52a2d
    (cherry picked from commit 0b3dd7be3d3cd9842616a16843d03e6c13cdcb08)

commit 94c4ae56e0fece995659d718ed1ab6e56b2deb9f
Author: Ethan Lynn <email address hidden>
Date: Tue Apr 21 17:09:42 2015 +0800

    Add v6-fixed-ip support for nova server

    Currently nova server fixed-ip only supports IPv4 addresses;
    this patch adds IPv6 fixed-ip support for nova server.

    Closes-Bug: #1446532
    Change-Id: I647abeedd36352f053a043d00ab87a84ee2470f3
    (cherry picked from commit 3e1a6f3b826bbc2a638ed7ea239221d13678024c)

commit d07f91615a159663261091e672ce62f90e6ad607
Author: Angus Salkeld <email address hidden>
Date: Tue Apr 7 09:25:50 2015 +1000

    Persist parent_resource_name and make sure it's available

    We are persisting for a number of reasons:
    - so we don't have to pass this through every rpc call
    - the API exposes parent_resource (currently always None as
      it is not persisted)

    Closes-bug: #1438978
    Change-Id: Id2db36c0234a085ec4f0ce2ab114ec483ea29d81
    (cherry picked from commit edf86aeac2f7b68243b0eccc3c49fa1a579e664b)

commit f944c86d4c26877f4d8dab56790815af8e83ba45
Author: Michal Rostecki <email address hidden>
Date: Wed Mar 25 06:47:33 2015 +0100

    Novaclient v2 instead of v1_1

    Nova API v1.1 is now deprecated and causes warnings.

    Change-Id: Ib4b57a308b7637f4015a07b4e888ccd6347cb947
    Closes-Bug: #1437158
    (cherry picked from commit d9d68cf52bd7027e7d1cafd023a399c2a342b2c5)

commit 370f3c98c5eccf8bce1be425acc31af5e7224171
Author: Zane Bitter <email address hidden>
Date: Thu Apr 16 17:20:05 2015 -0400

    Don't re-bind environment for get_file during stack update

    While we're in the process of updating a stack, we set the stack's
    environment to the new, updated values. However, we don't want to change
    existing resources' idea of their own values until we have explicitly done
    an update of them to bring them into line with th...


Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: liberty-1 → 5.0.0