OpenStack Dashboard (Horizon)

Password logging

Reported by Gabriel Hurley on 2012-05-24
This bug affects 5 people
Affects                         Importance   Assigned to
Keystone                        High         Dolph Mathews
OpenStack Dashboard (Horizon)   High         Gabriel Hurley
python-keystoneclient           Medium       Wei Wang

Bug Description

When the log level is set to DEBUG, keystoneclient's full-request logging mechanism kicks in, exposing plaintext passwords, etc.

This bug is mostly out of the scope of Horizon, however Horizon can also be more secure in this regard. We should make sure that wherever we *are* handling sensitive data we use Django's error report filtering mechanisms so they don't appear in tracebacks, etc. (https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports)

Keystone may also want to look at respecting such annotations in their logging mechanism, i.e. if Django were properly annotating these data objects, keystoneclient could check for those annotations and properly sanitize the log output.

If not this exact mechanism, then something similar would be wise.

For the time being, it's also worth documenting in both projects that a log level of DEBUG will log passwords in plain text.

description: updated
Joseph Heck (heckj) on 2012-05-24
Changed in keystone:
status: New → Confirmed
importance: Undecided → High

Fix proposed to branch: master
Review: https://review.openstack.org/7773

Changed in horizon:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/7773
Committed: http://github.com/openstack/horizon/commit/f986a631a25c8fa547d07d2fae4bd2b4ac1c2b9a
Submitter: Jenkins
Branch: master

commit f986a631a25c8fa547d07d2fae4bd2b4ac1c2b9a
Author: Gabriel Hurley <email address hidden>
Date: Thu May 24 15:25:35 2012 -0700

    Make sure Horizon is treating passwords securely.

    * Applies the sensitive_post_parameters and sensitive_variables
      decorators to functions that handle sensitive data.
    * Defines a custom Exception Filter class to provide some added
      security.
    * Adds notes on logging to the docs.

    Fixes bug 1004114 for Horizon.

    Change-Id: I13ac91d91e0ed2322cc61633b02455cfed39fdcd

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-07-04
Changed in horizon:
status: Fix Committed → Fix Released

Fix proposed to branch: master
Review: https://review.openstack.org/9935

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/9935
Committed: http://github.com/openstack/keystone/commit/0abf6ba254638471a367cfccef65a1b9e0a70ef2
Submitter: Jenkins
Branch: master

commit 0abf6ba254638471a367cfccef65a1b9e0a70ef2
Author: Dolph Mathews <email address hidden>
Date: Tue Jul 17 16:23:49 2012 -0500

    Debug output may include passwords (bug 1004114)

    Change-Id: If0a7704ff578162d6b7fa8b68c0e0ed37e72cb73

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-08-16
Changed in keystone:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in horizon:
milestone: folsom-2 → 2012.2
Thierry Carrez (ttx) on 2012-09-27
Changed in keystone:
milestone: folsom-3 → 2012.2
Dolph Mathews (dolph) on 2013-05-29
Changed in python-keystoneclient:
status: New → Triaged
importance: Undecided → Medium
Thierry Carrez (ttx) on 2013-05-30
tags: added: security
Numero 8 (numero-8) on 2013-06-09
Changed in python-keystoneclient:
assignee: nobody → Numero 8 (numero-8)
Numero 8 (numero-8) wrote :

I'm working on it...
Review in progress.

Numero 8 (numero-8) wrote :

Still working on it. See https://review.openstack.org/#/c/32343 .

Fix proposed to branch: master
Review: https://review.openstack.org/33532

Changed in python-keystoneclient:
status: Triaged → In Progress
Numero 8 (numero-8) wrote :

Waiting for feedback following the last code review. See https://review.openstack.org/#/c/33532/

Numero 8 (numero-8) wrote :

Could anyone propose a review of patch set #3 for this bug?

See here: https://review.openstack.org/#/c/33532/

Thank you.

Matthew Thode (prometheanfire) wrote :

Anyone able to review this patchset? https://review.openstack.org/#/c/33532/

Changed in python-keystoneclient:
assignee: Numero 8 (numero-8) → Adam Young (ayoung)
Changed in python-keystoneclient:
assignee: Adam Young (ayoung) → Numero 8 (numero-8)

Fix proposed to branch: master
Review: https://review.openstack.org/42467

Numero 8 (numero-8) on 2013-10-10
Changed in python-keystoneclient:
assignee: Numero 8 (numero-8) → nobody
Changed in python-keystoneclient:
assignee: nobody → Sergio Cazzolato (sergio-j-cazzolato)
Changed in python-keystoneclient:
assignee: Sergio Cazzolato (sergio-j-cazzolato) → nobody
Wei Wang (damon-devops) wrote :

Numero 8's patch almost resolves this bug; maybe I can continue it.

Changed in python-keystoneclient:
assignee: nobody → Wei Wang (damon-devops)
gordon chung (chungg) wrote :

Might make sense to just pull/copy the mask_password code from oslo-incubator log.py to mask passwords... worked for me.
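The description above reports that keystoneclient's DEBUG request logging writes the auth body, password included, and this comment suggests masking at the logging layer. The following is an added illustration of that approach and is not the oslo-incubator mask_password code nor the keystoneclient patch: a logging filter that redacts password/token values from a constructed keystone v2 auth request before any handler sees it, handling a bare JSON body, a rendered request line containing JSON, and a form-encoded body. The key list, logger name and sample messages are constructed for the example.

```python
import io
import json
import logging
import re

MASK = "***"
SENSITIVE_KEYS = {"password", "token", "secret"}  # constructed list for this example

# Fallback for log text that is not one JSON document, e.g. a curl line or a
# form-encoded body carrying password=... or "password": "..." fragments.
_TEXT_PATTERN = re.compile(
    r'(?P<key>"?(?:password|token|secret)"?\s*[:=]\s*)(?P<q>["\']?)[^"\',&\s}]+(?P=q)',
    re.IGNORECASE)

def _mask_obj(obj):
    """Recursively replace the values of sensitive keys in a decoded JSON structure."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else _mask_obj(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_mask_obj(v) for v in obj]
    return obj

def mask_password(message):
    """Return the message with password/token/secret values replaced by MASK."""
    try:
        return json.dumps(_mask_obj(json.loads(message)), sort_keys=True)
    except ValueError:  # not a JSON document: fall back to pattern masking
        return _TEXT_PATTERN.sub(r"\g<key>\g<q>" + MASK + r"\g<q>", message)

class PasswordMaskingFilter(logging.Filter):
    """Masks secrets in the fully rendered message before any handler formats it."""
    def filter(self, record):
        record.msg, record.args = mask_password(record.getMessage()), ()
        return True

def demo():
    """Log a constructed keystone v2 auth request at DEBUG; return the emitted lines."""
    logger = logging.Logger("keystoneclient.example", logging.DEBUG)  # unregistered, fresh per call
    buf = io.StringIO()
    logger.addHandler(logging.StreamHandler(buf))
    logger.addFilter(PasswordMaskingFilter())
    body = '{"auth": {"passwordCredentials": {"username": "admin", "password": "s3cret"}}}'
    logger.debug("REQ: curl -i -X POST -d '%s'", body)  # rendered text, masked by the pattern
    logger.debug(body)                                   # bare JSON body, masked structurally
    logger.debug("password=s3cret&username=admin")       # form-encoded body
    return buf.getvalue().splitlines()
```

Masking in a filter rather than in each caller means every DEBUG line passes through the same redaction, which is the property the description asks for.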

Wei Wang (damon-devops) wrote :

Same as @Dolph's commit here: https://review.openstack.org/#/c/42467/2//COMMIT_MSG

The need for a patch should be reconsidered.
