[no-OSSN-yet] Python-keystoneclient: session fails to sanitize response body of passwords (no-CVE-yet)

Bug #1506690 reported by Adam Heczko
Affects               Status         Importance   Assigned to      Milestone
Mirantis OpenStack    Confirmed      High         Denis Puchkin
7.0.x                 Fix Released   High         Alexey Khivin
8.0.x                 Fix Released   High         Denis Puchkin
9.x                   Fix Released   High         MOS Keystone

Bug Description

Problem description:

keystoneclient.session is logging the response body without sanitizing it first.

Proposed upstream patch:
https://bugs.launchpad.net/python-keystoneclient/+bug/1490693

tags: added: 70mu1-confirmed
Alexey Khivin (akhivin)
tags: added: keystone
Revision history for this message
Alexander Makarov (amakarov) wrote :

Upstream fix merged: https://review.openstack.org/#/c/219004/
Will be in 8.0 after the merge of stable/liberty

tags: removed: 70mu1-confirmed
Adam Heczko (aheczko-mirantis) wrote :

Steps to reproduce:
In python-openstackclient increase log level to debug:

log_level: debug

Observe logs for logged information.

Timur Nurlygayanov (tnurlygayanov) wrote :

Verified on my QA lab with MOS 7.0 MU1.

Steps To Verify:
1. Login to OpenStack controller.
2. Run command 'openstack --debug user list'

Observed Result:
user passwords are not presented in RESPONSE BODY:

INFO: openstackclient.common.clientmanager Using auth plugin: osc_password
DEBUG: openstackclient.common.clientmanager Get auth_ref
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.0.2:5000/v2.0/ -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
INFO: urllib3.connectionpool Starting new HTTP connection (1): 192.168.0.2
DEBUG: urllib3.connectionpool "GET /v2.0/ HTTP/1.1" 200 340
DEBUG: keystoneclient.session RESP: [200] content-length: 340 vary: X-Auth-Token server: Apache connection: close date: Wed, 11 Nov 2015 13:25:29 GMT content-type: application/json x-openstack-request-id: req-0bfca27e-c820-4add-ab70-2772b67e4dfd
RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://172.18.161.182:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

DEBUG: keystoneclient.auth.identity.v2 Making authentication request to http://172.18.161.182:5000/v2.0/tokens
INFO: urllib3.connectionpool Starting new HTTP connection (1): 172.18.161.182
DEBUG: urllib3.connectionpool "POST /v2.0/tokens HTTP/1.1" 200 4404
DEBUG: openstackclient.identity.v2_0.user.ListUser take_action(Namespace(columns=[], formatter='table', long=False, max_width=0, project=None, quote_mode='nonnumeric'))
DEBUG: openstackclient.identity.client Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'>
DEBUG: keystoneclient.auth.identity.v2 Making authentication request to http://172.18.161.182:5000/v2.0/tokens
INFO: urllib3.connectionpool Resetting dropped connection: 172.18.161.182
DEBUG: urllib3.connectionpool "POST /v2.0/tokens HTTP/1.1" 200 4404
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.0.2:35357/ -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
INFO: urllib3.connectionpool Starting new HTTP connection (1): 192.168.0.2
DEBUG: urllib3.connectionpool "GET / HTTP/1.1" 300 593
DEBUG: keystoneclient.session RESP: [300] content-length: 593 vary: X-Auth-Token server: Apache connection: close date: Wed, 11 Nov 2015 13:25:30 GMT content-type: application/json
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.0.2:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.0.2:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.0.2:35357/v2.0/users -H "User-Age...


Alexander Makarov (amakarov) wrote :
Alexander Petrov (apetrov-n) wrote :

Verified on MOS 8.0 build 529

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "529"
  build_id: "529"

Alexander Petrov (apetrov-n) wrote :

I have rechecked the issue and found that the bug has not been fixed.
Tested on MOS 8.0 build 529.

Steps to reproduce:
1. Login to OpenStack controller.
2. Run command 'openstack --debug token issue'

Expected result:
output must contain (some data has been skipped)
password='***'
token='***'
client_secret='***'

Actual result:
root@node-1:~# openstack --debug token issue
START with options: ['--debug', 'token', 'issue']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://192.168.0.2:5000/', cacert='', client_id='', client_secret='', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_data_processing_api_version='1.1', os_identity_api_version='', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_queues_api_version='1.1', os_volume_api_version='', password='admin', project_domain_id='', project_domain_name='', project_id='', project_name='admin', protocol='', region_name='RegionOne', scope='', service_provider_endpoint='', timeout=600, timing=False, token='', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='admin', verbose_level=3, verify=None)
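A log sanitizer of the kind this bug calls for, written here as an added example rather than the keystoneclient or openstackclient fix itself: it masks the three keys the verification comments expect to see as '***' (password, token, client_secret), both inside JSON request/response bodies and inside the Namespace(...) and dict repr lines quoted above. The function names and the constructed sample line are my own.

```python
import json
import re

# Keys that must never reach a debug log in clear text. The verification
# comments on this bug expect exactly these to be printed as '***'.
SENSITIVE_KEYS = frozenset({"password", "token", "client_secret"})
MASK = "***"


def _redact(obj):
    """Recursively mask sensitive keys in a decoded JSON structure.

    A sensitive key is masked whole, so a nested "token" object in a
    v2 token response is replaced by '***' rather than partially logged.
    """
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else _redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact(item) for item in obj]
    return obj


def redact_body(body):
    """Mask secrets in a JSON body before it is written to a debug log.

    Nested payloads such as {"auth": {"passwordCredentials": {"password":
    ...}}} are covered; a body that is not JSON is returned unchanged.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return body
    return json.dumps(_redact(data))


# Matches key='value', key="value" and 'key': 'value' fragments as they
# appear in the "options: Namespace(...)" and "cloud cfg: {...}" debug lines.
_KV_RE = re.compile(
    r"(['\"]?)\b(" + "|".join(sorted(SENSITIVE_KEYS))
    + r")\b\1(=|:\s*)(['\"])(.*?)\4")


def _mask_match(m):
    quote, key, sep, vquote = m.group(1), m.group(2), m.group(3), m.group(4)
    return "%s%s%s%s%s%s%s" % (quote, key, quote, sep, vquote, MASK, vquote)


def redact_repr(line):
    """Mask secrets inside a logged Namespace(...) or dict repr line."""
    return _KV_RE.sub(_mask_match, line)
```

Running `redact_repr` over the leaked "options:" line above yields `password='***'` and `token='***'` while leaving unrelated keys such as `auth_type='password'` and `access_token_endpoint=''` untouched.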

Roman Podoliaka (rpodolyaka) wrote :

Upstream bug is not marked as a security issue. It was fixed in keystoneclient - looks like openstackclient is still affected.

I suggest we move this to MU1, as this does not sound critical.

tags: added: area-keystone
removed: keystone
tags: added: move-to-mu
Alexander Petrov (apetrov-n) wrote :

ENV: MOS 9.0 build 106

The bug is NOT reproduced.

client_secret='***'
token='***'
'password': '***'

root@node-1:~# openstack --debug token issue
START with options: ['--debug', 'token', 'issue']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://192.168.0.2:5000/', cacert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='Default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_clustering_api_version='1', os_compute_api_version='', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='1.1', os_volume_api_version='', os_workflow_api_version='2', password='***', profile=None, project_domain_id='', project_domain_name='', project_id='', project_name='admin', protocol='', region_name='RegionOne', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='admin', verbose_level=3, verify=None)
defaults: {u'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, u'network_api_version': u'2', u'image_format': u'qcow2', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', 'data_processing_api_version': '1.1', u'network_api_version': u'2', u'image_format': u'qcow2', u'image_api_version': u'2', 'clustering_api_version': '1', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'verbose_level': 3, 'region_name': 'RegionOne', 'api_timeout': None, u'baremetal_api_version': u'1', 'queues_api_version': '1.1', 'auth': {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'http://192.168.0.2:5000/'}, 'default_domain': 'Default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': u'2.0', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': None, u'disable_vendor_agent': {}}

Denis Puchkin (dpuchkin) wrote :
information type: Private Security → Public Security