Execution plan logging may reveal sensitive information

Bug #1706059 reported by Gerry Buteau on 2017-07-24

Bug Description

Execution plans are logged when received in the murano-agent if debug is enabled. Plans may contain sensitive information (passwords, security tokens, etc.). They should be sanitized before being logged.

Since murano-agent uses oslo_logging, we should use the built-in utility, oslo_utils/strutils, to mask any potentially sensitive information before writing plans to the log.

Changed in murano:
assignee: nobody → Gerry Buteau (gerry.buteau)

Fix proposed to branch: master
Review: https://review.openstack.org/486641

Changed in murano:
status: New → In Progress

Reviewed: https://review.openstack.org/486641
Committed: https://git.openstack.org/cgit/openstack/murano-agent/commit/?id=7473dc7306d436b70b17ed512117c67ad65ca3ad
Submitter: Jenkins
Branch: master

commit 7473dc7306d436b70b17ed512117c67ad65ca3ad
Author: Gerry Buteau <email address hidden>
Date: Mon Jul 24 10:25:23 2017 -0400

    Mask sensitive information before logging execution plan.

    Use oslo_utils.strutils to mask any potentially sensitive
    information in the execution plan before writing to the log.

    Change-Id: I9008dcd68da4ba14bbf1360a672e1a91ae0a8e91
    Closes-Bug: #1706059

Changed in murano:
status: In Progress → Fix Released

This issue was fixed in the openstack/murano-agent 3.3.0 release.
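
The pattern behind this fix, as an added example that is not murano-agent code: mask a copy of the plan, then log the copy. The commit above uses oslo_utils.strutils for the masking; this stand-in uses only the standard library, and its key-fragment list, function names and sample plan fields are assumptions made for illustration.

```python
import io
import json
import logging
import re

MASK = "***"
# Assumed key fragments that mark a value as secret (illustrative, not oslo's list).
SENSITIVE = ("password", "passwd", "token", "secret")
# Catches secrets embedded in free text, e.g. "--password=value".
_INLINE = re.compile(r"(\w*(?:%s)\w*\s*[=:]\s*)\S+" % "|".join(SENSITIVE), re.I)

def mask_plan(value, key=""):
    """Return a masked copy of a plan; the caller's object is left untouched."""
    if any(s in str(key).lower() for s in SENSITIVE):
        return MASK  # fail closed: mask the whole value, whatever its type
    if isinstance(value, dict):
        return {k: mask_plan(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_plan(v) for v in value]
    if isinstance(value, str):
        return _INLINE.sub(lambda m: m.group(1) + MASK, value)
    return value

def log_plan(logger, plan):
    """Log a plan at DEBUG level, masked; skip the work when DEBUG is off."""
    if logger.isEnabledFor(logging.DEBUG):
        logger.debug("Received plan: %s", json.dumps(mask_plan(plan), sort_keys=True))

# Constructed sample; field names are hypothetical, not murano-agent's plan schema.
SAMPLE_PLAN = {"ID": "plan-0001", "Parameters": {
    "dbUser": "app", "dbPassword": "s3cr3t-db",
    "auth": {"X-Auth-Token": "tok-abc123"},
    "commands": ["mysql --password=s3cr3t-db -u app", "echo done"]}}

def demo():
    """Log SAMPLE_PLAN through a DEBUG logger and return the captured text."""
    buf = io.StringIO()
    logger = logging.getLogger("plan-demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    try:
        log_plan(logger, SAMPLE_PLAN)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()

if __name__ == "__main__":
    print(demo())
```

Key-name matching alone misses secrets carried inside string values such as command lines, which is why the string branch applies a second, pattern-based pass.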
