Keystone admin password leaked via logs

Bug #1634937 reported by Paul Bourke
Affects: networking-arista
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Within networking_arista/ml2/arista_ml2.py, the register_with_eos() method takes care to redact the keystone password by maintaining a copy of "cmds" in "log_cmds" (https://github.com/openstack/networking-arista/blob/master/networking_arista/ml2/arista_ml2.py#L1599)

cmds and log_cmds are then passed through _run_openstack_cmds() -> _run_eos_cmds() -> _send_eapi_req(). However, _send_eapi_req() does not have an argument for log_cmds, and ends up logging the password on line 1118 (https://github.com/openstack/networking-arista/blob/master/networking_arista/ml2/arista_ml2.py#L1118)
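The defect described above, reduced to a constructed example (not networking-arista's own code): a redacted copy of the commands exists, but the lowest layer that writes the log line is never handed it. The command syntax and the `******` mask are assumptions; the fixed function mirrors the `commands_to_log` parameter the merged change introduces.

```python
import logging
import re

# Constructed example (not networking-arista's code) of the defect in this
# report: log_cmds is built, but the function that logs only sees cmds.
LOG = logging.getLogger(__name__)
# Assumed command shape; the real EOS command syntax is not reproduced here.
PASSWORD_RE = re.compile(r"^(keystone password )\S+$")


def build_commands(user, password):
    """Return (cmds, log_cmds): the real commands and a redacted copy."""
    cmds = ["keystone user %s" % user, "keystone password %s" % password]
    log_cmds = [PASSWORD_RE.sub(r"\1******", c) for c in cmds]
    return cmds, log_cmds


def send_eapi_req_vulnerable(cmds):
    """Before the fix: logs the same list it sends, so the secret leaks."""
    msg = "Sending EOS command: %s" % cmds
    LOG.debug(msg)
    return msg


def send_eapi_req_fixed(cmds, commands_to_log):
    """After the fix: the redacted copy is what reaches the log line."""
    msg = "Sending EOS command: %s" % commands_to_log
    LOG.debug(msg)
    return msg


def run_eos_cmds(cmds, log_cmds, fixed=True):
    """Stand-in for _run_openstack_cmds() -> _run_eos_cmds() -> _send_eapi_req()."""
    if fixed:
        return send_eapi_req_fixed(cmds, commands_to_log=log_cmds)
    # Vulnerable path: log_cmds is silently dropped at the last hop.
    return send_eapi_req_vulnerable(cmds)


def leaks_secret(secret, logged_message):
    """Regression check: the secret must never appear in the logged text."""
    return secret in logged_message


if __name__ == "__main__":
    cmds, log_cmds = build_commands("arista", "s3cret")
    print(run_eos_cmds(cmds, log_cmds, fixed=False))  # secret appears
    print(run_eos_cmds(cmds, log_cmds, fixed=True))   # secret masked
```

A unit test asserting `leaks_secret()` is false for every log path is the cheap way to keep a future refactor from reintroducing the dropped argument.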

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-arista (master)

Reviewed: https://review.openstack.org/388747
Committed: https://git.openstack.org/cgit/openstack/networking-arista/commit/?id=9039b8a46b047b61ce672422bcfc13550399838f
Submitter: Jenkins
Branch: master

commit 9039b8a46b047b61ce672422bcfc13550399838f
Author: Paul Bourke <email address hidden>
Date: Wed Oct 19 16:00:18 2016 +0100

    Redact keystone password from logs in arista_ml2

    Within networking_arista/ml2/arista_ml2.py, the register_with_eos()
    method takes care to redact the keystone password by maintaining a copy
    of "cmds" in "log_cmds".

    cmds and log_cmds are then passed through _run_openstack_cmds() ->
    _run_eos_cmds() -> _send_eapi_req(). However, _send_eapi_req() does not
    have an argument for log_cmds, and ends up logging the password on line
    1118.

    Fix this by updating _send_eapi_req() to accept 'commands_to_log', and
    subbing those into the msg to be logged.

    Change-Id: I42a79f6e5f5352d982641ffc16215e1919355fda
    Closes-Bug: #1634937

Changed in networking-arista:
status: New → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-arista (master)

Fix proposed to branch: master
Review: https://review.openstack.org/388998

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/389106

OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-arista (master)

Change abandoned by Paul Bourke (pbourke) (<email address hidden>) on branch: master
Review: https://review.openstack.org/389106

OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-arista (master)

Reviewed: https://review.openstack.org/388998
Committed: https://git.openstack.org/cgit/openstack/networking-arista/commit/?id=22ab1faacb54d4f851322fb46df71325c6ddff90
Submitter: Jenkins
Branch: master

commit 22ab1faacb54d4f851322fb46df71325c6ddff90
Author: Mitchell Jameson <email address hidden>
Date: Wed Oct 19 21:55:19 2016 -0700

    Redact keystone password from logs in arista_ml2

    Within networking_arista/ml2/arista_ml2.py, the register_with_eos()
    method takes care to redact the keystone password by maintaining a copy
    of "cmds" in "log_cmds".

    cmds and log_cmds are then passed through _run_openstack_cmds() ->
    _run_eos_cmds() -> _send_eapi_req(). However, _send_eapi_req() does not
    have an argument for log_cmds, and ends up logging the password on line
    1118.

    Fix this by updating _send_eapi_req() to accept 'commands_to_log', and
    subbing those into the msg to be logged.

    Change-Id: I23f816857e421dcbeba6f3313e2e6613ce62db4e
    Closes-Bug: #1634937
    Co-Authored-By: Paul Bourke <email address hidden>
