OpenStack Compute (nova)

libvirt volume.py's _run_iscsiadm function logs iscsi node.session.auth.password if debug

Bug #1320028 reported by Brad Pokorny on 2014-05-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Undecided	Brad Pokorny	OpenStack Compute (nova) 2014.2 "juno"
	oslo-incubator	Fix Released	Medium	Brad Pokorny	oslo-incubator juno-2 "j2"

Bug Description

If debug logging is enabled, the _run_iscsiadm function in volume.py logs the iscsi node.session.auth.password in plain text.

2014-05-13 08:12:21.915 29013 DEBUG nova.virt.libvirt.volume [req-d21bb680-feb9-4242-9d18-057af79d26e8 0 3112d0d7268b458bb5c997c33cd8a8c0] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'password'): stdout= stderr= _run_iscsiadm /usr/lib/python2.7/site-packages/nova/virt/libvirt/volume.py:248

Tags:

Brad Pokorny (bpokorny) on 2014-05-15

Changed in nova:
assignee:	nobody → Brad Pokorny (bpokorny)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-16: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/93850

Changed in nova:
status:	New → In Progress

Brad Pokorny (bpokorny) on 2014-05-16

tags:

added: libvirt security

Revision history for this message

Brad Pokorny (bpokorny) wrote on 2014-05-18:

This requires changes to the oslo mask password code as well.

Changed in oslo:
assignee:	nobody → Brad Pokorny (bpokorny)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-18: Fix proposed to oslo-incubator (master)

Fix proposed to branch: master
Review: https://review.openstack.org/94109

Changed in oslo:
status:	New → In Progress

Ben Nemec (bnemec) on 2014-05-19

Changed in oslo:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-20: Fix merged to oslo-incubator (master)

Reviewed: https://review.openstack.org/94109
Committed: https://git.openstack.org/cgit/openstack/oslo-incubator/commit/?id=cdcc19c1d78a4a88daabfb64b27abd4924aa442d
Submitter: Jenkins
Branch: master

commit cdcc19c1d78a4a88daabfb64b27abd4924aa442d
Author: Brad Pokorny <email address hidden>
Date: Sun May 18 18:26:33 2014 +0000

Mask passwords that are included in commands

    The current password masking doesn't scrub passwords from commands
    that may be written to log files. This commit adds support for
    scrubbing passwords provided as options with commands.

Adds tests to ensure commands are properly sanitized.

Change-Id: I37b9a80142ec5dcadb731332d8c5f494bdc7bfc1
Closes-Bug: #1320028

Changed in oslo:
status:	In Progress → Fix Committed

Revision history for this message

Brad Pokorny (bpokorny) wrote on 2014-06-02:

Review submitted for a specific case that wasn't handled previously:
https://review.openstack.org/#/c/97305

Changed in oslo:
status:	Fix Committed → In Progress

Revision history for this message

Matt Riedemann (mriedem) wrote on 2014-06-25:

partial oslo sync https://review.openstack.org/#/c/102594/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-27:

Reviewed: https://review.openstack.org/97305
Committed: https://git.openstack.org/cgit/openstack/oslo-incubator/commit/?id=5e3d3a544f803c453cb86a7df04becd6a7b1a4c3
Submitter: Jenkins
Branch: master

commit 5e3d3a544f803c453cb86a7df04becd6a7b1a4c3
Author: Brad Pokorny <email address hidden>
Date: Mon Jun 2 18:06:37 2014 +0000

Mask passwords included without quotes at the ends of commands

    The current password masking doesn't scrub passwords from commands
    in the case where the password doesn't have quotes around it and
    the password is the last string in the command. This commit updates
    one of the regular expressions to catch this case.

Adds tests to ensure passwords at the ends of commands are properly
sanitized.

Change-Id: Id57a0cb05cd76ef8c26def738305ade6b085aaa7
Closes-Bug: #1320028

Changed in oslo:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-27: Fix merged to nova (master)

Reviewed: https://review.openstack.org/102594
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=eb7b63d79d28581a7dd23645488de323b99f8463
Submitter: Jenkins
Branch: master

commit eb7b63d79d28581a7dd23645488de323b99f8463
Author: Matt Riedemann <email address hidden>
Date: Wed Jun 25 09:20:25 2014 -0700

Sync log and processutils from oslo

This is mainly to pick up two changes in processutils:

85f1784 Move nova.utils.cpu_count() to processutils module
cdcc19c Mask passwords that are included in commands

    Commit cdcc19c touches the log module so when copying processutils over
    we also copy log, otherwise no other dependencies are copied. Going
    through the commit history on both and the diff from nova, there are no
    other commits sync'ed over that require changes to other dependent
    modules.

Commit 85f1784 is targeted so we can remove the redundant code from
nova.utils.

Changes:

    processutils
    ------------
    85f1784 Move nova.utils.cpu_count() to processutils module
    cdcc19c Mask passwords that are included in commands
    8a0f567 Remove str() from LOG.* and exceptions
    51778f9 Allow passing environment variables to execute()

    log
    ---
    109e325 Use oslo.messaging to publish log errors
    de4adbc pep8: fixed multiple violations
    eac71f5 Fix common.log.ContextFormatter for Python 3
    d78b633 Fixes a simple spelling mistake
    621d831 always log a traceback in the sys.excepthook
    90ae24b Remove redundant default=None for config options
    af36c2a Fix logging setup for Python 3.4
    cdcc19c Mask passwords that are included in commands

Partial-Bug: #1320028
Related-Bug: #1333370

Change-Id: I8d12661782e8ad065b01aa582e42c142cc2f4076

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-01: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/103974

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-02: Change abandoned on nova (master)

#10

Change abandoned by Brad Pokorny (<email address hidden>) on branch: master
Review: https://review.openstack.org/103974
Reason: Abandoning this one due to Sean's review.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-19: Fix merged to nova (master)

#11

Reviewed: https://review.openstack.org/93850
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=54458334136b284bb0c45373e7cacf5c1fa0ab99
Submitter: Jenkins
Branch: master

commit 54458334136b284bb0c45373e7cacf5c1fa0ab99
Author: Brad Pokorny <email address hidden>
Date: Fri May 16 03:59:36 2014 +0000

Mask node.session.auth.password in volume.py _run_iscsiadm debug logs

    The iscsi_command object passed to _run_iscsiadm can contain passwords
    that get logged at debug level, so we need to sanitize the message
    getting logged.

Adds a test to ensure the logged message is properly sanitized.

Closes-Bug: #1320028

Change-Id: I33f1a5b698368504721b41e56266162a713b3ce6

Changed in nova:
status:	In Progress → Fix Committed

Russell Bryant (russellb) on 2014-07-23

Changed in nova:
milestone:	none → juno-2
status:	Fix Committed → Fix Released

Russell Bryant (russellb) on 2014-07-23

Changed in oslo:
milestone:	none → juno-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-2 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.