OpenStack Compute (nova)

RFE: block_device_info dict should have a password key rather than clear password

Bug #1321785 reported by Matt Riedemann
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
Matt Riedemann
oslo.versionedobjects
Fix Released
Medium
Matt Riedemann
oslo.versionedobjects 1.1.0 "1.1.0"

Bug Description

See bug 1319943 and the related patch https://review.openstack.org/#/c/93787/ for details, but right now the block_device_info dict passed around in the nova virt driver can contain a clear text password for the auth_password key.

That bug and patch are masking the password when logged in the immediate known locations, but this could continue to crop up so we should change the design such that the block_device_info dict doesn't contain the password but rather a key to a store that nova can retrieve the password for use.

Comment from Daniel Berrange in the patch above:

"Long term I think we need to figure out a way to remove the passwords from any data dicts we pass around. Ideally the block device info would merely contain something like a UUID to identify a password, which Nova could use to fetch the actual password from a secure password manager service at time of use. Thus we wouldn't have to worry about random objects/dicts containing actual passwords. Obviously this isn't something we can do now, but could you file an RFE to address this from a design POV, because masking passwords at time of logging call is not really a viable long term strategy IMHO."

Davanum Srinivas (DIMS) (dims-v)
Changed in nova:
status: New → Confirmed
importance: Undecided → Wishlist
Revision history for this message
Matt Riedemann (mriedem) wrote :

Ideally we'd turn connection_info into a nova object and it would have a __repr__ method that would mask the values by default. Then we could use the ConnectionInfo object in the BlockDeviceMapping object and we wouldn't have to worry about this when things get logged.

tags: added: volumes
Revision history for this message
Matt Riedemann (mriedem) wrote :

Some discussion on this in the mailing list:

http://lists.openstack.org/pipermail/openstack-dev/2015-June/066471.html

Matt Riedemann (mriedem)
no longer affects: nova/icehouse
Matt Riedemann (mriedem)
Changed in oslo.versionedobjects:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Matt Riedemann (mriedem)
Revision history for this message
Matt Riedemann (mriedem) wrote :

oslo.versionedobjects change: https://review.openstack.org/#/c/233151/

Changed in oslo.versionedobjects:
status: Confirmed → In Progress
Revision history for this message
ChangBo Guo(gcb) (glongwave) wrote :

The fix for oslo.versionedobjects was merged.

Changed in oslo.versionedobjects:
status: In Progress → Fix Committed
Davanum Srinivas (DIMS) (dims-v)
Changed in oslo.versionedobjects:
milestone: none → 1.1.0
status: Fix Committed → Fix Released
Revision history for this message
Sean Dague (sdague) wrote :

I'm assuming we just pick this up from oslo.vo and there isn't a nova change?

Changed in nova:
status: Confirmed → Fix Released
Revision history for this message
Daniel Berrange (berrange) wrote :

The ovo change merely added a new SensitiveString field type. We still have to actually convert Nova to use that new field type where needed

Changed in nova:
status: Fix Released → Confirmed
Matt Riedemann (mriedem)
Changed in nova:
importance: Wishlist → Medium
assignee: nobody → Matt Riedemann (mriedem)
tags: added: unified-objects
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/288927

Changed in nova:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/288927
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=db50aaca0acdf7814a8d6673545db94738907131
Submitter: Jenkins
Branch: master

commit db50aaca0acdf7814a8d6673545db94738907131
Author: Matt Riedemann <email address hidden>
Date: Sat Mar 5 13:40:52 2016 -0500

    Use SensitiveStringField for BlockDeviceMapping.connection_info

    bd977f400a1192d5cf7c2b52ef91615c0828813c added the SensitiveStringField
    to oslo.versionedobjects. SensitiveStringField is a StringField, which
    is what BlockDeviceMapping.connection_info was already using. The difference
    is that a SensitiveStringField masks passwords in the 'stringify' method,
    which is what's used when __repr__ is called on the object.

    Since BDM.connection_info can contain credentials, and the connection_info
    dict gets passed around quite a bit in the compute manager and virt drivers,
    it has from time to time gotten logged without first masking passwords.

    This makes the object handle masking the password so we don't have to do it
    explicitly anymore.

    There is no version bump on the BlockDeviceMapping object since nothing has
    functionally changed.

    Change-Id: I66a0b5f6834034e2fcbefc4510e3aa018edec310
    Closes-Bug: #1321785

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/nova 13.0.0.0rc1

This issue was fixed in the openstack/nova 13.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.