Unredacted X-Auth-Token logged at level DEBUG in nova-api when HTTP status code != 2xx
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Critical | Sylvain Bauza | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Noticed this while working on something else: if the API is going to return an HTTP status code other than 2xx (success), a lot of request details are logged, including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https:/
These are logged a lot when using OSC + server names, because OSC always tries to look up a name as a UUID (which will fail with 404) before it falls back on trying it as an ID. So commands such as 'openstack server show MyServer' will produce debug logs like the following.
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: INFO nova.api.
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: DEBUG nova.api.
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: request: GET /compute/
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: Openstack-
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal <email address hidden>[3890335]: X-Auth-Token: gAAAAABkIj7cGDJ2-gYiWUyMAYW6A1
[...]
Full log trace:
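The problem described above is that the request dump written on a non-2xx response carries the raw header value. As an added example (not nova's own code), here is a small Python sanitizer that masks credential-bearing headers before that dump is logged; the header set beyond X-Auth-Token, the function names and the sample request are assumptions for illustration.

```python
import logging
from typing import Mapping, Optional

# Header names whose values must never reach a log file, even at DEBUG.
# Only X-Auth-Token is named in the report; the rest are an assumption.
SENSITIVE_HEADERS = frozenset({
    "x-auth-token",
    "x-subject-token",
    "x-service-token",
    "authorization",
})

MASK = "***"


def redact_headers(headers: Mapping[str, str]) -> dict:
    """Return a copy of the headers with credential-bearing values masked.

    Matching is case-insensitive because HTTP header names are.
    """
    return {
        name: (MASK if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def format_request_for_log(method: str, path: str,
                           headers: Mapping[str, str]) -> str:
    """Build the multi-line request dump, masking sensitive headers first."""
    lines = [f"request: {method} {path}"]
    for name, value in sorted(redact_headers(headers).items()):
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


def log_failed_request(method: str, path: str, headers: Mapping[str, str],
                       status: int, logger: Optional[logging.Logger] = None
                       ) -> Optional[str]:
    """Dump the request only when status != 2xx (the reported behaviour),
    but guarantee the dump is safe to write. Returns the dump or None."""
    if 200 <= status < 300:
        return None
    dump = format_request_for_log(method, path, headers)
    (logger or logging.getLogger("nova.api")).debug(
        "HTTP %d for %s %s\n%s", status, method, path, dump)
    return dump


if __name__ == "__main__":
    # Constructed sample modelled on the report: a server-name lookup that 404s.
    sample = {"Accept": "application/json", "Host": "192.168.44.11",
              "User-Agent": "python-novaclient",
              "X-Auth-Token": "gAAAAAB-CONSTRUCTED-SAMPLE-TOKEN"}
    logging.basicConfig(level=logging.DEBUG)
    print(log_failed_request("GET", "/compute/v2.1/servers/MyServer", sample, 404))
```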
I think we should revert https://review.opendev.org/c/openstack/nova/+/806683 asap and backport that revert. Leaking user tokens in the log (even in DEBUG) is a no-no for me.