OpenStack Compute (Nova)

Auth token is present in clear text in nova-network log file

Reported by Satya Sanjibani Routray on 2012-03-16
This bug affects 1 person
Affects: OpenStack Compute (nova)
Importance: Low
Assigned to: Russell Bryant

Bug Description

Checked the nova-network.log file in a compute node and found that the auth token and project ID are listed in clear text.

<snip>
2012-03-15 06:25:23,848 DEBUG nova.rpc [-] skipping a message reply due to a value of None returned by the func: <bound method FlatDHCPManager.lease_fixed_ip of <nova.network.manager.FlatDHCPManager object at 0x17827d0>> from (pid=30663) _process_data /usr/lib/python2.7/dist-packages/nova/rpc/impl_kombu.py:669
2012-03-15 06:25:27,776 DEBUG nova [-] Greenthread (id:44345280) for consumers is alive from (pid=30663) check_consumers /usr/lib/python2.7/dist-packages/nova/service.py:440
2012-03-15 06:25:47,566 DEBUG nova.rpc [-] received {u'_context_roles': [u'netadmin', u'sysadmin', u'sysadmin', u'block-admin', u'user', u'domainuser', u'domainadmin'], u'_msg_id': u'031f184bb2c84c50b3436e8b58f9741f', u'_context_read_deleted': False, u'_context_request_id': u'c1d9300c-fb28-4181-9ebf-c1efa841af36', u'args': {u'project_id': u'47546022661210', u'requested_networks': None, u'instance_type_id': 13, u'instance_id': 106709, u'host': u'<node>, u'vpn': False}, u'_context_auth_token': u'4f61347ae4b0e5ef681619d8', u'_context_strategy': u'keystone', u'_context_is_admin': True, u'_context_project_id': u'47546022661210', u'_context_timestamp': u'2012-03-15T06:25:43.424604', u'_context_user_id': u'48283109960375', u'method': u'allocate_for_instance', u'_context_remote_address': u'15.184.9.134'} from (pid=30663) __call__ /usr/lib/python2.7/dist-packages/nova/rpc/impl_kombu.py:634
2012-03-15 06:25:47,566 DEBUG nova.rpc [-] unpacked context: {'user_id': u'48283109960375', 'roles': [u'netadmin', u'sysadmin', u'sysadmin', u'block-admin', u'user', u'domainuser', u'domainadmin'], 'timestamp': u'2012-03-15T06:25:43.424604', 'auth_token': u'4f61347ae4b0e5ef681619d8', 'msg_id': u'031f184bb2c84c50b3436e8b58f9741f', 'remote_address': u'15.184.9.134', 'strategy': u'keystone', 'is_admin': True, 'request_id': u'c1d9300c-fb28-4181-9ebf-c1efa841af36', 'project_id': u'47546022661210', 'read_deleted': False} from (pid=30663) _unpack_context /usr/lib/python2.7/dist-packages/nova/rpc/impl_kombu.py:689
<snip>

Thierry Carrez (ttx) wrote :

Adding PTL for impact discussion

Thierry Carrez (ttx) wrote :

Not totally convinced it's inappropriate in DEBUG logs.

tags: added: essex-rc-potential
Changed in nova:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

Marking public, like we did for other bugs in the same area.

visibility: private → public
Vish Ishaya (vishvananda) wrote :

Seems reasonable to remove it, or perhaps put first four characters + ....... or XXXXX

Changed in nova:
status: Incomplete → Triaged
importance: Undecided → Low

Fix proposed to branch: master
Review: https://review.openstack.org/5647

Changed in nova:
assignee: nobody → Russell Bryant (russellb)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/5647
Committed: http://github.com/openstack/nova/commit/5de274c98c82bae579396fc8e5062ac15d82934e
Submitter: Jenkins
Branch: master

commit 5de274c98c82bae579396fc8e5062ac15d82934e
Author: Russell Bryant <email address hidden>
Date: Wed Mar 21 16:25:14 2012 -0400

    Strip auth token from log output.

    Fix bug 956777.

    This patch updates _safe_log, which is used for rpc debug logs, to not
    include auth tokens.

    Change-Id: I36bb4233acd356f85b0e6006a6b812a67605b393
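
An added example, not the code from the Nova commit above: one way to mask token fields in an rpc message dict before it reaches a debug log, using the two key names visible in the log excerpt in the bug description and the "first four characters" masking suggested in the thread. The function names, the key set and the sample message are assumptions of this example.

```python
import logging

# Key names taken from the rpc debug lines quoted in the bug description;
# treating exactly these two as secret is an assumption of this example.
SENSITIVE_KEYS = {"_context_auth_token", "auth_token"}


def mask_secret(value, keep=4):
    """Keep the first `keep` characters, replace the rest with a fixed mask."""
    text = str(value)
    if len(text) <= keep:
        # Too short to show a prefix without revealing the whole value.
        return "XXXXX"
    # Fixed-width mask so the log does not reveal the token length.
    return text[:keep] + "XXXXX"


def sanitize(obj):
    """Return a copy of obj with token fields masked at any nesting depth."""
    if isinstance(obj, dict):
        return {k: (mask_secret(v) if k in SENSITIVE_KEYS and v is not None
                    else sanitize(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(sanitize(v) for v in obj)
    return obj


def safe_debug(logger, prefix, msg_data):
    """Log a sanitized view; the caller's dict is left untouched."""
    logger.debug("%s %s", prefix, sanitize(msg_data))


# Constructed sample shaped like the 'received' message in the report.
SAMPLE = {
    "_context_auth_token": "0123456789abcdef01234567",  # constructed value
    "_context_project_id": "1000",
    "method": "allocate_for_instance",
    "args": {"project_id": "1000", "context": {"auth_token": "abcd"}},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    safe_debug(logging.getLogger("rpc.example"), "received", SAMPLE)
```

Sanitizing a copy at the logging call keeps the real token available to the rpc handler while only the masked form is written to the log file.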

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-26
Changed in nova:
milestone: none → essex-rc2
tags: removed: essex-rc-potential

Reviewed: https://review.openstack.org/5775
Committed: http://github.com/openstack/nova/commit/7ce1669f7c31195426c7769240b700459459fa09
Submitter: Jenkins
Branch: milestone-proposed

commit 7ce1669f7c31195426c7769240b700459459fa09
Author: Russell Bryant <email address hidden>
Date: Wed Mar 21 16:25:14 2012 -0400

    Strip auth token from log output.

    Fix bug 956777.

    This patch updates _safe_log, which is used for rpc debug logs, to not
    include auth tokens.

    Change-Id: I36bb4233acd356f85b0e6006a6b812a67605b393

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-rc2 → 2012.1
This report contains Public Security information
Everyone can see this security related information.