iscsiadm log shows passwords

Bug #1445137 reported by Walt Boring
Affects    Status        Importance   Assigned to    Milestone
Cinder     Fix Released  Medium       Walt Boring    7.0.0
os-brick   Fix Released  Medium       Walt Boring    0.2.0

Bug Description

Hi,

I am wondering why screen-c-vol.log is displaying the CHAP secret.

Logs:

2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m node -T iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p 192.10.44.48:3260 --op update -n node.session.auth.password -v ***" returned: 0 in 0.088s execute /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225

The log line above hides the secret.

2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - -] iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret'): stdout= stderr= _run_iscsiadm /opt/stack/cinder/cinder/brick/initiator/connector.py:455

However, this one does not hide the secret.

In addition, I find that the CHAP credentials are stored as a plain string in the database table (volumes).

I guess these are security risks in the current implementation. Any comments?

Regards,
Yogesh
CloudByte Inc.

Changed in cinder:
status: New → Confirmed
Changed in os-brick:
status: New → Confirmed
assignee: nobody → Walt Boring (walter-boring)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-brick (master)

Fix proposed to branch: master
Review: https://review.openstack.org/174484

Changed in os-brick:
status: Confirmed → In Progress
Changed in cinder:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/174485

Changed in cinder:
importance: Undecided → Medium
Changed in os-brick:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/174485
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=64d7923f3665ce5f40572980e1ea65b3c4df02b7
Submitter: Jenkins
Branch: master

commit 64d7923f3665ce5f40572980e1ea65b3c4df02b7
Author: Walter A. Boring IV <email address hidden>
Date: Thu Apr 16 10:44:10 2015 -0700

    Mask passwords with iscsiadm commands

    This patch adds the fix that exists in the nova
    libvirt volume code to use oslo_utils strutils
    to mask passwords that might show up in debug log
    messages.

    Change-Id: I5c321d6b2627f186ff3dfe64ee7ad71f27a95cf0
    Closes-Bug: 1445137

Changed in cinder:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-brick (master)

Reviewed: https://review.openstack.org/174484
Committed: https://git.openstack.org/cgit/openstack/os-brick/commit/?id=7ee5a43a7562ff6064a9e9d8fcbc8fcdbe4bba7f
Submitter: Jenkins
Branch: master

commit 7ee5a43a7562ff6064a9e9d8fcbc8fcdbe4bba7f
Author: Walter A. Boring IV <email address hidden>
Date: Thu Apr 16 10:42:47 2015 -0700

    Mask passwords with iscsiadm commands

    This patch adds the fix that exists in the nova
    libvirt volume code to use oslo_utils strutils
    to mask passwords that might show up in debug log
    messages.

    Change-Id: I632eb4d71588736ab21327824d0506c13f3933ae
    Closes-Bug: 1445137

Changed in os-brick:
status: In Progress → Fix Committed
Changed in os-brick:
milestone: none → 0.2.0
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: liberty-1 → 7.0.0