db connection string is cleartext in debug log

Bug #1266590 reported by Brant Knudson
Affects | Status | Importance | Assigned to | Milestone
Glance | Fix Released | Medium | Feilong Wang |
OpenStack Identity (keystone) | Fix Released | Medium | Brant Knudson |
oslo-incubator | Fix Released | Undecided | Brant Knudson |

Bug Description

When I start up keystone-all with --debug it logs the config settings. The config setting for the database connection string is printed out:

(keystone-all): 2014-01-06 16:32:56,983 DEBUG cfg log_opt_values database.connection = mysql://root:rootpwd@127.0.0.1/keystone?charset=utf8

The database connection string will typically contain the user password, so this value should be masked (like admin_token).

This is a regression from Havana, which masked the db connection string.
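
An added example (not part of the bug report or of the OpenStack code): a standard-library Python audit that scans debug logs for config dump lines like the one quoted above, flags URL-valued options that carry a password, and produces a redacted copy of each line. The regex for the `log_opt_values` line shape and every sample line except the first are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed line shape: the "group.option = value" tail of a config dump line
# such as the one quoted in the bug description.
OPT_LINE = re.compile(r"log_opt_values\s+(?P<name>[\w.]+)\s*=\s*(?P<value>\S+)")


def redact_url(value):
    """Return value with any URL password replaced by ****, or None if
    the value is not a URL carrying a password."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if not parts.scheme or not parts.password:
        return None
    # netloc is "user:password@host[:port]"; split on the last "@" so a
    # password that itself contains "@" is still handled.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return parts._replace(netloc=f"{user}:****@{hostport}").geturl()


def audit(lines):
    """Yield (line_number, option_name, redacted_line) for every config dump
    line that exposes a password inside a URL-valued option."""
    for number, line in enumerate(lines, 1):
        match = OPT_LINE.search(line)
        if not match:
            continue
        redacted = redact_url(match["value"])
        if redacted is not None:
            safe = line[:match.start("value")] + redacted + line[match.end("value"):]
            yield number, match["name"], safe


# Constructed sample: the first line is the one from the bug report, the rest
# are made up to show an already masked value and a URL without credentials.
SAMPLE_LOG = [
    "(keystone-all): 2014-01-06 16:32:56,983 DEBUG cfg log_opt_values database.connection = mysql://root:rootpwd@127.0.0.1/keystone?charset=utf8",
    "(keystone-all): 2014-01-06 16:32:56,984 DEBUG cfg log_opt_values admin_token = ****",
    "(keystone-all): 2014-01-06 16:32:56,985 DEBUG cfg log_opt_values database.connection = sqlite:///keystone.db",
]

if __name__ == "__main__":
    for number, name, safe in audit(SAMPLE_LOG):
        print(f"line {number}: {name} exposes a password -> {safe}")
```

Any option this reports was written to the log in cleartext, so the password it carried should be rotated and the affected log files handled as sensitive.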

Brant Knudson (blk-u)
Changed in oslo:
assignee: nobody → Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo-incubator (master)

Fix proposed to branch: master
Review: https://review.openstack.org/65167

Changed in oslo:
status: New → In Progress
Brant Knudson (blk-u)
summary: - db connection string in cleartext in debug log
+ db connection string is cleartext in debug log
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo-incubator (master)

Reviewed: https://review.openstack.org/65167
Committed: https://git.openstack.org/cgit/openstack/oslo-incubator/commit/?id=fa0f36fae9d572535d10a7e99297faed700ba584
Submitter: Jenkins
Branch: master

commit fa0f36fae9d572535d10a7e99297faed700ba584
Author: Brant Knudson <email address hidden>
Date: Mon Jan 6 16:42:29 2014 -0600

    Fix database connection string is secret

    The database connection string was not marked as secret, so it
    would be printed out in cleartext in the logs when config settings
    were logged.

    The database connection string typically contains the password
    that's used to connect to the database, so it should be marked as
    secret so that it doesn't get logged.

    Change-Id: If6e1026814262c961a4f22d90f546cec34831bc8
    Closes-Bug: #1266590

Changed in oslo:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/65713

Changed in keystone:
status: New → In Progress
Feilong Wang (flwang)
Changed in glance:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Fei Long Wang (flwang)
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in oslo:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/65713
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=665cff12dddefb75c3e8fb6c810ef76fd545ea4f
Submitter: Jenkins
Branch: master

commit 665cff12dddefb75c3e8fb6c810ef76fd545ea4f
Author: Brant Knudson <email address hidden>
Date: Thu Jan 9 10:04:33 2014 -0600

    Merge db.sqlalchemy from oslo-incubator af5f710

    The db.sqlalchemy module was not recent with oslo-incubator.

     $ git checkout af5f71096c7bb83fe2f956588a9ec643b0d9a2f6
     $ python update.py --nodeps --base keystone \
       --dest-dir ../keystone --modules db.sqlalchemy

    The af5f710 oslo-incubator db.sqlalchemy contains a fix for the
    following problem, which caused a regression in Keystone:

    The database connection string was not marked as secret, so it
    would be printed out in cleartext in the logs when config settings
    were logged.

    The database connection string typically contains the password
    that's used to connect to the database, so it should be marked as
    secret so that it doesn't get logged.

    Change-Id: Ibdc63480a836646c5571a368f3c3a1d0c82d6aba
    Closes-Bug: #1266590

Changed in keystone:
status: In Progress → Fix Committed
Feilong Wang (flwang)
Changed in glance:
status: Triaged → Fix Committed
Jay Bryant (jsbryant)
Changed in cinder:
assignee: nobody → Jay Bryant (jsbryant)
milestone: none → icehouse-3
Jay Bryant (jsbryant)
Changed in cinder:
importance: Undecided → High
Thierry Carrez (ttx)
Changed in glance:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: icehouse-3 → icehouse-rc1
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
John Griffith (john-griffith) wrote :

Cinder has the secret=True setting in the conf options already, so the DNE Cinder.

no longer affects: cinder
Thierry Carrez (ttx)
Changed in oslo:
milestone: icehouse-2 → 2014.1
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → 2014.1
Thierry Carrez (ttx)
Changed in glance:
milestone: icehouse-3 → 2014.1