mask_password is overzealous

Bug #1482382 reported by Matthew Edmonds
32
This bug affects 6 people
Affects Status Importance Assigned to Milestone
oslo.concurrency
Fix Released
Undecided
prashkre
oslo.utils
Invalid
Undecided
Unassigned

Bug Description

I created a new cinder volume that included "password" in the name, and this caused a number of problems that were traced back to mask_password. The r'(%(key)s\s*--?[A-z]+\s*)\S+(\s*)' pattern matched the backend volume id ("volume-wmevol_san_password-fa002fa2-79d6") causing the strutils.mask_password(stdout) call in oslo_concurrency.processutils.ssh_execute() to take the correct output of a "svcinfo lsvdisk -bytes -delim :" command:

593:volume-wmevol_san_password-fa002fa2-79d6:0:io_grp0:online:0:npiv_pool:1073741824:striped:::::6005076802820A9DA80000000000AAD8:0:1:empty:1:no:0

and change it to:

593:volume-wmevol_san_password-fa****

It appears that this pattern was first added under [1] and then later modified with [2].

[1] https://github.com/openstack/oslo-incubator/commit/cdcc19c1d78a4a88daabfb64b27abd4924aa442d
[2] https://github.com/openstack/oslo-incubator/commit/e9bb0b596650540f336afb070a1f8c7de099721f

Revision history for this message
Doug Hellmann (doug-hellmann) wrote :

Was there a problem creating the volume, or just with the logging of the operation?

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

Neither... the volume was created, but I was unable to delete it. I suspect this is the cause, and may cause other issues as well.

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

I don't think volume attach would work on this volume, since the lsvdisk call here [1] should hit this problem:

def get_vdisk_attributes(self, vdisk):
    attrs = self.ssh.lsvdisk(vdisk)
    return attrs

Etc.

[1] https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/ibm/storwize_svc/helpers.py#L633

Revision history for this message
ChangBo Guo(gcb) (glongwave) wrote :

Is this still a valid issue, from the bug description, it likes cinder use mask_password. We usuall use this method to log something. Can you point out how to use it in Cinder ?

Changed in oslo.utils:
status: New → Incomplete
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

No response for more info. Please reopen if this is still seen.

Changed in cinder:
status: New → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for oslo.utils because there has been no activity for 60 days.]

Changed in oslo.utils:
status: Incomplete → Expired
Changed in oslo.utils:
status: Expired → Confirmed
Changed in cinder:
status: Invalid → Confirmed
Revision history for this message
ChangBo Guo(gcb) (glongwave) wrote :

any update ?

Revision history for this message
prashkre (prashkre) wrote :

Same issue is seen in my environment i.e. volume details are masked by stdout = strutils.mask_password(stdout) at [0] when "password" string exists in its name. In cinder, oslo_concurrency/processutils.ssh_execute() at [1] is being invoked at many places to run a command over ssh session and parse the returned output from it to get required information but due to above masking behavior before output is parsed(outside of processutils.ssh_execute()) causing an issue.

[0] https://github.com/openstack/oslo.concurrency/blob/master/oslo_concurrency/processutils.py#L540
[1] https://github.com/openstack/oslo.concurrency/blob/master/oslo_concurrency/processutils.py#L504

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

mask_password is just a mess. See comments in https://review.openstack.org/#/c/385197/ . At this point I'm convinced that we should have more specific methods for different cases, e.g. ssh_execute here, instead of a general method that tries to cover too many cases and thus can't handle any of them very well, which is what mask_password is today.

prashkre (prashkre)
Changed in cinder:
assignee: nobody → prashkre (prashkre)
Changed in oslo.utils:
assignee: nobody → prashkre (prashkre)
Changed in oslo.concurrency:
assignee: nobody → prashkre (prashkre)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.concurrency (master)

Fix proposed to branch: master
Review: https://review.openstack.org/537823

Changed in oslo.concurrency:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.concurrency (master)

Reviewed: https://review.openstack.org/537823
Committed: https://git.openstack.org/cgit/openstack/oslo.concurrency/commit/?id=21ae27e66d77f276c23a7ca2eaa8869438fb4d31
Submitter: Zuul
Branch: master

commit 21ae27e66d77f276c23a7ca2eaa8869438fb4d31
Author: prashkre <email address hidden>
Date: Thu Jan 25 13:41:42 2018 +0530

    Mask passwords only when command execution fails

    At many places, processutils.ssh_execute() is being invoked to run
    a command over ssh and output returned is parsed to get appropriate
    information. In this flow, unsanitized output is being expected
    where processutils.ssh_execute() was invoked but found that
    output like volume details(containing "password" string in its name)
    is being masked away with strutils.mask_password(stdout) even though
    no error occured during command execution.

    This is regression issue from patch[0]. In this fix, stdout and stderr
    in processutils.ssh_execute() will be masked only when
    ProcessExecutionError exception is thrown i.e. command execution failed
    due to some reasons.

    [0] https://github.com/openstack/oslo.concurrency/commit/
    ae9e05bfc3d7ec867bd6ec78c301f11c2bdd0d5f

    Change-Id: I2ce344330905eef437ef3f89a2a01169a30df8ab
    Closes-Bug: #1482382

Changed in oslo.concurrency:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.concurrency (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/547388

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.concurrency (stable/queens)

Reviewed: https://review.openstack.org/547388
Committed: https://git.openstack.org/cgit/openstack/oslo.concurrency/commit/?id=0c4718fcb77e9f4e3a22ae458869b7294b7bc91f
Submitter: Zuul
Branch: stable/queens

commit 0c4718fcb77e9f4e3a22ae458869b7294b7bc91f
Author: prashkre <email address hidden>
Date: Thu Jan 25 13:41:42 2018 +0530

    Mask passwords only when command execution fails

    At many places, processutils.ssh_execute() is being invoked to run
    a command over ssh and output returned is parsed to get appropriate
    information. In this flow, unsanitized output is being expected
    where processutils.ssh_execute() was invoked but found that
    output like volume details(containing "password" string in its name)
    is being masked away with strutils.mask_password(stdout) even though
    no error occured during command execution.

    This is regression issue from patch[0]. In this fix, stdout and stderr
    in processutils.ssh_execute() will be masked only when
    ProcessExecutionError exception is thrown i.e. command execution failed
    due to some reasons.

    [0] https://github.com/openstack/oslo.concurrency/commit/
    ae9e05bfc3d7ec867bd6ec78c301f11c2bdd0d5f

    Change-Id: I2ce344330905eef437ef3f89a2a01169a30df8ab
    Closes-Bug: #1482382
    (cherry picked from commit 21ae27e66d77f276c23a7ca2eaa8869438fb4d31)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/549323

Changed in cinder:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.concurrency 3.26.0

This issue was fixed in the openstack/oslo.concurrency 3.26.0 release.

Changed in cinder:
assignee: prashkre (prashkre) → Eric Harney (eharney)
Eric Harney (eharney)
Changed in cinder:
assignee: Eric Harney (eharney) → prashkre (prashkre)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.concurrency 3.25.1

This issue was fixed in the openstack/oslo.concurrency 3.25.1 release.

Eric Harney (eharney)
no longer affects: cinder
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 14.0.0.0rc1

This issue was fixed in the openstack/cinder 14.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements rocky-eol

This issue was fixed in the openstack/requirements rocky-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements stein-eol

This issue was fixed in the openstack/requirements stein-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements yoga-eom

This issue was fixed in the openstack/requirements yoga-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements train-eol

This issue was fixed in the openstack/requirements train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements ussuri-eol

This issue was fixed in the openstack/requirements ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements victoria-eom

This issue was fixed in the openstack/requirements victoria-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements wallaby-eom

This issue was fixed in the openstack/requirements wallaby-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements xena-eom

This issue was fixed in the openstack/requirements xena-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/requirements zed-eom

This issue was fixed in the openstack/requirements zed-eom release.

Revision history for this message
Takashi Kajinami (kajinamit) wrote (last edit ):

The actual issue was fixed in oslo.concurrency. We may be able to fix mask_password itself but it's not critical and given the fact no one has worked on it for very long time, it may not likely be fixed.

Changed in oslo.utils:
assignee: prashkre (prashkre) → nobody
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.