Comment 10 for bug 1787214
Revision history for this message
| Ken Giusti (kgiusti) wrote Re: [Bug 1787214] Re: Using use_json logging leaks credentials | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Thanks Jeremy,
/me reads....
A fix is proposed as a patch to the current master branch (as well as any
> affected supported branches) and attached to the private bug report, not
> sent to the public code review system.
>
Aww crap....
On Wed, Aug 22, 2018 at 12:41 PM Jeremy Stanley <email address hidden> wrote:
> Ken: The process recommended by the OpenStack Vulnerability Management
> Team is documented at https:/
> (though since oslo.log and oslo.messaging haven't applied for VMT
> oversight they're not necessarily obliged to follow the timeline
> described there).
>
> --
> You received this bug notification because you are a bug assignee.
> https:/
>
> Title:
> Using use_json logging leaks credentials
>
> Status in oslo.log:
> Triaged
> Status in oslo.messaging:
> In Progress
>
> Bug description:
> The following was observed in the OpenStack Ansible CI when use_json
> was used in oslo.log, it looks like it passes out all the items
> serialized which can cause credentials to be leaked:
>
> http://
> functional-
> volume.
>
> [in case it gets deleted]
>
> Aug 15 11:10:33 ubuntu-
> volume[23478]: {"thread_name": "MainThread", "extra": {"project":
> "unknown", "version": "unknown"}, "process": 23478,
> "relative_created": 2235828.4900188446, "module": "impl_rabbit",
> "message": "[31818cce-
> server on 10.1.1.101:5672 via [amqp] client with port 54050.",
> "hostname": "ubuntu-
> "impl_rabbit.py", "levelno": 20, "lineno": 778, "asctime": "2018-08-15
> 11:10:33", "msg": "[%(connection_
> %(hostname)
> %(client_port)s.", "error_summary": "", "args": {"hostname":
> "10.1.1.101", "userid": "cinder", "password": "secrete",
> "virtual_host": "/cinder", "port": 5672, "insist": false, "ssl":
> false, "transport": "amqp", "connect_timeout": 5, "transport_
> {"on_blocked": "<function _on_connection_
> "on_unblocked": "<function _on_connection_
> 0x7fb2fc328320>", "client_
> volume:
> {"connection.
> "consumer_
> "login_method": "AMQPLAIN", "uri_prefix": null, "heartbeat": 60.0,
> "failover_
> 54050, "connection_id": "31818cce-
> "process_name": "MainProcess", "name":
> "oslo.messaging
> "created": 1534331433.086563, "traceback": null, "msecs":
> 86.5631103515625, "funcname": "on_reconnection", "pathname":
> "/openstack/
> packages/
> "levelname": "INFO"}
>
> Aug 15 11:10:33 ubuntu-
> volume[23478]: {"thread_name": "MainThread", "extra": {"project":
> "unknown", "version": "unknown"}, "process": 23478,
> "relative_created": 2235829.628944397, "module": "impl_rabbit",
> "message": "[b956eec0-
> server on 10.1.1.101:5672 via [amqp] client with port 54048.",
> "hostname": "ubuntu-
> "impl_rabbit.py", "levelno": 20, "lineno": 778, "asctime": "2018-08-15
> 11:10:33", "msg": "[%(connection_
> %(hostname)
> %(client_port)s.", "error_summary": "", "args": {"hostname":
> "10.1.1.101", "userid": "cinder", "password": "secrete",
> "virtual_host": "/cinder", "port": 5672, "insist": false, "ssl":
> false, "transport": "amqp", "connect_timeout": 5, "transport_
> {"on_blocked": "<function _on_connection_
> "on_unblocked": "<function _on_connection_
> 0x7fb2fc328320>", "client_
> volume:
> {"connection.
> "consumer_
> "login_method": "AMQPLAIN", "uri_prefix": null, "heartbeat": 60.0,
> "failover_
> 54048, "connection_id": "b956eec0-
> "process_name": "MainProcess", "name":
> "oslo.messaging
> "created": 1534331433.087702, "traceback": null, "msecs":
> 87.70203590393066, "funcname": "on_reconnection", "pathname":
> "/openstack/
> packages/
> "levelname": "INFO"}
>
> Aug 15 11:10:33 ubuntu-
> volume[23478]: {"thread_name": "GreenThread-2", "extra": {"project":
> null, "version": "unknown"}, "process": 23478, "relative_created":
> 2235847.9709625244, "module": "impl_rabbit", "message":
> "[a2a29ff1-
> is unreachable: [Errno 32] Broken pipe. Trying again in 1 seconds.",
> "hostname": "ubuntu-
> "impl_rabbit.py", "levelno": 40, "lineno": 751, "asctime": "2018-08-15
> 11:10:33", "msg": "[%(connection_
> %(hostname)
> %(sleep_time)d seconds.", "error_summary": "error: [Errno 32] Broken
> pipe", "args": {"transport_
> _on_connection_
> _on_connection_
> {"connection_name": "cinder-
> volume:
> {"connection.
> "consumer_
> "failover_
> "a2a29ff1-
> "client_port": null, "password": "secrete", "port": 5672, "transport":
> "amqp", "alternates": [], "err_str": "error(32, 'Broken pipe')",
> "login_method": "AMQPLAIN", "hostname": "10.1.1.101", "userid":
> "cinder", "connect_timeout": 5, "virtual_host": "/cinder",
> "heartbeat": 60.0, "uri_prefix": null, "sleep_time": 1.0},
> "process_name": "MainProcess", "name":
> "oslo.messaging
> "created": 1534331433.106044, "traceback": null, "msecs":
> 106.04405403137207, "funcname": "on_error", "pathname":
> "/openstack/
> packages/
> {"domain": null, "project_name": null, "global_
> "project_domain": null, "timestamp": "2018-08-
> "user_domain_name": null, "remote_address": null, "quota_class": null,
> "resource_uuid": null, "is_admin": true, "user": null,
> "service_catalog": [], "domain_id": null, "tenant": null, "read_only":
> false, "user_domain": null, "user_id": null, "show_deleted": false,
> "system_scope": null, "user_identity": "- - - - -", "domain_name":
> null, "is_admin_project": true, "project": null, "read_deleted": "no",
> "request_id": "req-e0d7fde8-
> ["admin"], "project_id": null, "user_name": null, "auth_token": null,
> "project_
>
> It looks like it is all happening here:
>
>
> https:/
>
> More specifically, getting it from this function:
>
>
> https:/
>
> going up the stack..
>
>
> https:/
>
> going further up where self.connection is defined
>
>
> https:/
>
> going all the way up to kombu
>
>
> https:/
>
> and this is where the leaked data comes from..
>
>
> https:/
>
> To manage notifications about this bug go to:
> https:/
>
--
Ken Giusti (<email address hidden>)