oslo.utils

Storwize SVC: Logging chap secret in DEBUG logs

Bug #2038466 reported by Rajat Dhasmana on 2023-10-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	New	Undecided	Rajat Dhasmana
	oslo.utils	Fix Released	Medium	Rajat Dhasmana

Bug Description

When debug log is enabled, the IBM Storwize SVC driver logs the chap secret when executing the chhost command[1].

This is logged in oslo.concurrency[2].

The problem here seems to be that the chapsecret key is not in the list of sanitize keys in mask_password method of oslo utils[3]

DEBUG oslo_concurrency.processutils [] Running cmd (SSH): svctask chhost -chapsecret <secret> <host> ssh_execute /usr/lib/python3.9/site-packages/oslo_concurrency/processutils.py:542

[1] https://opendev.org/openstack/cinder/src/commit/95630360b2091409dc35eebd86d51d9aad2ab0fc/cinder/volume/drivers/ibm/storwize_svc/storwize_svc_common.py#L314

[2] https://opendev.org/openstack/oslo.concurrency/src/commit/774f604c16b47ad4ce47e6390ec30f9fc8f30c67/oslo_concurrency/processutils.py#L542

[3] https://opendev.org/openstack/oslo.utils/src/commit/a122f5c065c346c9ca2218a9131a2a352e6b380f/oslo_utils/strutils.py#L69-L79

See original description

Rajat Dhasmana (whoami-rajat) on 2023-10-04

Changed in cinder:
assignee:	nobody → Rajat Dhasmana (whoami-rajat)
description:	updated

Revision history for this message

Takashi Kajinami (kajinamit) wrote on 2023-10-06:

Fix was proposed to oslo.utils https://review.opendev.org/c/openstack/oslo.utils/+/897354

Changed in oslo.utils:
assignee:	nobody → Rajat Dhasmana (whoami-rajat)
importance:	Undecided → Medium
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-19: Fix merged to oslo.utils (master)

Reviewed: https://review.opendev.org/c/openstack/oslo.utils/+/897354
Committed: https://opendev.org/openstack/oslo.utils/commit/cecf061e6e4f666104170e3bba93fdae24255309
Submitter: "Zuul (22348)"
Branch: master

commit cecf061e6e4f666104170e3bba93fdae24255309
Author: whoami-rajat <email address hidden>
Date: Wed Oct 4 17:42:31 2023 +0000

Mask chapsecret

    Doesn't mask chapsecre
    >>> strutils.mask_password("'chapsecre' : 'aaaaa'")
    "'chapsecre' : 'aaaaa'"

    Masks chapsecret
    >>> strutils.mask_password("'chapsecret' : 'aaaaa'")
    "'chapsecret' : '***'"

Closes-Bug: #2038466
Change-Id: Iae22a544ff69069b1b82b6ab3a885f3a19869287

Changed in oslo.utils:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-11-09: Fix included in openstack/oslo.utils 6.3.0

This issue was fixed in the openstack/oslo.utils 6.3.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.