heat CLI is passing raw username and password for stack-create, stack-update and stack-preview
Bug #1408530 reported by Jamie Lennox
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-heatclient | Triaged | High | Unassigned |
Bug Description
When using the CLI or the heatclient directly, for every call to stack.create, stack.preview or stack.update the username and password are being transmitted in plaintext to heat as the X-Auth-User and X-Auth-Key headers.
This would seem like a hangover from before trusts were available and heat wanting to authenticate as the current user.
This behaviour ignores the --include-password CLI flag.
Changed in python-heatclient:
status: New → Triaged
importance: Undecided → High
information type: Private Security → Public
tags: added: security
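A way to check captured client traffic for the behaviour described in the bug, as an added example that is not part of the report or of python-heatclient: it flags requests that carry X-Auth-User or X-Auth-Key when the caller did not opt in. The function names, host, paths, token and credential values are assumptions constructed for illustration.

```python
import re

# Header names the bug report identifies as carrying the raw credentials.
CREDENTIAL_HEADERS = {"x-auth-user", "x-auth-key"}

def audit_request(raw_request, include_password=False):
    """Return a finding for a raw HTTP request that carries credential
    headers the caller did not opt into, else None. Header values are
    deliberately never copied into the finding."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    lines = head.splitlines()
    method, path = lines[0].split()[:2]
    # HTTP header names are case-insensitive, so compare lowercased.
    seen = {line.partition(":")[0].strip().lower()
            for line in lines[1:] if ":" in line}
    leaked = sorted(seen & CREDENTIAL_HEADERS)
    if leaked and not include_password:
        return {"method": method, "path": path, "headers": leaked}
    return None

def audit_capture(raw_requests, include_password=False):
    """Audit a list of captured requests; return only the findings."""
    results = (audit_request(r, include_password) for r in raw_requests)
    return [f for f in results if f is not None]

# Constructed sample capture: tenant id, stack ids, token and credentials
# are placeholders, not values from the bug report.
SAMPLE_CAPTURE = [
    "POST /v1/TENANT_ID/stacks HTTP/1.1\r\nHost: heat.example.test\r\n"
    "X-Auth-Token: TOKEN_PLACEHOLDER\r\nX-Auth-User: demo\r\n"
    "X-Auth-Key: PASSWORD_PLACEHOLDER\r\n\r\n{\"stack_name\": \"s1\"}",
    "GET /v1/TENANT_ID/stacks HTTP/1.1\r\nHost: heat.example.test\r\n"
    "X-Auth-Token: TOKEN_PLACEHOLDER\r\n\r\n",
    "PUT /v1/TENANT_ID/stacks/s1/STACK_ID HTTP/1.1\nhost: heat.example.test\n"
    "x-auth-user: demo\nx-auth-key: PASSWORD_PLACEHOLDER\n\n{}",
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

Run as a regression check with `include_password=False`, any finding means the client sent credentials without the flag being set.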
I think this will fix it and pass tests. I am having trouble running the local gate at the moment so I haven't done a full integration test.