neutronclient debug logging includes keystone auth token
Bug #1320098 reported by Xu Han Peng
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-neutronclient | Fix Released | Medium | Feng Ju | |
Bug Description
neutronclient is logging the auth token in the nova logs. Since the logs are world-readable, this means any user on this system can see the auth token, which they can then use to get OpenStack administrator access.
information type: | Private Security → Public |
Changed in neutron: | |
assignee: | nobody → Xu Han Peng (xuhanp) |
Changed in neutron: | |
status: | New → In Progress |
affects: | neutron → python-neutronclient |
Changed in python-neutronclient: | |
importance: | Undecided → Medium |
tags: | added: security |
Changed in python-neutronclient: | |
assignee: | Xu Han Peng (xuhanp) → Feng Ju (jufeng) |
Changed in python-neutronclient: | |
assignee: | Feng Ju (jufeng) → Xu Han Peng (xuhanp) |
Changed in python-neutronclient: | |
assignee: | Xu Han Peng (xuhanp) → Feng Ju (jufeng) |
This is similar to a bug in keystone: bug #1004114
Dolph Mathews commented on this bug's patch: "why would a production environment have debug enabled?"
I think this bug may need to be reconsidered.
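
One way to keep token values out of debug output, as an added example (not python-neutronclient's code and not the fix that was released): a `logging.Filter` that replaces the value of an `X-Auth-Token` header with a truncated SHA-256 digest, so log lines can still be correlated without exposing a usable token. The header pattern, the logger name, the URL and the token value in the sample line are assumptions constructed for the example.

```python
import hashlib
import io
import logging
import re

# Matches the token header as it commonly appears in HTTP debug output,
# e.g. curl-style `-H "X-Auth-Token: <value>"` or a dict repr
# `'X-Auth-Token': '<value>'`. The log shape is an assumption of this example.
_TOKEN_RE = re.compile(
    r"""(X-(?:Auth|Subject)-Token['"]?\s*[:=]\s*['"]?)([^\s'",}]+)""",
    re.IGNORECASE,
)


def redact_tokens(text):
    """Replace each token value with a short, non-reversible digest."""
    def _sub(match):
        digest = hashlib.sha256(match.group(2).encode("utf-8")).hexdigest()
        return "%s{SHA256}%s" % (match.group(1), digest[:16])
    return _TOKEN_RE.sub(_sub, text)


class TokenRedactingFilter(logging.Filter):
    """Logging filter that scrubs auth tokens before a record is emitted."""

    def filter(self, record):
        # Render msg % args first so tokens passed as arguments are covered.
        record.msg = redact_tokens(record.getMessage())
        record.args = ()
        return True


def demo():
    """Log a constructed debug line through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(TokenRedactingFilter())
    log = logging.getLogger("redaction_demo")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    # Constructed sample line: URL and token value are made up.
    log.debug('REQ: curl -i %s -X GET -H "X-Auth-Token: %s"',
              "http://controller.example:9696/v2.0/networks", "EXAMPLE-TOKEN-0001")
    return stream.getvalue()
```

Attaching the filter to the handler rather than to one logger covers every logger that writes through that handler. Restricting the log file's permissions remains a separate control for the world-readable condition the report describes.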