Comment 0 for bug 1655781

Rahul U Nair (rahulunair) wrote :

Auth tokens logged by proxy and object server if the swauth[1] authentication middleware is used.

Swift object store and proxy server is saving tokens retrieved from middleware authentication mechanism (swauth) to log file

Steps to trigger the issue:

1. Enable `swauth` authentication middleware
2. Retieve token using:

```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```

Logs written when the above command is excecuted has the token as well:

```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```

3. After retrieving the token from the logfile, I was able to execute this command as below,

```
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```

The output obtained:

```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```

As, swift has the ability to add any middleware for authentication, swauth is officially part of OpenStack project[1], the token should not be logged. I suspect this issue would be there for any authentication middleware and is a security issue.

[1]. https://github.com/openstack/swauth