[openstack-dev] [cinder] CHAP secret is visible in cinder volume log

Yogesh Prasad yogesh.prasad at cloudbyte.com
Thu Apr 16 12:54:08 UTC 2015


I am wondering why screen-c-vol.log is displaying the CHAP secret.


2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
[req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo cinder-rootwrap
/etc/cinder/rootwrap.conf iscsiadm -m node -T
iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p --op update -n* node.session.auth.password -v ***"
returned:* 0 in 0.088s execute

The above log hides the secret.

2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
[req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n',
'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout=
stderr= _run_iscsiadm

However, this one does not hide the secret.

In addition, I find that the CHAP credentials are stored as a plain string
in the database table (volumes).

I guess these are security risks in the current implementation. Any
comments?

*CloudByte Inc.* <http://www.cloudbyte.com/>
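
One way to keep the argument tuple shown in the second log line out of a debug log, as an added example (not code from the post or from Cinder): redact the value that accompanies a CHAP password setting before the arguments are formatted. The names `redact_iscsiadm_args`, `log_iscsiadm` and `SENSITIVE_SUFFIXES` are assumptions, and the `--name=`/`--value=` handling goes beyond the single case in the post.

```python
import io
import logging

MASK = "***"
# Assumption: any iscsiadm setting name ending in one of these holds a CHAP secret.
SENSITIVE_SUFFIXES = (".auth.password", ".auth.password_in")

def redact_iscsiadm_args(args):
    """Return a copy of an iscsiadm argument sequence that is safe to log."""
    args = [str(a) for a in args]
    # Pass 1: collect the setting names given with -n / --name.
    names = []
    for i, arg in enumerate(args):
        if arg in ("-n", "--name") and i + 1 < len(args):
            names.append(args[i + 1])
        elif arg.startswith("--name="):
            names.append(arg.split("=", 1)[1])
    if not any(n.endswith(SENSITIVE_SUFFIXES) for n in names):
        return tuple(args)
    # Pass 2: mask every value, whichever side of the name it appears on.
    safe, mask_next = [], False
    for arg in args:
        if mask_next:
            safe.append(MASK)
            mask_next = False
        elif arg.startswith("--value="):
            safe.append("--value=" + MASK)
        else:
            safe.append(arg)
            mask_next = arg in ("-v", "--value")
    return tuple(safe)

def log_iscsiadm(logger, args, out="", err=""):
    """Hypothetical logging helper: only the redacted arguments are formatted."""
    logger.debug("iscsiadm %s: stdout=%s stderr=%s",
                 redact_iscsiadm_args(args), out, err)

def demo():
    """Log the argument tuple quoted in the post; return the emitted text."""
    stream = io.StringIO()
    logger = logging.getLogger("chap_redaction_demo")
    logger.setLevel(logging.DEBUG)
    logger.handlers = [logging.StreamHandler(stream)]
    log_iscsiadm(logger, ("--op", "update", "-n", "node.session.auth.password",
                          "-v", "fakeauthgroupchapsecret"))
    return stream.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

The command's stdout and stderr are passed through unchanged here, so they would need their own check if the tool can echo the secret back.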