[openstack-dev] [cinder] CHAP secret is visible in cinder volume log

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Apr 16 13:33:21 UTC 2015

On 04/16/2015 08:54 AM, Yogesh Prasad wrote:
> Hi,
> I am wondering why screen-c-vol.log is displaying the CHAP secret.
> Logs:
> 2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
> 4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo cinder-rootwrap
> /etc/cinder/rootwrap.conf iscsiadm -m node -T
> iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
> --op update -n* node.session.auth.password -v ***"
> returned:* 0 in 0.088s execute
> /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
> Above log hides the secret.
> 2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
> 4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n',
> 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout=
> stderr= _run_iscsiadm
> /opt/stack/cinder/cinder/brick/initiator/connector.py:455
> However, this one does not hide the secret.
> In addition, i find that the CHAP credentials are stored as plain string
> the database table (volumes).
> I guess these are security risks in the current implementation. Any
> comments ?

Hi Yogesh,

we can't realistically consider DEBUG logs as a security risks. the real
issue in my opinion is that services are ran in DEBUG mode in production...

Also the database content is also considered sensitive and should not be
available to users.

Though I agree with you and both issues should be considered security
hardening (hide passwords in debug logs and use encrypted storage so
that only the service could decrypt the passwords).

Thanks for raising these issues

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150416/94300251/attachment.pgp>

More information about the OpenStack-dev mailing list