[openstack-dev] [cinder] CHAP secret is visible in cinder volume log

Mike Perez thingee at gmail.com
Thu Apr 16 16:41:37 UTC 2015


On 18:24 Apr 16, Yogesh Prasad wrote:
> Hi,
> 
> I am wondering why screen-c-vol.log is displaying the CHAP secret.
> 
> Logs:
> 
> 2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
> 4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo cinder-rootwrap
> /etc/cinder/rootwrap.conf iscsiadm -m node -T
> iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
> 192.10.44.48:3260 --op update -n* node.session.auth.password -v ***"
> returned:* 0 in 0.088s execute
> /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
> 
> Above log hides the secret.
> 
> 2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
> 4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n',
> 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout=
> stderr= _run_iscsiadm
> /opt/stack/cinder/cinder/brick/initiator/connector.py:455
> 
> However, this one does not hide the secret.

This is specifically happening in oslo_concurrency lib. We could add 'v' to
the sanitize_keys in oslo_utils.strutils, but that seems a bit weird. I'm
waiting for someone to get back to me in #openstack-oslo on how to best deal with
this.

-- 
Mike Perez
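
Added example, not part of the original message and not cinder or oslo code: one way to mask the secret in the second log line is to key on the iscsiadm setting name given by `-n` rather than on the generic `-v` flag. The helper names and the rule "any setting name containing `password` is sensitive" are assumptions made for this sketch.

```python
import logging

LOG = logging.getLogger("iscsiadm-demo")
MASK = "***"
NAME_FLAGS = ("-n", "--name")    # iscsiadm: setting to update
VALUE_FLAGS = ("-v", "--value")  # iscsiadm: new value for that setting


def is_sensitive(setting_name):
    # Assumption for this sketch: any setting whose name contains
    # "password" (e.g. node.session.auth.password) holds a secret.
    return "password" in setting_name.lower()


def mask_iscsiadm_args(args):
    """Return a copy of an iscsiadm argument sequence that is safe to log.

    The value after -v is masked only when a -n in the same command names
    a sensitive setting, so non-secret updates stay readable and the
    result does not depend on the order of -n and -v.
    """
    args = [str(a) for a in args]
    names = [args[i + 1] for i, a in enumerate(args[:-1]) if a in NAME_FLAGS]
    if not any(is_sensitive(n) for n in names):
        return tuple(args)
    return tuple(
        MASK if i and args[i - 1] in VALUE_FLAGS else a
        for i, a in enumerate(args)
    )


def format_for_log(args, out="", err=""):
    # Same shape as the connector debug line quoted in the thread.
    return "iscsiadm %s: stdout=%s stderr=%s" % (mask_iscsiadm_args(args), out, err)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Argument tuple taken from the log line quoted in the thread.
    chap = ("--op", "update", "-n", "node.session.auth.password",
            "-v", u"fakeauthgroupchapsecret")
    # Constructed non-secret update for comparison.
    startup = ("--op", "update", "-n", "node.startup", "-v", "automatic")
    LOG.debug(format_for_log(chap))
    LOG.debug(format_for_log(startup))
```
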


