[openstack-dev] [cinder] CHAP secret is visible in cinder volume log

Walter A. Boring IV walter.boring at hp.com
Thu Apr 16 17:25:18 UTC 2015


Can you please file a defect for this against cinder and os-brick?
I'll fix it ASAP.


Walt
> Hi,
>
> I am wondering why screen-c-vol.log is displaying the CHAP secret.
>
> Logs:
>
> 2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils 
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 
> ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - 
> -] CMD "sudo cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m 
> node -T iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p 
> 192.10.44.48:3260 --op update 
> -n*node.session.auth.password -v ***" returned:* 0 in 0.088s execute 
> /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
>
> Above log hides the secret.
>
> 2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector 
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 
> ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - - 
> -] *iscsiadm ('--op', 'update', '-n', 'node.session.auth.password', 
> '-v', u'fakeauthgroupchapsecret')*: stdout= stderr= _run_iscsiadm 
> /opt/stack/cinder/cinder/brick/initiator/connector.py:455
>
> However, this one does not hide the secret.
>
> In addition, I find that the CHAP credentials are stored as a plain 
> string in the database table (volumes).
>
> I guess these are security risks in the current implementation. Any 
> comments?
>
>
> Regards,
> Yogesh
> /CloudByte Inc./ <http://www.cloudbyte.com/>

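An added example (not from this thread, and not cinder or os-brick code) of redacting the iscsiadm argument tuple before it reaches a debug log, which is the step missing in the second log line quoted above. The helper names, the suffix list and the mask string are assumptions made for illustration.

```python
import logging

# Assumption: iscsiadm setting names whose value is a credential. The page
# shows only node.session.auth.password; the "_in" variant is added here.
SENSITIVE_SUFFIXES = (".password", ".password_in")
MASK = "***"

# Argument tuple copied from the unmasked log line quoted above.
PAGE_ARGS = ("--op", "update", "-n", "node.session.auth.password",
             "-v", u"fakeauthgroupchapsecret")


def _is_sensitive(name):
    return name.lower().endswith(SENSITIVE_SUFFIXES)


def redact_iscsiadm_args(args):
    """Return a copy of an iscsiadm argv with credential values masked.

    Fails closed: if any -n/--name refers to a credential setting, every
    -v/--value is masked, whatever order the options appear in.
    """
    args = [str(a) for a in args]
    names = [args[i + 1] for i, a in enumerate(args[:-1])
             if a in ("-n", "--name")]
    names += [a.split("=", 1)[1] for a in args if a.startswith("--name=")]
    if not any(_is_sensitive(n) for n in names):
        return tuple(args)

    redacted, mask_next = [], False
    for a in args:
        if mask_next:
            redacted.append(MASK)
            mask_next = False
        elif a.startswith("--value="):
            redacted.append("--value=" + MASK)
        else:
            redacted.append(a)
            mask_next = a in ("-v", "--value")
    return tuple(redacted)


def log_iscsiadm(logger, args, out="", err=""):
    """Emit the connector-style debug line with the argv redacted first."""
    safe = redact_iscsiadm_args(args)
    logger.debug("iscsiadm %s: stdout=%s stderr=%s", safe, out, err)
    return safe


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_iscsiadm(logging.getLogger("example"), PAGE_ARGS)
```

Redacting at the call site covers only this one log statement; the plain-text storage in the volumes table raised in the same message is a separate issue that log masking does not address.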