[openstack-dev] [cinder] CHAP secret is visible in cinder volume log

Yogesh Prasad yogesh.prasad at cloudbyte.com
Fri Apr 17 05:50:38 UTC 2015 

Hi All,

Thanks for your comments, due to time zone difference i was not able to
interact.

Regards,
Yogesh
*CloudByte Inc.* <http://www.cloudbyte.com/>

On Thu, Apr 16, 2015 at 11:19 PM, Mike Perez <thingee at gmail.com> wrote:

> On 09:41 Apr 16, Mike Perez wrote:
> > On 18:24 Apr 16, Yogesh Prasad wrote:
> > > Hi,
> > >
> > > I am wondering why screen-c-vol.log is displaying the CHAP secret.
> > >
> > > Logs:
> > >
> > > 2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
> > > [req-23c699df-7b21-48d2-ba14-d8ed06642050
> ce8dccba9ccf48fb956060b3e54187a2
> > > 4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo cinder-rootwrap
> > > /etc/cinder/rootwrap.conf iscsiadm -m node -T
> > > iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
> > > 192.10.44.48:3260 --op update -n* node.session.auth.password -v ***"
> > > returned:* 0 in 0.088s execute
> > >
> /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
> > >
> > > Above log hides the secret.
> > >
> > > 2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
> > > [req-23c699df-7b21-48d2-ba14-d8ed06642050
> ce8dccba9ccf48fb956060b3e54187a2
> > > 4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update',
> '-n',
> > > 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*:
> stdout=
> > > stderr= _run_iscsiadm
> > > /opt/stack/cinder/cinder/brick/initiator/connector.py:455
> > >
> > > However, this one does not hide the secret.
> >
> > This is is specifically happening in oslo_concurrency lib. We could add
> 'v' to
> > the sanitize_keys in oslo_utils.strutils, but that seems a bit weird. I'm
> > waiting for someone to get back to me #openstack-oslo on how to best
> deal with
> > this.
>
> Duh thanks Walt.
>
> https://review.openstack.org/174484
> https://review.openstack.org/174485
>
> --
> Mike Perez
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150417/7926a7dc/attachment.html>

More information about the OpenStack-dev mailing list