<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">I went ahead and filed a bug, and I
      have 2 fixes posted up already that<br>
      mirror how nova fixed this issue in the libvirt volume driver
      for iSCSI.<br>
      <br>
      <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/os-brick/+bug/1445137">https://bugs.launchpad.net/os-brick/+bug/1445137</a><br>
      <br>
      Walt<br>
      <br>
      On 04/16/2015 05:54 AM, Yogesh Prasad wrote:<br>
    </div>
    <blockquote
cite="mid:CALQuZPwXOUCDso_5LSHErUCs6YUP-H7W+FQYuho4PrS44hS6Hw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="">
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif">Hi,</font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif"><br>
            </font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif">I am wondering why screen-c-vol.log is
              displaying the CHAP secret.</font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif"><br>
            </font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif">Logs:</font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif"><br>
            </font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif">
              <div class="gmail_default">2015-04-16 16:04:23.288 7306
                DEBUG oslo_concurrency.processutils
                [req-23c699df-7b21-48d2-ba14-d8ed06642050
                ce8dccba9ccf48fb956060b3e54187a2
                4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo
                cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m
                node -T
                iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df
                -p <a moz-do-not-send="true"
                  href="http://192.10.44.48:3260">192.10.44.48:3260</a>
                --op update -n<b><font color="#38761d"> </font><font
                    color="#0000ff">node.session.auth.password -v ***"
                    returned</font><font color="#741b47">:</font></b> 0
                in 0.088s execute
/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225</div>
              <div class="gmail_default"><br>
              </div>
              <div class="gmail_default">Above log hides the secret.</div>
              <div class="gmail_default"><br>
              </div>
              <div class="gmail_default">2015-04-16 16:04:23.290 7306
                DEBUG cinder.brick.initiator.connector
                [req-23c699df-7b21-48d2-ba14-d8ed06642050
                ce8dccba9ccf48fb956060b3e54187a2
                4ad219788df049e0b131e17f603d5faa - - -] <font
                  color="#0000ff"><b>iscsiadm ('--op', 'update', '-n',
                    'node.session.auth.password', '-v',
                    u'fakeauthgroupchapsecret')</b></font>: stdout=
                stderr= _run_iscsiadm
                /opt/stack/cinder/cinder/brick/initiator/connector.py:455</div>
              <div class="gmail_default"><br>
              </div>
              <div class="gmail_default">However, this one does not hide
                the secret.</div>
              <div class="gmail_default"><br>
              </div>
              <div class="gmail_default">In addition, I find that the
                CHAP credentials are stored as a plain string in the
                database table (volumes).</div>
              <div class="gmail_default"><br>
              </div>
              <div class="gmail_default">I guess these are security
                risks in the current implementation. Any comments?</div>
              <div class="gmail_default"><br>
              </div>
            </font></div>
          <div class="gmail_default" style=""><font face="trebuchet ms,
              sans-serif"><br>
            </font></div>
        </div>
        <div>
          <div class="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div
                      style="font-family:arial,sans-serif;font-size:12.8000001907349px"><font
                        face="trebuchet ms, sans-serif" color="#000000">Regards,</font></div>
                    <font face="trebuchet ms, sans-serif"
                      color="#000000">Yogesh</font><br>
                    <div
                      style="font-family:arial,sans-serif;font-size:12.8000001907349px"><a
                        moz-do-not-send="true"
                        href="http://www.cloudbyte.com/"
                        style="color:rgb(17,85,204)" target="_blank"><font
                          face="trebuchet ms, sans-serif"
                          color="#0000ff"><i>CloudByte Inc.</i></font></a></div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
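    <div>Added example, not part of the original thread and not the os-brick or nova patch: one way to mask the CHAP secret before an iscsiadm argument tuple like the one in the second log line reaches a debug log. The function names and the rule "mask the value whenever the setting name contains 'password'" are assumptions made for illustration.</div>

```python
import logging

MASK = "***"
NAME_FLAGS = ("-n", "--name")     # iscsiadm: name of the setting to update
VALUE_FLAGS = ("-v", "--value")   # iscsiadm: value for that setting


def _setting_names(args):
    """Collect every setting name passed with -n / --name / --name=..."""
    names = []
    for i, arg in enumerate(args):
        if arg in NAME_FLAGS and i + 1 != len(args):
            names.append(args[i + 1])
        elif arg.startswith("--name="):
            names.append(arg.split("=", 1)[1])
    return names


def sanitize_iscsiadm_args(args):
    """Return a copy of args that is safe to log.

    Assumption: any setting whose name contains "password" carries a
    secret, so every value in that command is masked, whatever the
    order of the name and value options.
    """
    args = [str(a) for a in args]
    if not any("password" in n.lower() for n in _setting_names(args)):
        return tuple(args)
    cleaned, mask_next = [], False
    for arg in args:
        if mask_next:
            cleaned.append(MASK)
            mask_next = False
        elif arg in VALUE_FLAGS:
            cleaned.append(arg)
            mask_next = True
        elif arg.startswith("--value="):
            cleaned.append("--value=" + MASK)
        else:
            cleaned.append(arg)
    return tuple(cleaned)


def format_iscsiadm_log(args, out, err):
    """Build the debug message from sanitized arguments only."""
    return "iscsiadm %s: stdout=%s stderr=%s" % (
        sanitize_iscsiadm_args(args), out, err)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Argument tuple taken from the log line quoted in the thread.
    cmd = ("--op", "update", "-n", "node.session.auth.password",
           "-v", u"fakeauthgroupchapsecret")
    logging.getLogger("example").debug(format_iscsiadm_log(cmd, "", ""))
```

    <div>The raw tuple is still what gets executed; only the copy handed to the logger is masked.</div>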
  </body>
</html>