<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I went ahead and filed a bug, and I
have 2 fixes posted up already that<br>
mirror how nova fixed this issue in the libvirt volume driver
for iSCSI.<br>
<br>
<a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/os-brick/+bug/1445137">https://bugs.launchpad.net/os-brick/+bug/1445137</a><br>
<br>
Walt<br>
<br>
On 04/16/2015 05:54 AM, Yogesh Prasad wrote:<br>
</div>
<blockquote
cite="mid:CALQuZPwXOUCDso_5LSHErUCs6YUP-H7W+FQYuho4PrS44hS6Hw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="">
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif">Hi,</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif">I am wondering why screen-c-vol.log is
displaying the CHAP secret.</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif">Logs:</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif"><br>
</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif">
<div class="gmail_default">2015-04-16 16:04:23.288 7306
DEBUG oslo_concurrency.processutils
[req-23c699df-7b21-48d2-ba14-d8ed06642050
ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo
cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m
node -T
iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df
-p <a moz-do-not-send="true"
href="http://192.10.44.48:3260">192.10.44.48:3260</a>
--op update -n<b><font color="#38761d"> </font><font
color="#0000ff">node.session.auth.password -v ***"
returned</font><font color="#741b47">:</font></b> 0
in 0.088s execute
/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Above log hides the secret.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">2015-04-16 16:04:23.290 7306
DEBUG cinder.brick.initiator.connector
[req-23c699df-7b21-48d2-ba14-d8ed06642050
ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] <font
color="#0000ff"><b>iscsiadm ('--op', 'update', '-n',
'node.session.auth.password', '-v',
u'fakeauthgroupchapsecret')</b></font>: stdout=
stderr= _run_iscsiadm
/opt/stack/cinder/cinder/brick/initiator/connector.py:455</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">However, this one does not hide
the secret.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">In addition, I find that the
CHAP credentials are stored as a plain string in the database
table (volumes).</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">I guess these are security
risks in the current implementation. Any comments?</div>
<div class="gmail_default"><br>
</div>
</font></div>
<div class="gmail_default" style=""><font face="trebuchet ms,
sans-serif"><br>
</font></div>
</div>
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><font
face="trebuchet ms, sans-serif" color="#000000">Regards,</font></div>
<font face="trebuchet ms, sans-serif"
color="#000000">Yogesh</font><br>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><a
moz-do-not-send="true"
href="http://www.cloudbyte.com/"
style="color:rgb(17,85,204)" target="_blank"><font
face="trebuchet ms, sans-serif"
color="#0000ff"><i>CloudByte Inc.</i></font></a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
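<p>Added example, not part of the original thread and not the os-brick or nova fix: one way to keep the secret out of a debug line like the second one quoted above is to redact the iscsiadm argument tuple before it is formatted. The function names and the key pattern are assumptions; the first sample tuple is taken from the quoted log, the second is constructed.</p>
<pre>
```python
import re

# Assumption: any iscsiadm setting whose name contains one of these words holds a secret.
SENSITIVE = re.compile(r"password|secret", re.IGNORECASE)
MASK = "***"

# Argument tuple as it appears in the second quoted log line.
PAGE_ARGS = ("--op", "update", "-n", "node.session.auth.password",
             "-v", u"fakeauthgroupchapsecret")
# Constructed sample: a non-secret setting, long-option form.
CONSTRUCTED_ARGS = ("--op", "update",
                    "--name=node.session.auth.authmethod", "--value=CHAP")


def redact_iscsiadm_args(args):
    """Return a list copy of an iscsiadm argument sequence that is safe to log."""
    args = [str(a) for a in args]
    # Pass 1: find setting names given as "-n NAME", "--name NAME" or "--name=NAME".
    names = [nxt for cur, nxt in zip(args, args[1:]) if cur in ("-n", "--name")]
    names += [a.split("=", 1)[1] for a in args if a.startswith("--name=")]
    if not any(SENSITIVE.search(n) for n in names):
        return args
    # Pass 2: mask every value, whichever side of the name it appears on.
    redacted, mask_next = [], False
    for a in args:
        if mask_next:
            redacted.append(MASK)
            mask_next = False
        elif a.startswith("--value="):
            redacted.append("--value=" + MASK)
        else:
            redacted.append(a)
            mask_next = a in ("-v", "--value")
    return redacted


def format_debug_line(args, out="", err=""):
    """Build the debug message from redacted arguments only."""
    safe = tuple(redact_iscsiadm_args(args))
    return "iscsiadm %s: stdout=%s stderr=%s" % (safe, out, err)


if __name__ == "__main__":
    print(format_debug_line(PAGE_ARGS))
    print(format_debug_line(CONSTRUCTED_ARGS))
```
</pre>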
</body>
</html>