[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Ifeca3056b8552d4b78845e97ddc25f00c49950de

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Mon Jul 14 22:56:55 UTC 2014


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/106890

Log:
commit f39399276762369fd232b28a7bd5a42a999a00ff
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Mon Jul 14 17:08:07 2014 -0500

    Do not expose Token IDs in debug output
    
    It is only very slightly less of a security issue to expose
    Token IDs in the logs than it is to expose password details. This
    change obscures the Token ID in the debug output in all cases to
    ensure that the ID is not presented in any of the logs that could
    be read by an unprivileged source (e.g. lower priv log watchers,
    centralized logging, etc).
    
    The main use case is to ensure that it is possible to correlate a
    token to the various requests made. In some cases this has shown
    where a token has expired (tokens weren't properly refreshed).
    This use case for debugging eliminates simple redaction of the
    token id from the logs.
    
    SHA1 is no longer allowed as a hashing mode for CMS token hashing.
    This is because SHA1 is being used to obscure tokens in the
    session object debug. This is done to prevent the debug output
    from potentially exposing a valid token (PKI->sha1-short-id)
    in some configurations of Keystone / auth_token middleware.
    
    The raw data elements from the token (e.g. user, roles, expiration
    etc) could be added into debug/trace level logging at a future time.
    
    SecurityImpact
    
    Change-Id: Ifeca3056b8552d4b78845e97ddc25f00c49950de
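The commit message above describes two things at once: obscuring a token in debug output with a hash (so the same token still correlates across log lines without the raw ID appearing) and the reason SHA1 had to be dropped as a CMS token hashing mode (if the short ID of a PKI token is sha1(token), a sha1-obscured debug line is itself a valid token ID). The following is an added illustration of that reasoning, not code from python-keystoneclient or the change under review; `cms_short_id`, `obscure_token`, `debug_line` and `obscured_equals_short_id` are hypothetical names, and the token value is constructed.

```python
import hashlib

# Constructed stand-in for a CMS-signed (PKI) token body; not a real token.
SAMPLE_PKI_TOKEN = "constructed-cms-token-body-for-example-only"


def cms_short_id(pki_token: str, algorithm: str) -> str:
    """Simplified stand-in (assumption) for the 'PKI -> short id' hashing the
    commit message refers to: the short id is the hex digest of the token
    under the configured algorithm, and that short id is accepted as a token."""
    return hashlib.new(algorithm, pki_token.encode("utf-8")).hexdigest()


def obscure_token(token_id: str) -> str:
    """Replace a token with a SHA1 fingerprint for debug output. The value is
    stable per token, so requests made with the same token can still be
    correlated, but the raw token itself is never written."""
    return "{SHA1}" + hashlib.sha1(token_id.encode("utf-8")).hexdigest()


def debug_line(method: str, url: str, token_id: str) -> str:
    """Build a debug log line for a request, with the token obscured."""
    return "REQ: curl -i -X %s %s -H 'X-Auth-Token: %s'" % (
        method, url, obscure_token(token_id))


def obscured_equals_short_id(pki_token: str, cms_hash_algorithm: str) -> bool:
    """True when the obscured debug value for a PKI token is exactly the
    token's own short id, i.e. the log line would contain a usable token.
    This is the case the commit avoids by disallowing sha1 for CMS hashing."""
    digest = obscure_token(pki_token)[len("{SHA1}"):]
    return digest == cms_short_id(pki_token, cms_hash_algorithm)


if __name__ == "__main__":
    line = debug_line("GET", "http://keystone.example/v3/users", SAMPLE_PKI_TOKEN)
    print(line)
    print("raw token in log line:", SAMPLE_PKI_TOKEN in line)
    for algorithm in ("sha1", "sha256"):
        print("CMS hash %-6s -> obscured value is a valid token id: %s"
              % (algorithm, obscured_equals_short_id(SAMPLE_PKI_TOKEN, algorithm)))
```

With the CMS hashing mode set to sha1 the obscured value and the short id coincide, which is why the change removes sha1 from the allowed CMS hashing modes rather than switching the debug fingerprint; with sha256 (or any other mode) the fingerprint in the log is not a credential, while equal tokens still produce equal fingerprints for correlation.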
