[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Ifeca3056b8552d4b78845e97ddc25f00c49950de
gerrit2 at review.openstack.org
gerrit2 at review.openstack.org
Tue Jul 15 00:29:29 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/106890
Log:
commit b7a34b2a155f2bf719df8001b2f69dee26e77d92
Author: Brant Knudson <bknudson at us.ibm.com>
Date: Mon Jul 14 17:08:07 2014 -0500
Do not expose Token IDs in debug output
It is only very slightly less of a security issue to expose
Token IDs in the logs than it is to expose password details. This
change obscures the Token ID in the debug output in all cases to
ensure that the ID is not presented in any of the logs that could
be read by a unprivileged source (e.g. lower priv log watchers,
centralized logging, etc).
The main use case is to ensure that it is possible to correlate a
token to the various requests made. In some cases this has shown
where a token has expired (tokens weren't properly refreshed).
This use case for debugging eliminates simple redaction of the
token id from the logs.
SHA1 is no longer allowed as a hashing mode for CMS token hashing.
This is because SHA1 is being used to obscure tokens in the
session object debug. This is done to prevent the debug output
from being potentially exposing a valid token (PKI->sha1-short-id)
in some configurations of Keystone / auth_token middleware.
The raw data elements from the token (e.g. user, roles, expiration
etc) could be added into debug/trace level logging at a future time.
SecurityImpact
Change-Id: Ifeca3056b8552d4b78845e97ddc25f00c49950de
More information about the Openstack-security
mailing list