[Openstack-security] [Bug 1321080] Change abandoned on ceilometer (master)

OpenStack Infra 1321080 at bugs.launchpad.net
Fri Jun 6 13:25:06 UTC 2014


Change abandoned by gordon chung (chungg at ca.ibm.com) on branch: master
Review: https://review.openstack.org/96943
Reason: this code doesn't work against master due to switch to oslo.messaging. abandoning for this bug fix: https://bugs.launchpad.net/ceilometer/+bug/1327084

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1321080

Title:
  auth token is exposed in meter http.request

Status in OpenStack Telemetry (Ceilometer):
  In Progress
Status in OpenStack Neutron (virtual network service):
  In Progress
Status in Oslo - a Library of Common OpenStack Code:
  Fix Committed
Status in OpenStack Security Advisories:
  Confirmed
Status in pyCADF:
  Fix Committed

Bug description:
  auth token is exposed in meter http.request

  # curl -i -X GET -H 'X-Auth-Token: 258ab6539b3b4eae8b3af307b8f5eadd'
  -H 'Content-Type: application/json' -H 'Accept: application/json' -H
  'User-Agent: python-ceilometerclient'
  http://0.0.0.0:8777/v2/meters/http.request

  -----------
  snip..
  {"counter_name": "http.request", "user_id": "0", "resource_id": "ip-9-37-74-33:8774", "timestamp": "2014-05-16T17:42:16.851000", "recorded_at": "2014-05-16T17:42:17.039000", "resource_metadata": {"request.CADF_EVENT:initiator:host:address": "9.44.143.6", "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478", "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b", "request.REQUEST_METHOD": "DELETE", "event_type": "http.request", "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0", "request.CADF_EVENT:typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "request.HTTP_X_PROJECT_NAME": "ibm-default", "host": "nova-api", "request.SERVER_PORT": "8774", "request.REMOTE_PORT": "55258", "request.HTTP_X_USER_ID": "0", "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478", "request.CADF_EVENT:action": "delete", "request.CADF_EVENT:target:typeURI": "service/compute/servers/server", "request.HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
  snip...

  auth token is masked in "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478".
  But it is exposed in  "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1321080/+subscriptions




More information about the Openstack-security mailing list