[Openstack-security] [Bug 1321080] Re: auth token is exposed in meter http.request

Doug Hellmann doug.hellmann at dreamhost.com
Fri Jun 6 19:24:23 UTC 2014 

The incubator isn't on the OSSA list because the code in the incubator
is copied into other projects that are on the list, and it's assumed
that changes go into the incubator before being released into the
project(s) using the modules.

oslo.messaging and PyCADF are new releases from the oslo program, and
are being added to the list (probably during Juno, but that's not set
for certain).

I'm not certain what uses the notifier middleware. Technically, it's
middleware, so it don't have to be included in a project for a deployer
to use it.

@Gordon, do you have any insight into other projects using the
middleware?

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1321080

Title:
  auth token is exposed in meter http.request

Status in OpenStack Telemetry (Ceilometer):
  In Progress
Status in OpenStack Neutron (virtual network service):
  In Progress
Status in Oslo - a Library of Common OpenStack Code:
  Fix Committed
Status in OpenStack Security Advisories:
  Confirmed
Status in pyCADF:
  Fix Committed

Bug description:
  auth token is exposed in meter http.request

  # curl -i -X GET -H 'X-Auth-Token: 258ab6539b3b4eae8b3af307b8f5eadd'
  -H 'Content-Type: application/json' -H 'Accept: application/json' -H
  'User-Agent: python-ceilometerclient'
  http://0.0.0.0:8777/v2/meters/http.request

  -----------
  snip..
  {"counter_name": "http.request", "user_id": "0", "resource_id": "ip-9-37-74-33:8774", "timestamp": "2014-05-16T17:42:16.851000", "recorded_at": "2014-05-16T17:42:17.039000", "resource_metadata": {"request.CADF_EVENT:initiator:host:address": "9.44.143.6", "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478", "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b", "request.REQUEST_METHOD": "DELETE", "event_type": "http.request", "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0", "request.CADF_EVENT:typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "request.HTTP_X_PROJECT_NAME": "ibm-default", "host": "nova-api", "request.SERVER_PORT": "8774", "request.REMOTE_PORT": "55258", "request.HTTP_X_USER_ID": "0", "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478", "request.CADF_EVENT:action": "delete", "request.CADF_EVENT:target:typeURI": "service/compute/servers/server", "request.HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
  snip...

  auth token is masked in "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478".
  But it is exposed in  "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1321080/+subscriptions

More information about the Openstack-security mailing list