[Openstack-security] [Bug 1321080] Re: auth token is exposed in meter http.request

gordon chung gord at live.ca
Fri Jun 6 20:04:17 UTC 2014


the original blueprint for notifier middleware is:
https://blueprints.launchpad.net/ceilometer/+spec/count-api-requests.
i'm unaware of anyone using the notifier middleware on its own. to my
knowledge, the main consumer of notifier middleware is pyCADF (and its
audit middleware).

regarding the audit middleware:

the audit middleware (from oslo-incubator) was synced into Neutron in
icehouse as a side effect of another patch (so it may not even be used).
the audit middleware was also synced into Ceilometer in havana i believe
(to my knowledge it's not used either as pycadf is not a requirement in
Ceilometer)

the audit middleware (from pycadf) was purposely set as a requirement in
Nova in icehouse and is used (it is optionally enabled by deployer).
this audit middleware (from pycadf) did not exist before icehouse.

i'm not aware of any other projects pulling in pyCADF (and its audit
middleware).

hope this brain dump helps :)

-- 
https://bugs.launchpad.net/bugs/1321080

Title:
  auth token is exposed in meter http.request

Status in OpenStack Telemetry (Ceilometer):
  In Progress
Status in OpenStack Neutron (virtual network service):
  In Progress
Status in Oslo - a Library of Common OpenStack Code:
  Fix Committed
Status in OpenStack Security Advisories:
  Confirmed
Status in pyCADF:
  Fix Committed

Bug description:
  auth token is exposed in meter http.request

  # curl -i -X GET -H 'X-Auth-Token: 258ab6539b3b4eae8b3af307b8f5eadd'
  -H 'Content-Type: application/json' -H 'Accept: application/json' -H
  'User-Agent: python-ceilometerclient'
  http://0.0.0.0:8777/v2/meters/http.request

  -----------
  snip..
  {"counter_name": "http.request", "user_id": "0", "resource_id": "ip-9-37-74-33:8774", "timestamp": "2014-05-16T17:42:16.851000", "recorded_at": "2014-05-16T17:42:17.039000", "resource_metadata": {"request.CADF_EVENT:initiator:host:address": "9.44.143.6", "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478", "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b", "request.REQUEST_METHOD": "DELETE", "event_type": "http.request", "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0", "request.CADF_EVENT:typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "request.HTTP_X_PROJECT_NAME": "ibm-default", "host": "nova-api", "request.SERVER_PORT": "8774", "request.REMOTE_PORT": "55258", "request.HTTP_X_USER_ID": "0", "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478", "request.CADF_EVENT:action": "delete", "request.CADF_EVENT:target:typeURI": "service/compute/servers/server", "request.HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
  snip...

  auth token is masked in "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478".
  But it is exposed in "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478"
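The sample above shows the two ways the same token reaches the meter store: the CADF credential field is masked, the raw WSGI environ key request.HTTP_X_AUTH_TOKEN is not. The following is an added example (not code from Ceilometer, pyCADF or the bug fix) of a scrubber that masks token values in resource_metadata using the same first-4/last-4 format the report shows, plus a check that can be run over stored samples to find ones that still carry an unmasked token. The key names are taken from the report; the assumption that any environ key ending in _AUTH_TOKEN holds a credential reflects how WSGI maps an X-Auth-Token header and is the example's own choice.

```python
import copy
import re

# Masked form shown in the bug report for the CADF credential field:
# first four and last four characters kept, middle replaced by "xxxxxxxx".
_MASK_FILL = "xxxxxxxx"
_MASKED_RE = re.compile(r"^(\S{4} )?x{8}( \S{4})?$")

# Metadata keys known (from the report) to carry the auth token.
SENSITIVE_KEYS = frozenset({
    "request.HTTP_X_AUTH_TOKEN",
    "request.CADF_EVENT:initiator:credential:token",
})


def mask_token(token):
    """Mask a token the way the CADF credential field in the report is masked.

    Tokens shorter than 12 characters are replaced entirely so the kept
    prefix and suffix never make up most of the secret.
    """
    if not isinstance(token, str) or len(token) < 12:
        return _MASK_FILL
    return "%s %s %s" % (token[:4], _MASK_FILL, token[-4:])


def is_sensitive_key(key):
    """True for metadata keys that carry an auth token.

    Matches the two keys visible in the report and, more generally, any
    request environ key ending in _AUTH_TOKEN (assumption: that is how a
    WSGI server exposes an X-Auth-Token style header).
    """
    return key in SENSITIVE_KEYS or key.upper().endswith("_AUTH_TOKEN")


def already_masked(value):
    """True if the value is already in the masked format (idempotent scrub)."""
    return isinstance(value, str) and _MASKED_RE.match(value) is not None


def scrub_metadata(resource_metadata):
    """Return a copy of resource_metadata with every token value masked."""
    scrubbed = dict(resource_metadata)
    for key, value in resource_metadata.items():
        if is_sensitive_key(key) and not already_masked(value):
            scrubbed[key] = mask_token(value)
    return scrubbed


def find_unmasked_tokens(resource_metadata):
    """Keys whose value is an unmasked token: a check to run over stored samples."""
    return sorted(
        key for key, value in resource_metadata.items()
        if is_sensitive_key(key) and not already_masked(value)
    )


def scrub_sample(sample):
    """Scrub the resource_metadata of one meter sample without mutating it."""
    cleaned = copy.deepcopy(sample)
    cleaned["resource_metadata"] = scrub_metadata(cleaned.get("resource_metadata", {}))
    return cleaned


# Constructed sample, trimmed from the http.request sample in the bug report.
SAMPLE = {
    "counter_name": "http.request",
    "user_id": "0",
    "resource_id": "ip-9-37-74-33:8774",
    "resource_metadata": {
        "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
        "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b",
        "request.REQUEST_METHOD": "DELETE",
        "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478",
        "request.HTTP_X_USER_ID": "0",
        "host": "nova-api",
    },
}

if __name__ == "__main__":
    print("unmasked before:", find_unmasked_tokens(SAMPLE["resource_metadata"]))
    clean = scrub_sample(SAMPLE)
    print("unmasked after: ", find_unmasked_tokens(clean["resource_metadata"]))
    print(clean["resource_metadata"]["request.HTTP_X_AUTH_TOKEN"])
```

Running find_unmasked_tokens over samples that were already recorded is the part that matters after a fix ships: the middleware change stops new leaks, but tokens stored before it are still in the database until they are scrubbed or expire.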

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1321080/+subscriptions




More information about the Openstack-security mailing list