[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change If5b196a734e7a0f0b3fa892d5c0436812a5bbd85
gerrit2 at review.openstack.org
Fri Jun 13 21:40:24 UTC 2014
Hi, I'd like you to take a look at this patch for potential SecurityImpact.
https://review.openstack.org/99432
Log:
commit 6500d795d58e2c642677547329908ba816ef1463
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date: Wed Jun 11 10:13:32 2014 -0700
Do not expose Token IDs in debug output
It is only very slightly less of a security issue to expose
Token IDs in the logs than it is to expose password details. This
change obscures the Token ID in the debug output in all cases to
ensure that the ID is not presented in any of the logs that could
be read by an unprivileged source (e.g. lower priv log watchers,
centralized logging, etc).
The main use case is to ensure that it is possible to correlate a
token to the various requests made. In some cases this has shown
where a token has expired (tokens weren't properly refreshed).
This use case for debugging eliminates simple redaction of the
token id from the logs.
SHA1 is no longer allowed as a hashing mode for CMS token hashing.
This is because SHA1 is being used to obscure tokens in the
session object debug. This is done to prevent the debug output
from potentially exposing a valid token (PKI->sha1-short-id)
in some configurations of Keystone / auth_token middleware.
The raw data elements from the token (e.g. user, roles, expiration
etc) could be added into debug/trace level logging at a future time.
SecurityImpact
Change-Id: If5b196a734e7a0f0b3fa892d5c0436812a5bbd85
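To illustrate the two points made in the commit message (hashing a token ID for debug output rather than plainly redacting it, so requests can still be correlated, and the overlap between that debug hash and a PKI short ID when both use SHA1), here is an added Python example. It is not python-keystoneclient code; the `{ALG}digest` layout, the sample tokens and the header names are assumptions made for the demo.

```python
import hashlib

# Constructed sample values; neither is a real Keystone token.
SAMPLE_UUID_TOKEN = "4b1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f"
SAMPLE_PKI_TOKEN = "MIIB" + "A" * 200  # stands in for a long CMS/PKI blob

# Request/response headers that carry a token ID (assumed for this example).
TOKEN_HEADERS = ("X-Auth-Token", "X-Subject-Token")


def obscure_token(token_id, algorithm="sha256"):
    """Return a hash of the token ID tagged with the algorithm used.

    Every log line carrying the same token gets the same value, so a
    token can still be followed across requests (and an expired token
    spotted), but the token itself never reaches the log.
    """
    digest = hashlib.new(algorithm, token_id.encode("utf-8")).hexdigest()
    return "{%s}%s" % (algorithm.upper(), digest)


def redact_headers(headers, algorithm="sha256"):
    """Copy of a header dict with token-bearing headers obscured for debug output."""
    return {name: (obscure_token(value, algorithm) if name in TOKEN_HEADERS else value)
            for name, value in headers.items()}


def cms_short_id(pki_token, algorithm):
    """Short ID derived from a PKI/CMS token by hashing it.

    A deployment configured with the same hash algorithm treats this
    short ID as equivalent to the full token.
    """
    return hashlib.new(algorithm, pki_token.encode("utf-8")).hexdigest()


def debug_value_leaks_credential(pki_token, cms_algorithm, debug_algorithm):
    """True when the 'obscured' debug value equals the short ID the service
    accepts, i.e. when the redaction is no redaction at all. This is the
    PKI->sha1-short-id case that motivates dropping SHA1 for CMS hashing."""
    debug_digest = obscure_token(pki_token, debug_algorithm).split("}", 1)[1]
    return debug_digest == cms_short_id(pki_token, cms_algorithm)


if __name__ == "__main__":
    sample = {"X-Auth-Token": SAMPLE_UUID_TOKEN, "Accept": "application/json"}
    print("DEBUG headers:", redact_headers(sample))
    print("sha1 debug hash == sha1 short id:",
          debug_value_leaks_credential(SAMPLE_PKI_TOKEN, "sha1", "sha1"))
```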