[Openstack-security] [Bug 1375599] Re: Cinder should not publish sensitive data such as user token in notifications.

Jeremy Stanley fungi at yuggoth.org
Mon Oct 6 14:42:22 UTC 2014


** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1375599

Title:
  Cinder should not publish sensitive data such as user token in
  notifications.

Status in Cinder:
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Here is a message captured in rabbitmq:

  ctxt: {u'domain': None, u'project_name': u'admin', u'user_id': u'f6fafd3282a841849a01beeb80fd3161', u'roles': [u'heat_stack_owner', u'_member_', u'admin'], u'user_identity': u'f6fafd3282a841849a01beeb80fd3161 d6acdbfa2bba426c912f214c665e78d9 - - -', u'project_domain': None, u'timestamp': u'2014-09-25T07:01:02.936829', u'auth_token': u'bac7c01f4eb1412b841ab819ceddc5ad', u'remote_address': u'19.0.0.99', u'quota_class': None, u'project_id': u'd6acdbfa2bba426c912f214c665e78d9', u'is_admin': True, u'user': u'f6fafd3282a841849a01beeb80fd3161', u'service_catalog': [{u'endpoints': [{u'adminURL': u'http://19.0.0.99:8774/v2/d6acdbfa2bba426c912f214c665e78d9', u'region': u'RegionOne', u'internalURL': u'http://19.0.0.99:8774/v2/d6acdbfa2bba426c912f214c665e78d9', u'publicURL': u'http://19.0.0.99:8774/v2/d6acdbfa2bba426c912f214c665e78d9'}], u'type': u'compute', u'name': u'nova'}], u'request_id': u'req-623ecb62-0660-4264-b0d3-04eb13f54914', u'user_domain': None, u'read_deleted': u'no', u'tenant': u'd6acdbfa2bba426c912f214c665e78d9'}
  publisher_id: volume.aj-celiometer at lvmdriver-1
  event_type: volume.delete.end
  payload: {u'status': u'deleting', u'instance_uuid': None, u'user_id': u'f6fafd3282a841849a01beeb80fd3161', u'availability_zone': u'nova', u'tenant_id': u'd6acdbfa2bba426c912f214c665e78d9', u'created_at': u'2014-09-24 14:11:42', u'snapshot_id': None, u'volume_type': u'0bc2a44a-fd19-4448-8399-1538fc8724e5', u'host': u'aj-celiometer at lvmdriver-1#lvmdriver-1', u'replication_status': u'disabled', u'volume_id': u'25102eee-9e82-4ba8-8f8c-17bc52c6519f', u'replication_extended_status': None, u'replication_driver_data': None, u'size': 1, u'launched_at': u'2014-09-24 14:11:42', u'display_name': None}
  metadata: {'timestamp': u'2014-09-25 07:01:19.271715', 'message_id': u'9c77a382-05c2-4014-a1a9-cbc41b2d2eb7'}

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1375599/+subscriptions
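
Added example, not part of the original bug report and not Cinder's code: one way to find and mask credential fields in a request context like the ctxt captured above before it is published as a notification. The key list, the function names and the abridged sample (with a placeholder token) are assumptions made for illustration.

```python
import ast
import copy

# Assumption: keys treated as credentials; extend for your deployment.
SENSITIVE_KEYS = frozenset({"auth_token", "password", "admin_password"})
MASK = "***"

# Constructed sample, abridged from the ctxt shape in the report
# (the token value is a placeholder, not a real token).
SAMPLE_CTXT = (
    "{u'project_name': u'admin', u'auth_token': u'TOKEN-PLACEHOLDER', "
    "u'is_admin': True, u'service_catalog': [{u'type': u'compute', "
    "u'name': u'nova', u'endpoints': [{u'region': u'RegionOne'}]}], "
    "u'request_id': u'req-constructed'}"
)

def parse_ctxt(text):
    """Parse a Python-repr ctxt as logged (u'' literals) without eval()."""
    return ast.literal_eval(text)

def find_sensitive(obj, path=""):
    """Return dotted paths of every sensitive key found at any depth."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if key in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive(value, here))
    elif isinstance(obj, (list, tuple)):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive(item, f"{path}[{i}]"))
    return sorted(hits)

def scrub(obj):
    """Return a deep copy with sensitive values masked; input is untouched."""
    if isinstance(obj, dict):
        return {k: MASK if k in SENSITIVE_KEYS else scrub(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub(i) for i in obj)
    return copy.deepcopy(obj)

if __name__ == "__main__":
    ctxt = parse_ctxt(SAMPLE_CTXT)
    print("sensitive paths:", find_sensitive(ctxt))
    print("scrubbed ctxt:", scrub(ctxt))
```

Running find_sensitive() over captured messages works as an audit check on the bus, while scrub() is meant for the publishing side.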
