[Openstack-security] [Bug 1371355] Re: Keystone client logs x-subject-token at the debug log level

Morgan Fainberg morgan.fainberg at gmail.com
Fri Sep 26 23:38:48 UTC 2014


** Changed in: python-keystoneclient
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1371355

Title:
  Keystone client logs x-subject-token at the debug log level

Status in OpenStack Security Advisories:
  Won't Fix
Status in Python client library for Keystone:
  In Progress

Bug description:
  When you invoke any OpenStack API of any of the OpenStack services
  listed below, then it logs readable x-subject-token as a debug log
  message in the respective log file.

  x-subject-token is introduced in v3, so only setups using v3 keystone
  apis are affected.


  All OpenStack services that use the keystone client for authentication with the debug log level enabled are affected.
  Services affected are:
  glance
  neutron
  cinder
  heat
  ceilometer
  nova
  keystone
  neutron


  Example: I tried to list servers from nova using the "nova list" command, and it recorded the following log message in nova-api.log:

  nova-api.log
  {{{
  2014-09-18 15:48:14.491 20940 DEBUG keystoneclient.session [-] REQ: curl -i -X GET http://10.69.4.172:35357/v3/auth/tokens -H "X-Subject-Token: TOKEN_REDACTED" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: TOKEN_REDACTED" _http_log_request /opt/stack/python-keystoneclient/keystoneclient/session.py:153

  2014-09-18 15:48:14.533 20940 DEBUG keystoneclient.session [-] RESP: [200] CaseInsensitiveDict({'content-length': '7113', 'x-subject-token': '7574276dc55f45878f18e14396dcf7f5', 'vary': 'X-Auth-Token', 'server': 'Apache/2.4.7 (Ubuntu)', 'date': 'Thu, 18 Sep 2014 22:48:14 GMT', 'content-type': 'application/json'})
  }}}


  I can then simply use the x-subject-token value '7574276dc55f45878f18e14396dcf7f5' as X-Auth-Token in the curl command and access the tenant's information.

  {{{
  openstack at ubuntu:~$ curl -i 'http://10.69.4.172:8774/v2/d8a8252b035b4c18bee9215292485f78/servers/detail' -X GET -H "Accept: application/json" -H "X-Auth-Project-Id: demo" -H "X-Auth-Token: 7574276dc55f45878f18e14396dcf7f5"

  HTTP/1.1 200 OK
  Content-Type: application/json
  Content-Length: 15
  X-Compute-Request-Id: req-20ad9134-0c61-46de-91a1-da89283a057d
  Date: Thu, 18 Sep 2014 22:58:56 GMT
  {"servers": []}

  }}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1371355/+subscriptions
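As an added defensive example that is not part of the bug report or of python-keystoneclient: a small Python log sanitizer that masks the token headers in both shapes seen in the report (the curl-style REQ line, which the client already masks, and the CaseInsensitiveDict RESP line, which it does not) and flags any unmasked value so a leaked token in a debug log can be detected and rotated. The sample log lines, hostname and token value are constructed.

```python
import re

# Headers that carry bearer credentials in Keystone v3 traffic.
SENSITIVE_HEADERS = ("x-subject-token", "x-auth-token")
_NAMES = "|".join(re.escape(h) for h in SENSITIVE_HEADERS)

# Form 1: header inside the logged curl command:  -H "X-Subject-Token: <value>"
_CURL_HEADER = re.compile(r'(-H\s+"(?:%s):\s*)([^"]+)(")' % _NAMES, re.IGNORECASE)
# Form 2: header inside the logged CaseInsensitiveDict repr:  'x-subject-token': '<value>'
_DICT_HEADER = re.compile(r"('(?:%s)':\s*')([^']*)(')" % _NAMES, re.IGNORECASE)

MASK = "TOKEN_REDACTED"


def redact_tokens(line):
    """Return the log line with every sensitive header value replaced by MASK."""
    line = _CURL_HEADER.sub(lambda m: m.group(1) + MASK + m.group(3), line)
    return _DICT_HEADER.sub(lambda m: m.group(1) + MASK + m.group(3), line)


def find_leaked_tokens(lines):
    """Scan log lines; return (line_no, header_name, value) for each unmasked token.

    A value equal to MASK is the client's own redaction and is not reported.
    """
    leaks = []
    for n, line in enumerate(lines, 1):
        for pat in (_CURL_HEADER, _DICT_HEADER):
            for m in pat.finditer(line):
                if m.group(2) != MASK:
                    # The header name sits inside group 1; pull it out of the syntax.
                    name = re.search(_NAMES, m.group(1), re.IGNORECASE).group(0).lower()
                    leaks.append((n, name, m.group(2)))
    return leaks


# Constructed sample lines in the shape of the keystoneclient.session output
# quoted in the bug report (hostname and token value are made up).
SAMPLE_LOG = [
    '2014-09-18 15:48:14.491 20940 DEBUG keystoneclient.session [-] REQ: curl -i -X GET '
    'http://keystone.example:35357/v3/auth/tokens -H "X-Subject-Token: TOKEN_REDACTED" '
    '-H "Accept: application/json" -H "X-Auth-Token: TOKEN_REDACTED"',
    "2014-09-18 15:48:14.533 20940 DEBUG keystoneclient.session [-] RESP: [200] "
    "CaseInsensitiveDict({'content-length': '7113', "
    "'x-subject-token': '0123456789abcdef0123456789abcdef', 'vary': 'X-Auth-Token'})",
]

if __name__ == "__main__":
    for n, name, value in find_leaked_tokens(SAMPLE_LOG):
        print("line %d leaks %s (%d chars)" % (n, name, len(value)))
    for line in SAMPLE_LOG:
        print(redact_tokens(line))
```

Wiring redact_tokens into a logging.Filter on the keystoneclient.session logger would mask the value before it reaches the file; the scanner is for logs already written.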