[Openstack-security] [Bug 1371355] Re: Keystone client logs x-subject-token at the debug log level
OpenStack Infra
1371355 at bugs.launchpad.net
Tue Sep 30 13:53:41 UTC 2014
Reviewed: https://review.openstack.org/123954
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=ebeca911fa291e258c2c0b1ef55a26ff5ac009d2
Submitter: Jenkins
Branch: master
commit ebeca911fa291e258c2c0b1ef55a26ff5ac009d2
Author: ankitagrawal <ankit11.agrawal at nttdata.com>
Date: Fri Sep 19 04:46:11 2014 -0700
Redact x-subject-token from response headers
When you invoke any OpenStack API of any of the OpenStack services,
e.g. glance, neutron, cinder, heat, ceilometer, nova or keystone,
it logs a readable x-subject-token at the debug log level in the
respective log files.
Simply redact the x-subject-token in the keystone client response header
before logging it.
SecurityImpact
Closes-Bug: #1371355
Change-Id: Iac16c6358250677544761beea9f5c5d8ba29afac
** Changed in: python-keystoneclient
Status: In Progress => Fix Committed
https://bugs.launchpad.net/bugs/1371355
Title:
Keystone client logs x-subject-token at the debug log level
Status in OpenStack Security Advisories:
Won't Fix
Status in Python client library for Keystone:
Fix Committed
Bug description:
When you invoke any OpenStack API of any of the OpenStack services
listed below, it logs a readable x-subject-token as a debug log
message in the respective log file.
x-subject-token was introduced in v3, so only setups using the v3 keystone
API are affected.
All OpenStack services that use the keystone client for authentication and run at the debug log level are affected.
Services affected are:
glance
neutron
cinder
heat
ceilometer
nova
keystone
For example, I tried to list servers from nova using the "nova list" command; it then records the following log message in nova-api.log:
nova-api.log
{{{
2014-09-18 15:48:14.491 20940 DEBUG keystoneclient.session [-] REQ: curl -i -X GET http://10.69.4.172:35357/v3/auth/tokens -H "X-Subject-Token: TOKEN_REDACTED" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: TOKEN_REDACTED" _http_log_request /opt/stack/python-keystoneclient/keystoneclient/session.py:153
2014-09-18 15:48:14.533 20940 DEBUG keystoneclient.session [-] RESP: [200] CaseInsensitiveDict({'content-length': '7113', 'x-subject-token': '7574276dc55f45878f18e14396dcf7f5', 'vary': 'X-Auth-Token', 'server': 'Apache/2.4.7 (Ubuntu)', 'date': 'Thu, 18 Sep 2014 22:48:14 GMT', 'content-type': 'application/json'})
}}}
I can then simply use the x-subject-token value '7574276dc55f45878f18e14396dcf7f5' as X-Auth-Token in a curl command and access the tenant's information.
{{{
openstack at ubuntu:~$ curl -i 'http://10.69.4.172:8774/v2/d8a8252b035b4c18bee9215292485f78/servers/detail' -X GET -H "Accept: application/json" -H "X-Auth-Project-Id: demo" -H "X-Auth-Token: 7574276dc55f45878f18e14396dcf7f5"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15
X-Compute-Request-Id: req-20ad9134-0c61-46de-91a1-da89283a057d
Date: Thu, 18 Sep 2014 22:58:56 GMT
{"servers": []}
}}}
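The two halves of the problem above, redacting credential headers before they reach the debug log and finding tokens that older logs already contain, as an added example. This is not python-keystoneclient's own code or the committed fix; it is a stand-alone illustration. The helper names (redact_headers, format_request_log, format_response_log, find_leaked_tokens), the SENSITIVE_HEADERS set, the 32-hex-character token pattern (which fits the UUID-style token shown in the report but not PKI or Fernet tokens) and the sample headers and log lines are all constructed for this example.

```python
import re

# Header names whose values are bearer credentials and must never reach a
# log file. HTTP header names are case-insensitive, so compare lowercased.
# (Set chosen for this example; x-service-token is included as an assumption.)
SENSITIVE_HEADERS = frozenset({"x-auth-token", "x-subject-token", "x-service-token"})
REDACTED = "TOKEN_REDACTED"  # same placeholder the REQ line in the report uses


def redact_headers(headers):
    """Return a copy of a header mapping with credential values replaced.

    The whole value is replaced, not partially masked, so the log does not
    even reveal the token's length or prefix.
    """
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def format_request_log(method, url, headers):
    """Build a 'REQ: curl ...' debug line with credentials redacted."""
    parts = ["REQ: curl -i -X %s %s" % (method, url)]
    for name, value in redact_headers(headers).items():
        parts.append('-H "%s: %s"' % (name, value))
    return " ".join(parts)


def format_response_log(status, headers):
    """Build a 'RESP: [status] {...}' debug line with credentials redacted.

    Response headers are the leak in the bug report: the request side was
    already redacted, the response dict was logged verbatim.
    """
    return "RESP: [%d] %r" % (status, redact_headers(headers))


# Detection side: look for credential headers followed by an unredacted
# 32-hex-digit token (assumed token shape), in either the quoted-dict style
# of the RESP line or the curl -H "Name: value" style of the REQ line.
_LEAK_RE = re.compile(
    r"(x-subject-token|x-auth-token)['\"]?:\s*['\"]?([0-9a-f]{32})\b",
    re.IGNORECASE,
)


def find_leaked_tokens(log_text):
    """Return (header_name, token) pairs for credentials written in clear."""
    return [(name.lower(), token) for name, token in _LEAK_RE.findall(log_text)]


# Constructed sample data, modelled on the lines in the bug report.
SAMPLE_RESPONSE_HEADERS = {
    "content-length": "7113",
    "X-Subject-Token": "7574276dc55f45878f18e14396dcf7f5",
    "vary": "X-Auth-Token",
    "content-type": "application/json",
}

SAMPLE_LEAKY_LOG = (
    "DEBUG keystoneclient.session [-] REQ: curl -i -X GET "
    "http://10.69.4.172:35357/v3/auth/tokens "
    '-H "X-Subject-Token: TOKEN_REDACTED" -H "X-Auth-Token: TOKEN_REDACTED"\n'
    "DEBUG keystoneclient.session [-] RESP: [200] CaseInsensitiveDict({"
    "'content-length': '7113', "
    "'x-subject-token': '7574276dc55f45878f18e14396dcf7f5', "
    "'vary': 'X-Auth-Token', 'content-type': 'application/json'})\n"
)


if __name__ == "__main__":
    # Before the fix: the leaky log contains a usable token.
    print("leaked in old log:", find_leaked_tokens(SAMPLE_LEAKY_LOG))
    # After the fix: the same response logged through the redacting formatter.
    line = format_response_log(200, SAMPLE_RESPONSE_HEADERS)
    print(line)
    print("leaked after redaction:", find_leaked_tokens(line))
```

The detection regex is deliberately narrow so it can be run over a directory of old debug logs with few false positives; the 'vary: X-Auth-Token' header in the response does not match because the name is not followed by a colon and a hex value. Anything it reports should be treated as a compromised token and revoked.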