[Openstack-security] [Bug 1328488] Re: oslo apiclient logs sensitive data

Thierry Carrez thierry.carrez+lp at gmail.com
Thu Apr 30 07:59:25 UTC 2015


** Changed in: oslo-incubator
    Milestone: kilo-1 => 2015.1.0

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1328488

Title:
  oslo apiclient logs sensitive data

Status in The Oslo library incubator:
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  When trying to clean up the tempest logs in the gate, we leak
  passwords and keystone tokens everywhere. For instance, python-
  novaclient logs the auth token.

  What's more problematic though is that apiclient does the following:

      def _http_log_req(self, method, url, kwargs):
          if not self.debug:
              return

          string_parts = [
              "curl -i",
              "-X '%s'" % method,
              "'%s'" % url,
          ]

          for element in kwargs['headers']:
              header = "-H '%s: %s'" % (element, kwargs['headers'][element])
              string_parts.append(header)

          _logger.debug("REQ: %s" % " ".join(string_parts))
          if 'data' in kwargs:
              _logger.debug("REQ BODY: %s\n" % (kwargs['data']))

  The argument that it's at DEBUG level doesn't hold, because from the
  Atlanta operators summit it was clear that *all* operators are running
  their servers at DEBUG, because OpenStack is impossible to actually
  troubleshoot at any other logging level. And if you run neutron at
  debug level, then all your nova credentials are in your logs.

  This is coupled with the fact that a large amount of users are
  streaming all their logs directly into logstash. Which means they've
  now got a potentially public endpoint that lets them search for
  credentials.

  We need to stop doing that in a blanket way across OpenStack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oslo-incubator/+bug/1328488/+subscriptions




More information about the Openstack-security mailing list