[Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

OpenStack Infra 1465922 at bugs.launchpad.net
Mon Jul 13 19:47:15 UTC 2015 

Reviewed:  https://review.openstack.org/193695
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fbdb100e656b19958589fa659bf9d95303e76ab8
Submitter: Jenkins
Branch:    master

commit fbdb100e656b19958589fa659bf9d95303e76ab8
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Fri Jun 19 14:18:18 2015 -0500

    Mask passwords in debug log on user password operations
    
    When a user is created, they change their password, or admin
    changes their password and debug logging is enabled, the value of
    the user's password was logged. The value should be masked.
    
    Change-Id: I07b7441378fb630f01204d6b656b218f6b94dd5a
    Closes-Bug: #1465922


** Changed in: keystone
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1465922

Title:
  Password visible in clear text in keystone.log when user created and
  keystone debug logging is enabled

Status in Keystone:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  grep CLEARTEXTPASSWORD keystone.log

  2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-]
  RBAC: Authorizing identity:create_user(user={u'domain_id': u'default',
  u'password': u'CLEARTEXTPASSWORD', u'enabled': True,
  u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name':
  u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-
  packages/keystone/common/controller.py:57

  Issue code:
  https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

      LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
          'action': action,
          'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

  Shadow the values of sensitive fields like 'password' by some
  meaningless garbled text like "XXXXX" is one way to fix.

  Well, in addition to this, I think we should never pass the 'password'
  with its original value along the code and save it in any persistence,
  instead we should convert it to a strong hash value as early as
  possible. With the help of a good hash system, we never have to need
  the original value of the password, right?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions

More information about the Openstack-security mailing list