[Openstack-security] [Bug 1490693] Re: session fails to sanitize response body of passwords
OpenStack Infra
1490693 at bugs.launchpad.net
Thu Sep 3 20:29:13 UTC 2015
Reviewed: https://review.openstack.org/219004
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=3e26ff824801d5084791a52980021784e794e35f
Submitter: Jenkins
Branch: master
commit 3e26ff824801d5084791a52980021784e794e35f
Author: Matt Riedemann <mriedem at us.ibm.com>
Date: Mon Aug 31 12:32:25 2015 -0700
Mask passwords when logging the HTTP response
We should sanitize the response body before logging to make sure we
aren't leaking through credentials like in the case of the response from
the os-initialize_connection volume API.
Closes-Bug: #1490693
Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0
** Changed in: python-keystoneclient
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1490693
Title:
session fails to sanitize response body of passwords
Status in python-keystoneclient:
Fix Committed
Bug description:
Seeing this in the n-cpu logs when nova calls the os-initialize_connection API via python-cinderclient and cinder returns a response body with credentials in it:
http://logs.openstack.org/66/218666/1/check/gate-tempest-dsvm-full/3ac1f2b/logs/screen-n-cpu.txt.gz#_2015-08-30_16_33_09_578
keystoneclient.session is logging the response body without sanitizing
it first.
2015-08-30 16:33:09.578 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] REQ: curl -g -i -X POST http://127.0.0.1:8776/v2/8a98625b8c5445afbc72496ce2f7ab7f/volumes/744d2085-8e78-40a5-8659-ef3cffb2480e/action -H "User-Agent: python-cinderclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}fbdcb6c88ebb8ec83181b62e338a1a4b909f7031" -d '{"os-initialize_connection": {"connector": {"initiator": "iqn.1993-08.org.debian:01:f991bccc0", "ip": "172.99.69.228", "platform": "x86_64", "host": "devstack-trusty-rax-iad-4640004", "os_type": "linux2", "multipath": false}}}' _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-08-30 16:33:10.674 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] RESP: [200] content-length: 447 x-compute-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d connection: keep-alive date: Sun, 30 Aug 2015 16:33:10 GMT content-type: application/json x-openstack-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d
RESP BODY: {"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "FF5vCvAvks8iQ2Vx", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-744d2085-8e78-40a5-8659-ef3cffb2480e", "target_portal": "172.99.69.228:3260", "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e", "target_lun": 1, "access_mode": "rw", "auth_username": "82tvLceDnfHjg6jrTwpq", "auth_method": "CHAP"}}}
To manage notifications about this bug go to:
https://bugs.launchpad.net/python-keystoneclient/+bug/1490693/+subscriptions
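As an added illustration of the fix described above (this is not the python-keystoneclient code from the linked commit), the following Python masks credential values in an HTTP response body before it is logged. It walks decoded JSON recursively so a value nested under connection_info -> data -> auth_password is caught, falls back to textual masking when the body is not valid JSON, and fingerprints tokens in the "{SHA1}..." style the request log line already uses. The key pattern, the function names, and the sample body with placeholder credentials are assumptions made for the example.

```python
import hashlib
import json
import re

# Key names whose values must never reach a log line. "auth_password" is the
# field leaked in the bug report; the pattern is an assumption that covers the
# usual variants and is applied case-insensitively to dictionary keys.
SENSITIVE_KEY = re.compile(r"password|secret|passphrase", re.IGNORECASE)
MASK = "***"

# Fallback for bodies that are not valid JSON (truncated or non-JSON content):
# mask the value of any "<...password...>": "<value>" pair textually.
SENSITIVE_PAIR = re.compile(
    r'("[^"]*(?:password|secret|passphrase)[^"]*"\s*:\s*)"[^"]*"',
    re.IGNORECASE,
)


def mask_sensitive(obj):
    """Return a copy of a decoded JSON value with sensitive values replaced.

    Walks nested dicts and lists so that a password buried under
    connection_info -> data -> auth_password is still caught.
    """
    if isinstance(obj, dict):
        return {
            key: MASK if isinstance(key, str) and SENSITIVE_KEY.search(key)
            else mask_sensitive(value)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [mask_sensitive(item) for item in obj]
    return obj


def sanitize_body(body):
    """Sanitize a raw HTTP body string before it is logged."""
    if not body:
        return body
    try:
        decoded = json.loads(body)
    except ValueError:
        # Not JSON (or cut off): fall back to textual masking rather than
        # logging the raw body unchanged.
        return SENSITIVE_PAIR.sub(r'\1"%s"' % MASK, body)
    return json.dumps(mask_sensitive(decoded))


def token_fingerprint(token):
    """Fingerprint a bearer token for logs in the "{SHA1}<hex>" style that the
    request line in the bug report already uses for X-Auth-Token."""
    return "{SHA1}" + hashlib.sha1(token.encode("utf-8")).hexdigest()


def format_response_log(status, body):
    """Build the RESP / RESP BODY log text from a sanitized body."""
    return "RESP: [%d]\nRESP BODY: %s" % (status, sanitize_body(body))


# Constructed sample in the shape of the os-initialize_connection response
# from the bug report; the credential values are placeholders, not real ones.
SAMPLE_BODY = json.dumps({
    "connection_info": {
        "driver_volume_type": "iscsi",
        "data": {
            "auth_password": "EXAMPLE-CHAP-SECRET",
            "auth_username": "example-chap-user",
            "auth_method": "CHAP",
            "target_portal": "192.0.2.10:3260",
            "target_lun": 1,
            "access_mode": "rw",
        },
    }
})

if __name__ == "__main__":
    print(format_response_log(200, SAMPLE_BODY))
```

Masking is keyed on the field name rather than on the value, so the non-secret fields (target, LUN, username) stay readable for debugging while only the credential is replaced; the textual fallback matters because a body that fails to parse would otherwise be logged verbatim, which is exactly the failure mode the bug describes.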