*** This bug is a duplicate of bug 1761054 ***
https://bugs.launchpad.net/bugs/1761054
Change abandoned by Matt Riedemann (mriedem.os at gmail.com) on branch: master
Review: https://review.openstack.org/466533
Reason: Looks like it was fixed under a different bug https://review.openstack.org/#/c/558694/
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1685678
Title:
swap volume operation may leak credentials into debug logs
Status in OpenStack Compute (nova):
In Progress
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The swap volume code in the compute service logs old and new volume
connection_info dicts to debug here:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4930
The new connection_info comes from Cinder:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4901
That's a plain dict from the response which may contain credentials.
The old connection_info comes from the
nova.objects.block_device.BlockDeviceMapping object, which uses
SensitiveStringField to sanitize the field's value when logged:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4904
https://github.com/openstack/oslo.versionedobjects/blob/1.23.0/oslo_versionedobjects/fields.py#L280
The new connection_info could contain credentials though, so we should
mask those when logging it, even at debug level.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1685678/+subscriptions