[Openstack-security] [Bug 1841185] Re: novncproxy log contains token info
Jeremy Stanley
fungi at yuggoth.org
Fri Aug 23 14:54:19 UTC 2019
*** This bug is a duplicate of bug 1492140 ***
https://bugs.launchpad.net/bugs/1492140
Sorry, I guess it's actually a duplicate of a public security bug, not
just a normal public bug, so adjusted accordingly.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1841185
Title:
novncproxy log contains token info
Status in OpenStack Compute (nova):
New
Bug description:
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG nova.objects.console_auth_token [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Validated token - console connection is ConsoleAuthToken(access_url_base='http://100.109.0.4:6080/vnc_lite.html',console_type='novnc',created_at=2019-08-23T13:07:03Z,host='127.0.0.1',id=1,instance_uuid=143433d6-693b-4c80-856f-ce57278a13eb,internal_access_path=None,port=5900,token='***',updated_at=None) {{(pid=8414) validate /opt/stack/nova/nova/objects/console_auth_token.py:164}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG oslo_concurrency.lockutils [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Acquired lock "compute-rpcapi-router" {{(pid=8414) lock /usr/local/lib/python3.6/dist-packages/oslo_concurrency/lockutils.py:265}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG oslo_concurrency.lockutils [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Releasing lock "compute-rpcapi-router" {{(pid=8414) lock /usr/local/lib/python3.6/dist-packages/oslo_concurrency/lockutils.py:281}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: INFO nova.console.websocketproxy [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] 8: connect info: {'token': ('534104fe-505e-48c7-afe8-64dc26043a7e',), 'instance_uuid': '143433d6-693b-4c80-856f-ce57278a13eb', 'console_type': 'novnc', 'host': '127.0.0.1', 'port': 5900, 'internal_access_path': None, 'access_url': 'http://100.109.0.4:6080/vnc_lite.html?path=%3Ftoken%3D534104fe-505e-48c7-afe8-64dc26043a7e'}
The first log in the above snippet hides the token with '***' but the
last log line still contains the token. The token feels like sensitive
information so it should not be logged.
Seen in Devstack with Nova hash
83b415041ba9ccd5b92667bfc95b6b9b003fa283
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1841185/+subscriptions
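One way to keep the token out of a "connect info" line like the one in the report, as an added example that is not nova's code and not the fix tracked in bug 1492140. The function name, the mask string and the sample values are assumptions made for illustration; the point is that the token appears twice, once in the `token` field and once percent-encoded inside `access_url`.

```python
import re

MASK = "***"
# token=<value> inside a URL, plain or percent-encoded ("%3D" is "=").
TOKEN_IN_URL = re.compile(r"(token(?:=|%3D))[^&%#\s'\"]+", re.IGNORECASE)


def _token_values(token):
    """Return the token as a list of strings (the log shows it as a 1-tuple)."""
    if token is None:
        return []
    if isinstance(token, (tuple, list)):
        return [str(t) for t in token if t]
    return [str(token)]


def mask_connect_info(info):
    """Return a copy of a connect-info dict that is safe to log."""
    secrets = _token_values(info.get("token"))
    safe = {}
    for key, value in info.items():
        if key == "token":
            safe[key] = MASK
        elif isinstance(value, str):
            # Drop literal copies of the token, then any token= parameter
            # that is still present (for example when 'token' was not set).
            for secret in secrets:
                value = value.replace(secret, MASK)
            safe[key] = TOKEN_IN_URL.sub(r"\1" + MASK, value)
        else:
            safe[key] = value
    return safe


# Constructed sample shaped like the "connect info" line in the report.
SAMPLE = {
    "token": ("00000000-0000-4000-8000-000000000000",),
    "instance_uuid": "11111111-1111-4111-8111-111111111111",
    "console_type": "novnc",
    "host": "127.0.0.1",
    "port": 5900,
    "internal_access_path": None,
    "access_url": "http://192.0.2.10:6080/vnc_lite.html"
                  "?path=%3Ftoken%3D00000000-0000-4000-8000-000000000000",
}

if __name__ == "__main__":
    print("connect info: %s" % mask_connect_info(SAMPLE))
```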