[Openstack-security] [Bug 1321080] Re: auth token is exposed in meter http.request
gordon chung
gord at live.ca
Fri Jun 6 20:04:17 UTC 2014
the original blueprint for notifier middleware is:
https://blueprints.launchpad.net/ceilometer/+spec/count-api-requests.
i'm unaware of anyone using the notifier middleware on its own. to my
knowledge, the main consumer of notifier middleware is pyCADF (and its
audit middleware).
regarding the audit middleware:
the audit middleware (from oslo-incubator) was synced into Neutron in
icehouse as a side effect of another patch (so it may not even be used).
the audit middleware was also synced into Ceilometer in havana i believe
(to my knowledge it's not used either as pycadf is not a requirement in
Ceilometer).
the audit middleware (from pycadf) was purposely set as a requirement in
Nova in icehouse and is used (it is optionally enabled by deployer).
this audit middleware (from pycadf) did not exist before icehouse.
i'm not aware of any other projects pulling in pyCADF (and its audit
middleware).
hope this brain dump helps :)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1321080
Title:
auth token is exposed in meter http.request
Status in OpenStack Telemetry (Ceilometer):
In Progress
Status in OpenStack Neutron (virtual network service):
In Progress
Status in Oslo - a Library of Common OpenStack Code:
Fix Committed
Status in OpenStack Security Advisories:
Confirmed
Status in pyCADF:
Fix Committed
Bug description:
auth token is exposed in meter http.request
# curl -i -X GET -H 'X-Auth-Token: 258ab6539b3b4eae8b3af307b8f5eadd' \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -H 'User-Agent: python-ceilometerclient' \
    http://0.0.0.0:8777/v2/meters/http.request
-----------
snip..
{"counter_name": "http.request", "user_id": "0", "resource_id": "ip-9-37-74-33:8774", "timestamp": "2014-05-16T17:42:16.851000", "recorded_at": "2014-05-16T17:42:17.039000", "resource_metadata": {"request.CADF_EVENT:initiator:host:address": "9.44.143.6", "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478", "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b", "request.REQUEST_METHOD": "DELETE", "event_type": "http.request", "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0", "request.CADF_EVENT:typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "request.HTTP_X_PROJECT_NAME": "ibm-default", "host": "nova-api", "request.SERVER_PORT": "8774", "request.REMOTE_PORT": "55258", "request.HTTP_X_USER_ID": "0", "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478", "request.CADF_EVENT:action": "delete", "request.CADF_EVENT:target:typeURI": "service/compute/servers/server", "request.HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
snip...
The auth token is masked in "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
but it is exposed in "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478".
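The bug above is a masking gap: the CADF credential field is redacted, but the raw WSGI header `request.HTTP_X_AUTH_TOKEN` copied into `resource_metadata` carries the full token. Below is an added example (not code from pyCADF, Ceilometer or the bug thread) of the two pieces a deployer would want: a sanitizer that masks every value under a credential-bearing key before a sample is emitted or stored, and an audit check that walks a sample and reports where a known token value still appears in clear. The sample dict is constructed from a trimmed copy of the meter in the report with a placeholder token; the mask format mirrors the `4724 xxxxxxxx 8478` shape shown there, and the key names other than `HTTP_X_AUTH_TOKEN` and `credential:token` in the regex are assumptions about what else such keys might be called.

```python
import json
import re

# Constructed sample, trimmed from the http.request meter in the bug report.
# FAKE_TOKEN is a placeholder value, not a real credential.
FAKE_TOKEN = "4724d3dd6b984079a58eecf406298478"
SAMPLE = {
    "counter_name": "http.request",
    "resource_id": "ip-9-37-74-33:8774",
    "resource_metadata": {
        "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
        "request.HTTP_X_AUTH_TOKEN": FAKE_TOKEN,
        "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0",
        "request.REQUEST_METHOD": "DELETE",
        "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b",
    },
}

# Key names whose values are credentials. HTTP_X_AUTH_TOKEN is the header shown
# leaking in the report; "password" and "secret" are assumed extra names.
SENSITIVE_KEY_RE = re.compile(r"(auth[_-]?token|credential:token|password|secret)",
                              re.IGNORECASE)


def mask_token(value):
    """Keep the first and last four characters, replace the middle with x's.

    This mirrors the shape of the masked CADF field in the report
    ("4724 xxxxxxxx 8478"); very short values are fully replaced.
    """
    value = str(value)
    if len(value) <= 8:
        return "x" * len(value)
    return "%s xxxxxxxx %s" % (value[:4], value[-4:])


def sanitize(obj):
    """Return a deep copy of obj with every value under a sensitive key masked.

    Nested dicts and lists are walked so that headers copied into
    resource_metadata (or anywhere else in the payload) are covered too.
    """
    if isinstance(obj, dict):
        return {k: (mask_token(v) if SENSITIVE_KEY_RE.search(k) else sanitize(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    return obj


def find_raw_token(obj, token, path=""):
    """Audit check: list every key path at which the raw token still appears.

    Run this over a sample after sanitizing (or over samples already in the
    meter store) with a token known to have been used; an empty list means
    the value is not present in clear anywhere in the payload.
    """
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits.extend(find_raw_token(v, token, path + "/" + k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_raw_token(v, token, "%s[%d]" % (path, i)))
    elif isinstance(obj, str) and token in obj:
        hits.append(path)
    return hits


if __name__ == "__main__":
    print("raw token found at:", find_raw_token(SAMPLE, FAKE_TOKEN))
    clean = sanitize(SAMPLE)
    print(json.dumps(clean, indent=2, sort_keys=True))
    print("raw token after sanitize:", find_raw_token(clean, FAKE_TOKEN))
```

The denylist regex is the minimal fix for the key named in the report; a more robust notifier would instead allowlist the `request.*` environ keys it copies into metadata, so that a new credential-bearing header does not leak by default. The `find_raw_token` walk is the check to run against the existing meter store once a fix lands, since samples recorded before it still hold the clear-text value.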