[Openstack-security] [Bug 1321080] Re: auth token is exposed in meter http.request
Zhi Kun Liu
liuzhikun at gmail.com
Mon Jun 9 02:13:44 UTC 2014
@Tristan Cacqueray, I checked the nova and neutron code in Havana; they don't have the audit and notifier middleware, so this does not impact Havana. It's only an internal problem of ours. Thanks for the reminder!
** Tags removed: havana-backport-potential
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1321080
Title:
auth token is exposed in meter http.request
Status in OpenStack Telemetry (Ceilometer):
In Progress
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in Oslo - a Library of Common OpenStack Code:
Fix Committed
Status in OpenStack Security Advisories:
Confirmed
Status in pyCADF:
Fix Committed
Bug description:
auth token is exposed in meter http.request
# curl -i -X GET -H 'X-Auth-Token: 258ab6539b3b4eae8b3af307b8f5eadd' \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -H 'User-Agent: python-ceilometerclient' \
    http://0.0.0.0:8777/v2/meters/http.request
-----------
snip..
{"counter_name": "http.request", "user_id": "0", "resource_id": "ip-9-37-74-33:8774", "timestamp": "2014-05-16T17:42:16.851000", "recorded_at": "2014-05-16T17:42:17.039000", "resource_metadata": {"request.CADF_EVENT:initiator:host:address": "9.44.143.6", "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478", "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b", "request.REQUEST_METHOD": "DELETE", "event_type": "http.request", "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0", "request.CADF_EVENT:typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", "request.HTTP_X_PROJECT_NAME": "ibm-default", "host": "nova-api", "request.SERVER_PORT": "8774", "request.REMOTE_PORT": "55258", "request.HTTP_X_USER_ID": "0", "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478", "request.CADF_EVENT:action": "delete", "request.CADF_EVENT:target:typeURI": "service/compute/servers/server", "request.HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
snip...
The auth token is masked in "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
but it is exposed in "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478".
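As an added defensive example (not code from the bug report or from any OpenStack project), the following Python scrubs the resource_metadata of an http.request sample before it is published, so that a raw header copy such as request.HTTP_X_AUTH_TOKEN is masked the same way the CADF credential field already is. The key list, the regexes and the fixed-length masking shape are assumptions modelled on the sample above.

```python
import re
from copy import deepcopy

# Constructed sample, trimmed from the http.request meter shown in the bug report.
SAMPLE_METADATA = {
    "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
    "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5",
    "request.REQUEST_METHOD": "DELETE",
    "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478",
    "request.HTTP_X_USER_ID": "0",
}

# Assumed set of metadata keys whose values carry a credential: the leaking raw
# header from the report and the CADF field that the middleware already masks.
TOKEN_KEYS = frozenset({
    "request.HTTP_X_AUTH_TOKEN",
    "request.CADF_EVENT:initiator:credential:token",
})

MASKED_RE = re.compile(r"^(\w{4}) x+ (\w{4})$")  # shape of an already-masked token
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")     # shape of a UUID-style Keystone token


def mask_token(token):
    """Mask like the CADF sample: keep the first and last four characters and
    replace the middle with a fixed run of 'x' so the length is not leaked."""
    if MASKED_RE.match(token):
        return token  # already masked, leave untouched
    if len(token) <= 8:
        return "x" * len(token)
    return "%s xxxxxxxx %s" % (token[:4], token[-4:])


def find_unmasked_tokens(metadata):
    """Return keys holding a raw token: a known credential key whose value is not
    masked, or any 32-hex value whose head/tail match a token masked elsewhere."""
    masked = set()
    for value in metadata.values():
        match = MASKED_RE.match(value) if isinstance(value, str) else None
        if match:
            masked.add(match.groups())
    leaks = []
    for key, value in metadata.items():
        if not isinstance(value, str) or MASKED_RE.match(value):
            continue
        if key in TOKEN_KEYS or (HEX_TOKEN_RE.match(value)
                                 and (value[:4], value[-4:]) in masked):
            leaks.append(key)
    return sorted(leaks)


def scrub_metadata(metadata):
    """Return a copy of resource_metadata that is safe to put on the notification bus."""
    clean = deepcopy(metadata)
    for key in find_unmasked_tokens(metadata):
        clean[key] = mask_token(clean[key])
    return clean
```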