[Openstack-security] [Bug 1328488] Re: oslo apiclient logs sensitive data
Thierry Carrez
thierry.carrez+lp at gmail.com
Thu Apr 30 07:59:25 UTC 2015
** Changed in: oslo-incubator
Milestone: kilo-1 => 2015.1.0
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1328488
Title:
oslo apiclient logs sensitive data
Status in The Oslo library incubator:
Fix Released
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
When trying to clean up the tempest logs in the gate, we leak
passwords and keystone tokens everywhere. For instance,
python-novaclient logs the auth token.
What's more problematic though is that apiclient does the following:
import logging

_logger = logging.getLogger(__name__)


class HTTPClient(object):
    # Only _http_log_req is quoted from apiclient; the class wrapper is
    # added here so the method is syntactically complete.
    def _http_log_req(self, method, url, kwargs):
        if not self.debug:
            return
        string_parts = [
            "curl -i",
            "-X '%s'" % method,
            "'%s'" % url,
        ]
        # Every header, X-Auth-Token included, goes to the log verbatim.
        for element in kwargs['headers']:
            header = "-H '%s: %s'" % (element, kwargs['headers'][element])
            string_parts.append(header)
        _logger.debug("REQ: %s" % " ".join(string_parts))
        # The request body (which carries passwords on keystone auth calls)
        # is logged unmodified as well.
        if 'data' in kwargs:
            _logger.debug("REQ BODY: %s\n" % (kwargs['data']))
The argument that it's at DEBUG level doesn't hold, because from the
Atlanta operators summit it was clear that *all* operators are running
their servers at DEBUG, because OpenStack is impossible to actually
troubleshoot at any other logging level. And if you run neutron at
debug level, then all your nova credentials are in your logs.
This is coupled with the fact that a large number of users are
streaming all their logs directly into logstash, which means they've
now got a potentially public endpoint that lets them search for
credentials.
We need to stop doing that in a blanket way across OpenStack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/oslo-incubator/+bug/1328488/+subscriptions
More information about the Openstack-security
mailing list
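As an added illustration of the fix the bug asks for (this is example code, not oslo's or python-novaclient's own implementation), the following builds the same curl-style debug line that _http_log_req emits but masks credential-bearing headers and body fields before anything is handed to the logger. The header and body key lists, the MASK string and the sample request values are assumptions constructed for the example; extend them for the services you actually run.

```python
import json
import logging
import re

_logger = logging.getLogger(__name__)

# Assumed set of credential-bearing headers seen in OpenStack traffic
# (constructed for this example; names are compared lower-cased).
SENSITIVE_HEADERS = frozenset([
    "x-auth-token", "x-subject-token", "x-service-token",
    "x-storage-token", "x-auth-key", "authorization",
])

# Assumed set of body keys whose values must never reach the log.
SENSITIVE_BODY_KEYS = frozenset(["password", "token", "secret", "auth_key"])

MASK = "***"


def redact_headers(headers):
    """Return a copy of headers with credential values masked."""
    return {
        name: (MASK if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def _redact_json(obj):
    """Recursively mask sensitive keys in a decoded JSON structure."""
    if isinstance(obj, dict):
        return {
            key: (MASK if key.lower() in SENSITIVE_BODY_KEYS
                  else _redact_json(val))
            for key, val in obj.items()
        }
    if isinstance(obj, list):
        return [_redact_json(item) for item in obj]
    return obj


# Fallback for bodies that are not valid JSON: mask "key": "value" pairs
# textually so a truncated or malformed body still cannot leak a secret.
_KV_PATTERN = re.compile(
    r'("(?:%s)"\s*:\s*")[^"]*(")' % "|".join(sorted(SENSITIVE_BODY_KEYS)),
    re.IGNORECASE,
)


def redact_body(data):
    """Mask sensitive fields in a request body (str, bytes, dict or list)."""
    if data is None:
        return None
    if isinstance(data, (dict, list)):
        return json.dumps(_redact_json(data), sort_keys=True)
    if isinstance(data, bytes):
        data = data.decode("utf-8", "replace")
    try:
        return json.dumps(_redact_json(json.loads(data)), sort_keys=True)
    except ValueError:
        return _KV_PATTERN.sub(r"\1%s\2" % MASK, data)


def format_request(method, url, headers, data=None):
    """Build the curl-style line apiclient logs, with secrets masked."""
    parts = ["curl -i", "-X '%s'" % method, "'%s'" % url]
    for name, value in sorted(redact_headers(headers).items()):
        parts.append("-H '%s: %s'" % (name, value))
    line = " ".join(parts)
    body = redact_body(data)
    if body is not None:
        line += "\nREQ BODY: %s" % body
    return line


def http_log_req(method, url, kwargs, debug=True):
    """Replacement for the logging step: only the masked text is logged.
    Returns the logged text (None when debug logging is off)."""
    if not debug:
        return None
    text = format_request(method, url, kwargs.get("headers", {}),
                          kwargs.get("data"))
    _logger.debug("REQ: %s", text)
    return text


if __name__ == "__main__":
    # Constructed sample request; the token and password are fake.
    logging.basicConfig(level=logging.DEBUG)
    http_log_req("POST", "http://keystone.example/v2.0/tokens", {
        "headers": {"X-Auth-Token": "deadbeef-constructed-token",
                    "Content-Type": "application/json"},
        "data": '{"auth": {"passwordCredentials": '
                '{"username": "admin", "password": "s3cret-constructed"}}}',
    })
```

Masking happens before the string is built, so the rest of the logging pipeline (file, syslog, logstash shipping) never sees the secret, which is the property that matters once every operator runs at DEBUG.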