[Openstack-security] [Bug 1465922] Fix merged to keystone (stable/kilo)

OpenStack Infra 1465922 at bugs.launchpad.net
Wed Jul 15 00:20:10 UTC 2015


Reviewed:  https://review.openstack.org/201323
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4dc1331e111f6fce070163129cef008a204e99f
Submitter: Jenkins
Branch:    stable/kilo

commit c4dc1331e111f6fce070163129cef008a204e99f
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Fri Jun 19 14:18:18 2015 -0500

    Mask passwords in debug log on user password operations
    
    When a user is created, they change their password, or an admin
    changes their password, and debug logging is enabled, the value of
    the user's password was logged. The value should be masked.
    
    Change-Id: I07b7441378fb630f01204d6b656b218f6b94dd5a
    Closes-Bug: #1465922
    (cherry picked from commit fbdb100e656b19958589fa659bf9d95303e76ab8)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1465922

Title:
  Password visible in clear text in keystone.log when user created and
  keystone debug logging is enabled

Status in Keystone:
  Fix Committed
Status in Keystone juno series:
  In Progress
Status in Keystone kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  grep CLEARTEXTPASSWORD keystone.log

  2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-]
  RBAC: Authorizing identity:create_user(user={u'domain_id': u'default',
  u'password': u'CLEARTEXTPASSWORD', u'enabled': True,
  u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name':
  u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-
  packages/keystone/common/controller.py:57

  Issue code:
  https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

      LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
          'action': action,
          'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

  Shadowing the values of sensitive fields like 'password' with some
  meaningless garbled text like "XXXXX" is one way to fix it.

  Well, in addition to this, I think we should never pass the 'password'
  with its original value along the code or save it in any persistence;
  instead we should convert it to a strong hash value as early as
  possible. With the help of a good hash system, we never need the
  original value of the password, right?
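As an added example (not keystone's code, and not the fix referenced in the commit above): the formatting from the reported controller.py line beside a variant that masks sensitive keys before they reach the log, recursing into the nested `user={...}` dict where the password actually sits, plus a scan that flags already-written log lines carrying an unmasked password. The key list, the mask string, and the sample log lines are constructed for this illustration.

```python
import re

# Constructed list of keys whose values must never reach a log line.
SENSITIVE_KEYS = {'password', 'old_password', 'new_password', 'secret', 'token'}
MASK = '***'


def mask_sensitive(value):
    """Return a copy of value with sensitive keys masked, recursing into
    nested dicts/lists so a password inside user={...} is caught too."""
    if isinstance(value, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else mask_sensitive(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v) for v in value)
    return value


def format_rbac_kwargs_unsafe(action, kwargs):
    """Same shape as the reported line: raw kwargs values are interpolated."""
    return 'RBAC: Authorizing %s(%s)' % (
        action, ', '.join('%s=%s' % (k, kwargs[k]) for k in sorted(kwargs)))


def format_rbac_kwargs(action, kwargs):
    """Hardened variant: mask the whole kwargs tree before formatting."""
    masked = mask_sensitive(kwargs)
    return 'RBAC: Authorizing %s(%s)' % (
        action, ', '.join('%s=%s' % (k, masked[k]) for k in sorted(masked)))


# Retrospective check for logs written before the fix: a 'password' key whose
# value is anything other than the mask. Matches the u'...' repr style above.
LEAK_RE = re.compile(r"'password':\s*u?'(?!\*\*\*')")


def find_leaked_password_lines(log_text):
    return [line for line in log_text.splitlines() if LEAK_RE.search(line)]


# Constructed sample log: one leaking line, one masked line, one without kwargs.
SAMPLE_LOG = (
    "2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing "
    "identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', "
    "u'enabled': True, u'name': u'DermotJ'}) _build_policy_check_credentials\n"
    "2015-06-16 06:45:01.002 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing "
    "identity:create_user(user={u'domain_id': u'default', u'password': u'***', "
    "u'enabled': True, u'name': u'Other'}) _build_policy_check_credentials\n"
    "2015-06-16 06:45:10.500 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing "
    "identity:list_users() _build_policy_check_credentials\n"
)
```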
