[Openstack-security] [Bug 1465922] Fix merged to keystone (stable/kilo)
OpenStack Infra
1465922 at bugs.launchpad.net
Wed Jul 15 00:20:10 UTC 2015
Reviewed: https://review.openstack.org/201323
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4dc1331e111f6fce070163129cef008a204e99f
Submitter: Jenkins
Branch: stable/kilo
commit c4dc1331e111f6fce070163129cef008a204e99f
Author: Brant Knudson <bknudson at us.ibm.com>
Date: Fri Jun 19 14:18:18 2015 -0500
Mask passwords in debug log on user password operations
When a user is created, they change their password, or admin
changes their password and debug logging is enabled, the value of
the user's password was logged. The value should be masked.
Change-Id: I07b7441378fb630f01204d6b656b218f6b94dd5a
Closes-Bug: #1465922
(cherry picked from commit fbdb100e656b19958589fa659bf9d95303e76ab8)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1465922
Title:
Password visible in clear text in keystone.log when user created and
keystone debug logging is enabled
Status in Keystone:
Fix Committed
Status in Keystone juno series:
In Progress
Status in Keystone kilo series:
Fix Committed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
grep CLEARTEXTPASSWORD keystone.log
2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-]
RBAC: Authorizing identity:create_user(user={u'domain_id': u'default',
u'password': u'CLEARTEXTPASSWORD', u'enabled': True,
u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name':
u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-
packages/keystone/common/controller.py:57
Issue code:
https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
Shadow the values of sensitive fields like 'password' by some
meaningless garbled text like "XXXXX" is one way to fix.
Well, in addition to this, I think we should never pass the 'password'
with its original value along the code and save it in any persistence,
instead we should convert it to a strong hash value as early as
possible. With the help of a good hash system, we never have to need
the original value of the password, right?
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions
More information about the Openstack-security
mailing list