[Openstack-security] [Bug 1321785] Re: RFE: block_device_info dict should have a password key rather than clear password

OpenStack Infra 1321785 at bugs.launchpad.net
Thu Mar 10 14:22:49 UTC 2016 

Reviewed:  https://review.openstack.org/288927
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=db50aaca0acdf7814a8d6673545db94738907131
Submitter: Jenkins
Branch:    master

commit db50aaca0acdf7814a8d6673545db94738907131
Author: Matt Riedemann <mriedem at us.ibm.com>
Date:   Sat Mar 5 13:40:52 2016 -0500

    Use SensitiveStringField for BlockDeviceMapping.connection_info
    
    bd977f400a1192d5cf7c2b52ef91615c0828813c added the SensitiveStringField
    to oslo.versionedobjects. SensitiveStringField is a StringField, which
    is what BlockDeviceMapping.connection_info was already using. The difference
    is that a SensitiveStringField masks passwords in the 'stringify' method,
    which is what's used when __repr__ is called on the object.
    
    Since BDM.connection_info can contain credentials, and the connection_info
    dict gets passed around quite a bit in the compute manager and virt drivers,
    it has from time to time gotten logged without first masking passwords.
    
    This makes the object handle masking the password so we don't have to do it
    explicitly anymore.
    
    There is no version bump on the BlockDeviceMapping object since nothing has
    functionally changed.
    
    Change-Id: I66a0b5f6834034e2fcbefc4510e3aa018edec310
    Closes-Bug: #1321785


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1321785

Title:
  RFE: block_device_info dict should have a password key rather than
  clear password

Status in OpenStack Compute (nova):
  Fix Released
Status in oslo.versionedobjects:
  Fix Released

Bug description:
  See bug 1319943 and the related patch
  https://review.openstack.org/#/c/93787/ for details, but right now the
  block_device_info dict passed around in the nova virt driver can
  contain a clear text password for the auth_password key.

  That bug and patch are masking the password when logged in the
  immediate known locations, but this could continue to crop up so we
  should change the design such that the block_device_info dict doesn't
  contain the password but rather a key to a store that nova can
  retrieve the password for use.

  Comment from Daniel Berrange in the patch above:

  "Long term I think we need to figure out a way to remove the passwords
  from any data dicts we pass around. Ideally the block device info
  would merely contain something like a UUID to identify a password,
  which Nova could use to fetch the actual password from a secure
  password manager service at time of use. Thus we wouldn't have to
  worry about random objects/dicts containing actual passwords.
  Obviously this isn't something we can do now, but could you file an
  RFE to address this from a design POV, because masking passwords at
  time of logging call is not really a viable long term strategy IMHO."

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1321785/+subscriptions

More information about the Openstack-security mailing list