[Openstack-security] [Bug 1664723] Re: replication_slave user and passwords exposed in logging
OpenStack Infra
1664723 at bugs.launchpad.net
Thu Apr 6 14:09:05 UTC 2017
Fix proposed to branch: master
Review: https://review.openstack.org/454204
** Changed in: trove
Status: New => In Progress
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1664723
Title:
replication_slave user and passwords exposed in logging
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack DBaaS (Trove):
In Progress
Bug description:
Currently the passwords and usernames for trove's replication_user in
pxc and percona configuration options are exposed in the logger.
MySQL already has secret=True for their configuration options.
This patch extends that to all of the other database configuration
options using oslo.config.cfg.Opt option secret [1].
See output below for exact logs:
tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password = NETOU7897NNLOU from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.636 DEBUG oslo_service.service [-] pxc.replication_user = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
References
[1] http://docs.openstack.org/developer/oslo.config/cfg.html
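
An added example, not part of the original bug report or the Trove patch: a standard-library Python check that scans service logs for log_opt_values lines like those above, reports credential-like options that were logged unmasked, and masks them before a log is shared. The option-name heuristic, the function names and the sample lines are assumptions constructed for illustration; "****" is the mask oslo.config writes for options declared with secret=True.

```python
import re

MASK = "****"                # what oslo.config logs for a secret=True option
NOT_EXPOSED = {MASK, "", "None"}
# DEBUG line written by log_opt_values(), with or without a grep "file:" prefix.
OPT_LINE = re.compile(
    r"DEBUG\s+\S+\s+\[[^\]]*\]\s+(?P<name>[\w.\-]+)\s*=\s*(?P<value>.*?)\s+"
    r"(?:from \(pid=\d+\)\s+)?log_opt_values\b"
)
# Assumption: option names that should have been declared secret.
SENSITIVE = re.compile(r"password|passwd|secret|token|replication_user", re.I)


def _exposed(line):
    """Return the regex match if the line logs a sensitive option in clear."""
    match = OPT_LINE.search(line)
    if match and SENSITIVE.search(match["name"]) \
            and match["value"] not in NOT_EXPOSED:
        return match
    return None


def audit(lines):
    """List (line_number, option_name) pairs; the value is never echoed."""
    return [(number, match["name"])
            for number, line in enumerate(lines, start=1)
            if (match := _exposed(line))]


def redact(line):
    """Replace an exposed value with the mask so the line can be shared."""
    match = _exposed(line)
    if match is None:
        return line
    return line[:match.start("value")] + MASK + line[match.end("value"):]


# Constructed sample input in the format shown in the bug description.
SAMPLE_LOG = """\
tr-api.log:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password = EXAMPLE-NOT-A-REAL-SECRET from (pid=684) log_opt_values cfg.py:2744
tr-api.log:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user = slave_user from (pid=684) log_opt_values cfg.py:2744
tr-api.log:2017-02-14 10:21:58.630 DEBUG oslo_service.service [-] mysql.replication_password = **** from (pid=684) log_opt_values cfg.py:2744
tr-api.log:2017-02-14 10:21:58.631 DEBUG oslo_service.service [-] percona.example_option = some_value from (pid=684) log_opt_values cfg.py:2744
"""

if __name__ == "__main__":
    for number, option in audit(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {option} logged unmasked; rotate the credential")
```

Any option this reports is a candidate for secret=True in its option definition, and the credential it exposed should be treated as disclosed to anyone with read access to the log.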