[Openstack-security] [Bug 1408530] Re: heat CLI is passing raw username and password for stack-create stack-update and stack-preview
Jeremy Stanley
fungi at yuggoth.org
Fri Feb 28 14:46:53 UTC 2020
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1408530
Title:
heat CLI is passing raw username and password for stack-create
stack-update and stack-preview
Status in python-heatclient:
Triaged
Bug description:
When using the CLI or the heatclient directly, for every call to
stack.create, stack.preview or stack.update, the username and password
are being transmitted in plaintext to heat as the X-Auth-User and
X-Auth-Key headers.
This would seem like a hangover from before trusts being available and
heat wanting to authenticate as the current user.
This behaviour ignores the --include-password CLI flag.
To manage notifications about this bug go to:
https://bugs.launchpad.net/python-heatclient/+bug/1408530/+subscriptions
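
Added example, not part of the original bug report and not python-heatclient code: a small audit over captured client requests that flags the X-Auth-User and X-Auth-Key headers described above and masks their values before logging. The Heat v1 route patterns, the request dict layout and the sample capture are assumptions made for illustration.

```python
import re

# Headers the bug report says carry the raw username and password.
CREDENTIAL_HEADERS = {"x-auth-user", "x-auth-key"}
# Assumption: Heat v1 REST routes behind the three affected calls (not given in the report).
AFFECTED_ROUTES = [
    ("stack-preview", "POST", re.compile(r"^/v1/[^/]+/stacks/preview/?$")),
    ("stack-create", "POST", re.compile(r"^/v1/[^/]+/stacks/?$")),
    ("stack-update", "PUT", re.compile(r"^/v1/[^/]+/stacks/[^/]+/[^/]+/?$")),
]


def classify(method, path):
    """Map a request to the CLI operation named in the report, else 'other'."""
    path = path.split("?", 1)[0]
    for name, verb, pattern in AFFECTED_ROUTES:
        if method.upper() == verb and pattern.match(path):
            return name
    return "other"


def audit(requests):
    """Return one finding per request carrying a credential header (values never copied)."""
    findings = []
    for req in requests:
        exposed = sorted(h.lower() for h in req["headers"] if h.lower() in CREDENTIAL_HEADERS)
        if exposed:
            findings.append({"operation": classify(req["method"], req["path"]),
                             "path": req["path"], "headers": exposed})
    return findings


def redact(headers):
    """Copy of the headers that is safe to log: credential values are masked."""
    return {k: ("***" if k.lower() in CREDENTIAL_HEADERS else v) for k, v in headers.items()}


# Constructed sample capture (for example from a debugging proxy); all values are made up.
SAMPLE = [
    {"method": "POST", "path": "/v1/tenant-a/stacks", "headers": {"X-Auth-Token": "tok", "X-Auth-User": "demo", "X-Auth-Key": "s3cret"}},
    {"method": "GET", "path": "/v1/tenant-a/stacks", "headers": {"X-Auth-Token": "tok"}},
    {"method": "PUT", "path": "/v1/tenant-a/stacks/web/1234", "headers": {"x-auth-user": "demo", "x-auth-key": "s3cret"}},
    {"method": "POST", "path": "/v1/tenant-a/stacks/preview", "headers": {"X-Auth-Token": "tok", "X-Auth-Key": "s3cret"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
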