[Openstack] [Openstack-security] API Security
Clark, Robert Graham
robert.clark at hp.com
Tue Apr 29 14:07:59 UTC 2014
This is why any production API servers should all be running TLS/SSL – to protect the confidentiality of messages in flight.
There have been efforts to remove sensitive information from logs; I’m a little surprised that passwords are logged in Neutron.
From: Hao Wang [mailto:hao.1.wang at gmail.com]
Sent: 29 April 2014 14:06
To: openstack-security at lists.openstack.org
Cc: openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security
Adding security group...
On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <hao.1.wang at gmail.com> wrote:
It is the client. I got this message with DEBUG enabled:
curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'
It can be seen that username and password are right in the message.
Hao
On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <aaron.knister at gmail.com> wrote:
Was it the client or the server that exposed the credentials?
Sent from my iPhone
On Apr 26, 2014, at 2:28 PM, Hao Wang <hao.1.wang at gmail.com> wrote:
Hi,
I am troubleshooting a neutron case. It was just found that if DEBUG was enabled, neutron would print out JSON data with username and password. I am wondering what kind of protocol is used in production environment to prevent this security risk from happening.
Thanks,
Hao
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
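A log sanitizer of the kind Robert refers to, as an added example that is not code from this thread, from Neutron or from oslo: it masks password and token fields in a request body before the DEBUG logger sees it, using the Keystone token request from the curl command above as constructed sample input. The key list and the function names are assumptions for this example.

```python
import json
import re

# Keys whose values must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = ("password", "adminpass", "auth_token", "token", "secret")
MASK = "***"

# Fallback for bodies that are not valid JSON (form data, half-printed dicts):
# mask `"password": "value"`, `password: value` and `password=value` pairs in place.
_PAIR_RE = re.compile(
    r'("?(?:%s)"?\s*[:=]\s*)("[^"]*"|\'[^\']*\'|[^\s,}]+)' % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)


def mask_value(obj):
    """Return a copy of a decoded JSON object with every sensitive value replaced."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else mask_value(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_value(v) for v in obj]
    return obj


def mask_body(body):
    """Sanitize a request or response body before it is written to a DEBUG log."""
    try:
        return json.dumps(mask_value(json.loads(body)), sort_keys=True)
    except ValueError:  # not JSON: fall back to pattern masking on the raw text
        return _PAIR_RE.sub(lambda m: m.group(1) + '"%s"' % MASK, body)


def debug_line(method, url, body):
    """Build the one log line a client would emit for a request, minus the secrets."""
    return "REQ: %s %s body=%s" % (method, url, mask_body(body))


# Constructed sample: the token request body quoted in the thread's curl command.
TOKEN_REQUEST = ('{"auth": {"tenantName": "admin", "passwordCredentials": '
                 '{"username": "admin", "password": "admin"}}}')

if __name__ == "__main__":
    print(debug_line("POST", "http://192.168.56.103:35357/v2.0/tokens", TOKEN_REQUEST))
```

Masking at the logging boundary complements, rather than replaces, TLS: TLS protects the body in flight, the sanitizer protects it once it lands on disk.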