Instance root-password is logged in plain-text

Bug #920687 reported by Rick Harris
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Rick Harris | |
| Diablo | Fix Released | Undecided | Russell Bryant | |

Bug Description

nova.rpc is logging the dict that is passed to the compute worker which contains the key `new_pass` that has the instance-root-password (if it's a set_admin_password operation).

The proposed fix is to sanitize the dictionary before logging, replacing the value with something like '<PASSWORD>'.

Changed in nova:
assignee: nobody → Rick Harris (rconradharris)
importance: Undecided → High
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/3328

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/3328
Committed: http://github.com/openstack/nova/commit/ccbc940211c348940ca9766ef60328302a080f9a
Submitter: Jenkins
Branch: master

commit ccbc940211c348940ca9766ef60328302a080f9a
Author: Rick Harris <email address hidden>
Date: Mon Jan 23 23:08:04 2012 +0000

    Remove sensitive info from rpc logging.

    Fixes bug 920687

    Change-Id: Ic83145adcfe73c29a85e7916f2fda48d1bb5ccea

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → essex-3
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/diablo)

Fix proposed to branch: stable/diablo
Review: https://review.openstack.org/3960

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/3960
Committed: http://github.com/openstack/nova/commit/552a53d49d7fbf190f1478b110f6934ebb0620c4
Submitter: Jenkins
Branch: stable/diablo

commit 552a53d49d7fbf190f1478b110f6934ebb0620c4
Author: Russell Bryant <email address hidden>
Date: Thu Feb 9 09:39:15 2012 -0500

    Don't log sensitive data in compute log file.

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Sanitize new_pass from set_admin_password. Fixes bug 920687.

    Manually merged from:
      ccbc940211c348940ca9766ef60328302a080f9a
      fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5

    Change-Id: I3af8263f88ef2e68d5d7f6d8c4824737fffcf461

tags: added: in-stable-diablo
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-3 → 2012.1
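
The redaction proposed in the bug description and named in the stable/diablo commit message, as an added example (not nova's code and not the merged patch). The function names, the `method`/`args` message shape and the sample passwords are constructed for illustration; only the keys `new_pass` and `admin_password` and the `<PASSWORD>` placeholder come from this page. It redacts a copy, so the worker still receives the real value.

```python
import copy
import io
import logging

# Keys named on this page; a real deployment would extend the set.
SENSITIVE_KEYS = frozenset({"new_pass", "admin_password"})
PLACEHOLDER = "<PASSWORD>"


def sanitize_for_log(value):
    """Return a redacted copy of value; the original is never modified."""
    if isinstance(value, dict):
        return {
            k: PLACEHOLDER if k in SENSITIVE_KEYS else sanitize_for_log(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(sanitize_for_log(v) for v in value)
    return copy.deepcopy(value)


def log_received(logger, message):
    """Log an incoming message without its secrets, then return it intact."""
    logger.debug("received %s", sanitize_for_log(message))
    return message


def demo():
    """Run two constructed messages through the logger; return the log text."""
    stream = io.StringIO()
    logger = logging.getLogger("rpc_redaction_demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    logger.addHandler(handler)
    # Constructed sample messages (assumed shape, not captured from nova).
    messages = [
        {"method": "set_admin_password",
         "args": {"instance_id": 42, "new_pass": "s3cr3t-root"}},
        {"method": "run_instance",
         "args": {"instance_id": 43, "admin_password": "hunter2-admin"}},
    ]
    delivered = [log_received(logger, m) for m in messages]
    logger.removeHandler(handler)
    return stream.getvalue(), delivered


if __name__ == "__main__":
    print(demo()[0])
```

Redacting in place instead of on a copy would hide the secret from the log but also hand `<PASSWORD>` to the compute worker as the new root password.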
This report contains Public information  
Everyone can see this information.
