[
https://issues.apache.org/jira/browse/CLOUDSTACK-3274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13712538#comment-13712538
]
Prasanna Santhanam commented on CLOUDSTACK-3274:
------------------------------------------------
I think it's the GET request that I saw that led me to believe this was
showing in the logs which it is btw. so it's up to you how you want to handle
this. I've sanitized the request here but the secret key and access key print as
is from the request. I haven't set up SSL to see how this comes over https but
likely it comes as is:
2013-07-18 23:02:06,249 DEBUG [cloud.api.ApiServlet]
(455888271@qtp-999479248-0:null) ===START=== 127.0.0.1 -- GET
details%5B2%5D.key=usehttps&details%5B3%5D.value=ACCESS_KEY&details%5B7%5D.key=connectiontimeout&details%5B6%5D.value=s3.amazonaws.com&signature=5hCDaRnDcXSlxkUylUttTOBm83g%3D&details%5B4%5D.key=bucket&details%5B1%5D.value=acstest-objectstore&apiKey=XYCeMPDvb_WdHeivKt8vxI3pXTOeHNKlfucrquIFGzMBq3GBdlyOEpkKs-3J3fl3bqKZlBoVZSO9WKIipuzGpg&details%5B8%5D.value=objectstore&details%5B5%5D.value=SECRET_KEY&details%5B7%5D.value=300000&response=json&details%5B8%5D.key=__name__&details%5B2%5D.value=true&details%5B6%5D.key=endpoint&details%5B0%5D.value=0&details%5B4%5D.value=acstest.cloudstack.org&details%5B1%5D.key=name&details%5B5%5D.key=secretkey&details%5B3%5D.key=accesskey&provider=S3&command=addImageStore&details%5B0%5D.key=maxerrorretry
> Object_store_refactor: secretkey and accesskey of the backing store is found
> in plaintext in the logs
> -----------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3274
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3274
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Storage Controller
> Affects Versions: 4.2.0
> Reporter: Prasanna Santhanam
> Assignee: Min Chen
> Priority: Critical
> Fix For: 4.2.0
>
>
> Should we be printing the s3 store credentials in the logs in plaintext? Can
> it be sanitized?
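An added example, not CloudStack's code and not the fix made for this issue: a redaction pass for the query string before it is written to a log. In the request above the credential names and values arrive as separate indexed parameters (`details[5].key=secretkey` far away from `details[5].value=...`), so the filter pairs them by index instead of matching `name=value`. The function name, the mask string, the sample query and the choice to also mask `apiKey` and `signature` are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumption: names treated as sensitive. secretkey/accesskey are the ones the
# issue is about; apiKey and signature also appear in the logged request.
SENSITIVE = {"secretkey", "accesskey", "apikey", "signature"}
DETAIL = re.compile(r"^details\[(\d+)\]\.(key|value)$", re.IGNORECASE)
MASK = "*****"


def sanitize_query(query: str) -> str:
    """Mask sensitive values in a raw, still percent-encoded query string."""
    pairs = [p.partition("=") for p in query.split("&") if p]

    # Pass 1: collect the indexes N where details[N].key names a credential.
    # Parameter order is arbitrary, so the value may precede its key.
    sensitive_idx = set()
    for name, _, value in pairs:
        m = DETAIL.match(unquote_plus(name))
        if m and m.group(2).lower() == "key" \
                and unquote_plus(value).lower() in SENSITIVE:
            sensitive_idx.add(m.group(1))

    # Pass 2: rebuild the string, masking top-level secrets and the
    # details[N].value entries whose index was flagged in pass 1.
    out = []
    for name, sep, value in pairs:
        decoded = unquote_plus(name)
        m = DETAIL.match(decoded)
        hit = decoded.lower() in SENSITIVE or (
            m and m.group(2).lower() == "value" and m.group(1) in sensitive_idx)
        out.append(f"{name}{sep}{MASK if sep and hit else value}")
    return "&".join(out)


# Constructed sample modelled on the logged request; all values are made up.
SAMPLE = ("details%5B5%5D.value=CONSTRUCTED_SECRET&details%5B3%5D.value=CONSTRUCTED_ACCESS"
          "&apiKey=CONSTRUCTED_API_KEY&details%5B1%5D.value=acstest-objectstore"
          "&signature=abc%3D&details%5B1%5D.key=name&details%5B5%5D.key=SecretKey"
          "&details%5B3%5D.key=accesskey&command=addImageStore")

if __name__ == "__main__":
    print(sanitize_query(SAMPLE))
```
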