On 04/16/2015 08:54 AM, Yogesh Prasad wrote:
> Hi,
>
> I am wondering why screen-c-vol.log is displaying the CHAP secret.
>
> Logs:
>
> 2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
> 4ad219788df049e0b131e17f603d5faa - - -] CMD "sudo cinder-rootwrap
> /etc/cinder/rootwrap.conf iscsiadm -m node -T
> iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
> 192.10.44.48:3260 --op update -n* node.session.auth.password -v ***"
> returned:* 0 in 0.088s execute
> /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
>
> Above log hides the secret.
>
> 2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
> [req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
> 4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n',
> 'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout=
> stderr= _run_iscsiadm
> /opt/stack/cinder/cinder/brick/initiator/connector.py:455
>
> However, this one does not hide the secret.
>
> In addition, I find that the CHAP credentials are stored as a plain string
> in the database table (volumes).
>
> I guess these are security risks in the current implementation. Any
> comments?
Hi Yogesh,

We can't realistically consider DEBUG logs a security risk. The real issue, in my opinion, is that services are run in DEBUG mode in production... Also, the database content is considered sensitive and should not be available to users.

Though I agree with you, and both issues should be considered security hardening (hide passwords in debug logs, and use encrypted storage so that only the service could decrypt the passwords).

Thanks for raising these issues,
Tristan
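The hardening Tristan mentions for the first issue, masking the CHAP secret before the `_run_iscsiadm` debug line is emitted, can be done on the argv itself rather than on the formatted string that oslo's processutils already masks. The following is an added example and not cinder's or oslo's own code; `SECRET_PARAMS`, the function names and the sample command lines are assumptions made for this example, and the secret values in it are dummies. iscsiadm accepts `-n NAME` and `-v VALUE` in either order, so the masker first decides whether any named parameter is a secret and only then hides every `-v` value.

```python
import logging
import shlex

# iscsiadm parameters whose '-v' value is a CHAP secret. This set is an
# assumption for this example: it holds the parameter from the log line in
# the thread plus the other CHAP password parameters open-iscsi accepts.
SECRET_PARAMS = frozenset({
    "node.session.auth.password",
    "node.session.auth.password_in",
    "discovery.sendtargets.auth.password",
    "discovery.sendtargets.auth.password_in",
})
MASK = "***"


def _names_in(args):
    """Yield the parameter names given with -n/--name in an iscsiadm argv."""
    for i, a in enumerate(args):
        if a in ("-n", "--name") and i + 1 < len(args):
            yield args[i + 1]
        elif a.startswith("--name="):
            yield a.split("=", 1)[1]


def mask_iscsiadm_args(args):
    """Return a copy of an iscsiadm argv with secret values replaced by MASK.

    Only invocations that name a secret parameter are touched; a username
    update or a plain login is returned unchanged.
    """
    args = list(args)
    if not any(n in SECRET_PARAMS for n in _names_in(args)):
        return args
    for i, a in enumerate(args):
        if a in ("-v", "--value") and i + 1 < len(args):
            args[i + 1] = MASK
        elif a.startswith("--value="):
            args[i] = "--value=" + MASK
    return args


def mask_iscsiadm_command(cmd):
    """Mask a full command line (e.g. one built for cinder-rootwrap) as a string."""
    return shlex.join(mask_iscsiadm_args(shlex.split(cmd)))


def log_iscsiadm_call(log, iscsi_command, stdout="", stderr=""):
    """Emit the same debug trace as the thread's second log line, minus the secret.

    Returns the masked argv so callers (and tests) can check what was logged.
    """
    masked = tuple(mask_iscsiadm_args(iscsi_command))
    log.debug("iscsiadm %s: stdout=%s stderr=%s", masked, stdout, stderr)
    return list(masked)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    # Constructed argv mirroring the thread's log line; the secret is a dummy.
    call = ("--op", "update", "-n", "node.session.auth.password",
            "-v", "fakeauthgroupchapsecret")
    log_iscsiadm_call(logging.getLogger("example"), call)
    # Constructed rootwrap command line with a documentation-range address.
    print(mask_iscsiadm_command(
        "sudo cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m node "
        "-T iqn.2015-04.example:target -p 192.0.2.10:3260 --op update "
        "-n node.session.auth.password -v fakeauthgroupchapsecret"))
```

Masking the argument list rather than pattern-matching the rendered string means the check does not depend on how the logger formats the tuple, and the same masked list can be passed to any other trace (rootwrap, processutils) the driver emits. It addresses only the log leak; the plaintext storage of the credential in the volumes table is the separate hardening item the reply mentions.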
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev