Thanks. It makes sense. The other questions are, would Heartbleed be a potential risk? Which solution is being used in OpenStack SSL?
On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham <[email protected]> wrote:
> This is why any production API servers should all be running TLS/SSL – to protect the confidentiality of messages in flight.
>
> There have been efforts to remove sensitive information from logs, I’m a little surprised that passwords are logged in Neutron.
>
> *From:* Hao Wang [mailto:[email protected]]
> *Sent:* 29 April 2014 14:06
> *To:* [email protected]
> *Cc:* openstack; Aaron Knister
> *Subject:* Re: [Openstack-security] [Openstack] API Security
>
> Adding security group...
>
> On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <[email protected]> wrote:
>
> It is the client. I got this message with DEBUG enabled:
>
> curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'
>
> It can be seen that username and password are right in the message.
>
> Hao
>
> On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <[email protected]> wrote:
>
> Was it the client or the server that exposed the credentials?
>
> Sent from my iPhone
>
> On Apr 26, 2014, at 2:28 PM, Hao Wang <[email protected]> wrote:
>
> Hi,
>
> I am troubleshooting a neutron case. It was just found that if DEBUG was enabled, neutron would print out JSON data with username and password. I am wondering what kind of protocol is used in production environment to prevent this security risk from happening.
>
> Thanks,
>
> Hao
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
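The thread names two complementary mitigations: TLS for the request in flight, and stripping sensitive fields before they reach a log. Neither comes with code on the list, so the following is an added example (mine, not OpenStack's, Neutron's or any poster's code) of the log-side half: masking credential fields in a request body before a DEBUG statement writes it out. The key list, the helper names and the sample inputs are assumptions constructed for this example; the request body mirrors the Keystone v2 token request quoted above.

```python
import json
import re

# Keys whose values must never reach a log line. This list is an assumption
# for the example; extend it with whatever secret-bearing fields your payloads carry.
SENSITIVE_KEYS = {"password", "token", "secret", "auth_token", "apikey"}
MASK = "***"

# Matches '"password": "value"' (any listed key, case-insensitive) inside raw text,
# tolerating escaped quotes in the value, for log lines that are not clean JSON.
_SECRET_IN_TEXT = re.compile(
    r'("(?:%s)"\s*:\s*")(?:[^"\\]|\\.)*(")'
    % "|".join(map(re.escape, SENSITIVE_KEYS)),
    re.IGNORECASE,
)


def mask_secrets(obj):
    """Return a copy of a decoded JSON structure with secret values replaced.

    Recurses through nested dicts and lists, so the
    auth -> passwordCredentials -> password nesting of the Keystone v2
    token request quoted in the thread is handled without special-casing.
    """
    if isinstance(obj, dict):
        return {
            key: (MASK if str(key).lower() in SENSITIVE_KEYS else mask_secrets(value))
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [mask_secrets(item) for item in obj]
    return obj


def safe_for_log(text):
    """Scrub a request body or a raw debug line before it is logged.

    Structured JSON is parsed and masked field by field; anything else
    (for example a reconstructed curl command) falls back to the regex
    scrubber, so the logging call never raises and never emits a secret.
    """
    try:
        return json.dumps(mask_secrets(json.loads(text)))
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return _SECRET_IN_TEXT.sub(r"\g<1>%s\g<2>" % MASK, text)


# Constructed samples modelled on the thread: the token request body that
# neutron printed at DEBUG level, and the equivalent curl invocation.
TOKEN_REQUEST_BODY = (
    '{"auth": {"tenantName": "admin", '
    '"passwordCredentials": {"username": "admin", "password": "admin"}}}'
)
CURL_DEBUG_LINE = (
    "curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST "
    '-H "Content-Type: application/json" -d \'' + TOKEN_REQUEST_BODY + "'"
)


def scrubbed_samples():
    """Run both inputs through the scrubber; returned so a caller can check them."""
    return {
        "body": safe_for_log(TOKEN_REQUEST_BODY),
        "curl": safe_for_log(CURL_DEBUG_LINE),
        "structured": mask_secrets(json.loads(TOKEN_REQUEST_BODY)),
    }


if __name__ == "__main__":
    for name, value in scrubbed_samples().items():
        print("%s: %s" % (name, value))
```

The two mitigations do not overlap: TLS keeps the body confidential between client and API server, while masking decides what lands on disk once the server has it. Put the scrubber in the logging call path (a log filter or a wrapper around the debug call) rather than at each call site, so a new debug statement cannot reintroduce the leak.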
