OK, this is confusing. Let me try to get an accurate picture of affected
versions:
oslo-incubator contains affected code in master (patched), stable/icehouse (in
review) and stable/havana
That code was copied in:
Neutron: Juno (patched), Icehouse
Ceilometer: Icehouse (in review), Havana
Then it was adopted in:
pyCADF all versions <= 0.5 (0.5.1 contains the fix)
My understanding is that oslo.messaging is not affected.
** Changed in: ceilometer
Status: In Progress => Invalid
** Also affects: ceilometer/havana
Importance: Undecided
Status: New
** Also affects: ceilometer/icehouse
Importance: Undecided
Status: New
** Changed in: ceilometer/icehouse
Status: New => In Progress
** Also affects: oslo/havana
Importance: Undecided
Status: New
** Also affects: oslo/icehouse
Importance: Undecided
Status: New
** Changed in: oslo/icehouse
Status: New => In Progress
** Changed in: pycadf
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1321080
Title:
auth token is exposed in meter http.request
Status in OpenStack Telemetry (Ceilometer):
Invalid
Status in Ceilometer havana series:
New
Status in Ceilometer icehouse series:
In Progress
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in neutron icehouse series:
New
Status in Oslo - a Library of Common OpenStack Code:
Fix Committed
Status in oslo havana series:
New
Status in oslo icehouse series:
In Progress
Status in OpenStack Security Advisories:
Triaged
Status in pyCADF:
Fix Released
Bug description:
auth token is exposed in meter http.request
# curl -i -X GET -H 'X-Auth-Token: 258ab6539b3b4eae8b3af307b8f5eadd' -H 'Content-Type: application/json' -H 'Accept: application/json' -H 'User-Agent: python-ceilometerclient' http://0.0.0.0:8777/v2/meters/http.request
-----------
snip..
{"counter_name": "http.request",
 "user_id": "0",
 "resource_id": "ip-9-37-74-33:8774",
 "timestamp": "2014-05-16T17:42:16.851000",
 "recorded_at": "2014-05-16T17:42:17.039000",
 "resource_metadata": {
   "request.CADF_EVENT:initiator:host:address": "9.44.143.6",
   "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
   "request.RAW_PATH_INFO": "/v2/9af97e383dad44969bd650ebd55edfe0/servers/060c76a5-0031-430d-aa1e-01f9b3db234b",
   "request.REQUEST_METHOD": "DELETE",
   "event_type": "http.request",
   "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0",
   "request.CADF_EVENT:typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
   "request.HTTP_X_PROJECT_NAME": "ibm-default",
   "host": "nova-api",
   "request.SERVER_PORT": "8774",
   "request.REMOTE_PORT": "55258",
   "request.HTTP_X_USER_ID": "0",
   "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478",
   "request.CADF_EVENT:action": "delete",
   "request.CADF_EVENT:target:typeURI": "service/compute/servers/server",
   "request.HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
snip...
auth token is masked in "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478".
But it is exposed in "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478".
To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1321080/+subscriptions
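The masking the report shows on the CADF credential field, applied to the raw header copy as well, as an added Python example (not Ceilometer's, Neutron's or pyCADF's own code): it works on a constructed resource_metadata dict trimmed from the sample above, and the list of header names treated as tokens is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the http.request meter payload from
# the bug report, CADF field already masked, raw header still in the clear.
SAMPLE_METADATA = {
    "request.CADF_EVENT:initiator:credential:token": "4724 xxxxxxxx 8478",
    "request.HTTP_X_AUTH_TOKEN": "4724d3dd6b984079a58eecf406298478",
    "request.HTTP_X_TENANT_ID": "9af97e383dad44969bd650ebd55edfe0",
    "request.REQUEST_METHOD": "DELETE",
}

# Assumed list of WSGI environ header names whose values must never be
# copied into a meter unmasked.
SENSITIVE_KEYS = ("HTTP_X_AUTH_TOKEN", "HTTP_X_SERVICE_TOKEN",
                  "HTTP_X_STORAGE_TOKEN")


def mask_token(token, keep=4):
    """Mask the way the CADF credential field does: keep the first and
    last `keep` characters and replace the middle with x's."""
    if not token or len(token) <= 2 * keep:
        return "xxxxxxxx"
    return "%s xxxxxxxx %s" % (token[:keep], token[-keep:])


def is_sensitive(key):
    # Keys arrive as "request.<ENVIRON_NAME>"; compare on the last segment.
    name = key.rsplit(".", 1)[-1]
    return name.upper() in SENSITIVE_KEYS


def sanitize_metadata(metadata):
    """Return a copy of resource_metadata with token headers masked."""
    return {k: (mask_token(v) if is_sensitive(k) else v)
            for k, v in metadata.items()}


def find_exposed_tokens(metadata):
    """Detection side: keys that carry an unmasked 32-hex token. The check
    is tied to the key name, because tenant IDs are also 32 hex characters
    and a bare value regex would flag them too."""
    hex32 = re.compile(r"^[0-9a-f]{32}$")
    return sorted(k for k, v in metadata.items()
                  if is_sensitive(k) and isinstance(v, str) and hex32.match(v))
```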
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp