** No longer affects: glance

https://bugs.launchpad.net/bugs/1470740

Title: swiftclient disclose token in debug logs

Status in OpenStack Security Notes: New
Status in Python client library for Swift: New

Bug description:

Setup: juno. Nova, glance + swiftclient.

glance-api.conf (important parts):

[DEFAULT]
debug = true
logging_context_format_string=%(name)s[%(process)d]: %(levelname)s %(instance)s%(message)s [%(request_id)s %(user)s %(tenant)s]
logging_default_format_string=%(name)s[%(process)d]: %(levelname)s %(instance)s%(message)s
logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
logging_exception_prefix=%(name)s[%(process)d]: TRACE %(instance)s
default_store = swift
use_syslog = True
syslog_log_facility = LOG_LOCAL2
swift_store_auth_address = https://my.hand.disclosing.corporte.url:5000/v2.0
swift_store_user = tenant:user
swift_store_key = sexgodqwerty123456love

Result in remote syslog:

DEBUG REQ: curl -i https://my.hand.disclosing.corporte.url:8080/v1/OMG_47e02d5a461148ef9f9dab62ea0ba64b/region/6a66d8dc-5748-4cb5-9db5-b12ab0d1c698-00007 -X PUT -H "X-Auth-Token: 6f64276e2074726461650a6d" http_log /usr/lib/python2.7/dist-packages/swiftclient/client.py:95

Versions:

ii python-swift 2.2.0-0ubuntu1~cloud0 all distributed virtual object store - Python libraries
ii python-swiftclient 1:2.3.0-0ubuntu1~cloud0 all Client library for Openstack Swift API.
ii glance-api 1:2014.2.3-0-ownbuild all OpenStack Image Registry and Delivery Service - API
ii glance-common 1:2014.2.3-ownbuild all OpenStack Image Registry and Delivery Service - Common
ii python-glance 1:2014.2.3-0ownbuild all OpenStack Image Registry and Delivery Service - Python library
ii python-glance-store 0.1.8-1ubuntu2~cloud0 all OpenStack Image Service store library - Python 2.x
ii python-glanceclient 1:0.14.0-0ubuntu1~cloud0 all Client library for Openstack glance server.

Impact:

1) An unprivileged employee with access to the logging facility may get access to glance images, including snapshots of the tenants.
2) Syslog is transmitted unencrypted over UDP or TCP and may be viewed by an unauthorized person.

Expected behavior: Complete or partial token masking in logs, e.g.:

DEBUG REQ: curl -i https://my.hand.disclosing.corporte.url:8080/v1/OMG_47e02d5a461148ef9f9dab62ea0ba64b/region/6a66d8dc-5748-4cb5-9db5-b12ab0d1c698-00007 -X PUT -H "X-Auth-Token: 6****************d" http_log /usr/lib/python2.7/dist-packages/swiftclient/client.py:95
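The masking the reporter asks for, as an added example that is not code from the bug report or from swiftclient: it scrubs credential headers out of a curl-style REQ line and wraps that in a logging.Filter so the scrub happens before a syslog handler emits the record. The header list, the helper names and the sample line are assumptions made for this example.

```python
import logging
import re

# Assumed set of headers that carry credentials and must never reach syslog.
SENSITIVE_HEADERS = frozenset(
    h.lower() for h in ("x-auth-token", "x-storage-token", "x-auth-key", "x-service-token"))

# Matches one `-H "Name: value"` argument of the curl command in a REQ line.
_CURL_HEADER_RE = re.compile(r'-H "([^":]+): ([^"]*)"')


def mask_secret(value, keep=1):
    """Keep `keep` chars at each end, replace the middle with a fixed 16 asterisks.

    A fixed-width mask avoids leaking the token length; very short values are
    masked completely. "6f64...0a6d" becomes "6****************d".
    """
    if len(value) <= 2 * keep:
        return "*" * 16
    return value[:keep] + "*" * 16 + value[-keep:]


def scrub_curl_line(line):
    """Return `line` with the values of sensitive headers masked; others untouched."""
    def _sub(match):
        name, value = match.group(1), match.group(2)
        if name.lower() in SENSITIVE_HEADERS:
            return '-H "%s: %s"' % (name, mask_secret(value))
        return match.group(0)
    return _CURL_HEADER_RE.sub(_sub, line)


class TokenScrubFilter(logging.Filter):
    """Attach to the handler (e.g. SysLogHandler) so every record is scrubbed
    after formatting of its args but before it leaves the process."""
    def filter(self, record):
        record.msg = scrub_curl_line(record.getMessage())
        record.args = ()  # args already interpolated; prevent a second % pass
        return True


if __name__ == "__main__":
    # Constructed REQ line in the shape swiftclient's debug output takes.
    sample = ('REQ: curl -i https://swift.example.invalid:8080/v1/AUTH_demo/c/o '
              '-X PUT -H "X-Auth-Token: 6f64276e2074726461650a6d" -H "Content-Length: 0"')
    log = logging.getLogger("swiftclient")
    handler = logging.StreamHandler()
    handler.addFilter(TokenScrubFilter())
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.debug(sample)
```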

