yahoo-eng-team team mailing list archive
Message #14521
[Bug 1321785] [NEW] RFE: block_device_info dict should have a password key rather than clear password
Public bug reported:
See bug 1319943 and the related patch
https://review.openstack.org/#/c/93787/ for details, but right now the
block_device_info dict passed around in the nova virt driver can contain
a clear text password for the auth_password key.
That bug and patch mask the password when it is logged in the immediately
known locations, but this could continue to crop up, so we should change
the design such that the block_device_info dict doesn't contain the
password but rather a key to a store from which nova can retrieve the
password for use.
Comment from Daniel Berrange in the patch above:
"Long term I think we need to figure out a way to remove the passwords
from any data dicts we pass around. Ideally the block device info would
merely contain something like a UUID to identify a password, which Nova
could use to fetch the actual password from a secure password manager
service at time of use. Thus we wouldn't have to worry about random
objects/dicts containing actual passwords. Obviously this isn't
something we can do now, but could you file an RFE to address this from
a design POV, because masking passwords at time of logging call is not
really a viable long term strategy IMHO."
** Affects: nova
Importance: Undecided
Status: New
** Tags: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1321785
Title:
RFE: block_device_info dict should have a password key rather than
clear password
Status in OpenStack Compute (Nova):
New
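The design contrast the report and Daniel Berrange's comment describe, shown as an added Python example (not nova code): a dict that carries the clear password and is masked at log time, beside a dict that carries only an opaque UUID reference that is resolved from a store at the point of use. SecretStore, build_bdi_by_reference, attach_volume and the auth_password_ref / discovery_auth_password keys are hypothetical names, and every secret, user name and address is a constructed sample value.

```python
"""Secrets by reference instead of secrets by value.

Added example, not nova code. SecretStore, build_bdi_by_reference,
attach_volume, auth_password_ref and discovery_auth_password are
hypothetical; all secrets and addresses are constructed samples.
"""
import json
import uuid

# Two constructed sample secrets (not real credentials).
CHAP_SECRET = "constructed-chap-secret-A"
DISCOVERY_SECRET = "constructed-discovery-secret-B"


def render_for_log(obj) -> str:
    """Stand-in for what a log call does with a dict: serialise it."""
    return json.dumps(obj, sort_keys=True)


def leaked_values(rendered: str, secrets) -> list:
    """Return the secrets that appear verbatim in a rendered string."""
    return [s for s in secrets if s in rendered]


# --- Approach 1: carry the clear text, mask at logging time ---------------
# The masker only knows the key names somebody remembered to list.
KNOWN_SECRET_KEYS = ("auth_password",)


def mask_known_keys(info: dict) -> dict:
    """Copy of info with the values of known secret keys replaced by '***'."""
    return {k: ("***" if k in KNOWN_SECRET_KEYS else v) for k, v in info.items()}


def mask_at_log_time_demo() -> list:
    """The dict carries both secrets; the one under a key the masker was
    never taught about (hypothetical discovery_auth_password) reaches the log."""
    data = {
        "auth_method": "CHAP",
        "auth_username": "constructed-user",
        "auth_password": CHAP_SECRET,
        "discovery_auth_password": DISCOVERY_SECRET,  # hypothetical later addition
    }
    rendered = render_for_log(mask_known_keys(data))
    return leaked_values(rendered, [CHAP_SECRET, DISCOVERY_SECRET])


# --- Approach 2: carry an opaque reference, resolve at the point of use ----
class SecretStore:
    """Hypothetical in-process stand-in for a secret manager service."""

    def __init__(self):
        self._secrets = {}

    def put(self, secret: str) -> str:
        """Store a secret and return the opaque UUID that identifies it."""
        ref = str(uuid.uuid4())
        self._secrets[ref] = secret
        return ref

    def get(self, ref: str) -> str:
        """Resolve a reference; an unknown reference raises KeyError."""
        return self._secrets[ref]


def build_bdi_by_reference(store: SecretStore, portal: str, secret: str) -> dict:
    """block_device_info-shaped dict that holds a reference, never the secret."""
    return {
        "connection_info": {
            "driver_volume_type": "iscsi",
            "data": {
                "target_portal": portal,
                "auth_method": "CHAP",
                "auth_username": "constructed-user",
                "auth_password_ref": store.put(secret),  # hypothetical key
            },
        }
    }


def attach_volume(store: SecretStore, bdi: dict) -> dict:
    """Resolve the secret only here, for the short-lived connector call.
    The returned dict is the connector argument and is never logged."""
    data = bdi["connection_info"]["data"]
    return {
        "target_portal": data["target_portal"],
        "auth_password": store.get(data["auth_password_ref"]),
    }


def by_reference_demo() -> tuple:
    """Return (values leaked by logging the dict, password the connector got)."""
    store = SecretStore()
    bdi = build_bdi_by_reference(store, "192.0.2.10:3260", CHAP_SECRET)
    rendered = render_for_log(bdi)  # safe to log from any call site
    connector_args = attach_volume(store, bdi)
    return leaked_values(rendered, [CHAP_SECRET]), connector_args["auth_password"]


if __name__ == "__main__":
    print("mask at log time leaks:", mask_at_log_time_demo())
    print("by reference (leaks, connector password):", by_reference_demo())
```

The first demo is the situation the report describes: masking has to know every key and every call site, so one new key or one new log statement reopens the leak. In the second, the dict that gets passed around and logged contains nothing worth masking, and the password exists only inside the store and in the connector arguments for the duration of the call.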