yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Robert Clark <1465922@xxxxxxxxxxxxxxxxxx>
Date: Sun, 15 Nov 2015 16:28:12 -0000
Reply-to: Bug 1465922 <1465922@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

We would typically issue an OSSN for such behaviour, it's somewhat
boilerplate but it's important to document the issue, particularly as a
number of production workloads run in debug mode.

I also think it's interesting that Bandit didn't catch this, it's pretty
good at finding these sorts of issues.

** Also affects: bandit
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465922

Title:
  Password visible in clear text in keystone.log when user created and
  keystone debug logging is enabled

Status in Bandit:
  New
Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) juno series:
  Fix Committed
Status in OpenStack Identity (keystone) kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  grep CLEARTEXTPASSWORD keystone.log

  2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-]
  RBAC: Authorizing identity:create_user(user={u'domain_id': u'default',
  u'password': u'CLEARTEXTPASSWORD', u'enabled': True,
  u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name':
  u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-
  packages/keystone/common/controller.py:57

  Issue code:
  https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

      LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
          'action': action,
          'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

  Shadow the values of sensitive fields like 'password' by some
  meaningless garbled text like "XXXXX" is one way to fix.

  Well, in addition to this, I think we should never pass the 'password'
  with its original value along the code and save it in any persistence,
  instead we should convert it to a strong hash value as early as
  possible. With the help of a good hash system, we never have to need
  the original value of the password, right?

To manage notifications about this bug go to:
https://bugs.launchpad.net/bandit/+bug/1465922/+subscriptions