yahoo-eng-team team mailing list archive: Message #91894
[Bug 2012993] Re: Unredacted X-Auth-Token logged at level DEBUG in nova-api when HTTP status code != 2xx
Reviewed: https://review.opendev.org/c/openstack/nova/+/882052
Committed: https://opendev.org/openstack/nova/commit/6833695e70bba31b84a0a19301657bc59ae1710b
Submitter: "Zuul (22348)"
Branch: master
commit 6833695e70bba31b84a0a19301657bc59ae1710b
Author: Sylvain Bauza <sbauza@xxxxxxxxxx>
Date: Tue May 2 15:51:28 2023 +0000
Revert "Debug Nova APIs call failures"
This reverts commit afb0f774841d30dcae9c074d524e7fa9be840678.
Reason for revert:
We unfortunately leak the token in the logs which is considered a security flaw, even if only provided on DEBUG level.
Change-Id: I52b52e65b689dadbdb08122c94652c491f850de6
Closes-Bug: #2012993
** Changed in: nova
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2012993
Title:
Unredacted X-Auth-Token logged at level DEBUG in nova-api when HTTP status code != 2xx
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Noticed this while working on something else: if the API is going to return a non-2xx (non-success) HTTP status code, a lot of request details are logged, including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https://review.opendev.org/c/openstack/nova/+/806683
These are logged a lot when using OSC + server names because OSC always tries to look up a name as a UUID (which will fail with 404) before it falls back on trying it as an ID. So commands such as 'openstack server show MyServer' will produce debug logs like the following.
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW
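The failure-capture message above printed every request header verbatim, which is how the token reached the log. As an added example, not nova's code or part of this bug thread, the Python below renders a failed request in the same shape but masks secret headers first, and adds a scanner an operator can run over existing nova-api logs to find tokens that already leaked. It assumes the X-Subject-Token and X-Service-Token header names as further Keystone headers beyond the one in the report, and the sample request and token value are constructed.

```python
import re

# Headers whose values must never reach a log at any level. X-Auth-Token is
# the header from the bug report; the other two are further Keystone token
# headers assumed here for illustration.
SENSITIVE_HEADERS = frozenset({"x-auth-token", "x-subject-token", "x-service-token"})

def redact_headers(headers):
    """Return a copy of headers with every sensitive value replaced by '***'."""
    return {name: ("***" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}

def format_failed_request(method, path, headers, version="HTTP/1.1"):
    """Render a request like the reverted nova debug message did
    ("request: GET /path HTTP/1.1", then one header per line), but with
    secret headers masked so the text is safe to emit at DEBUG."""
    lines = [f"request: {method} {path} {version}"]
    for name, value in sorted(redact_headers(headers).items()):
        lines.append(f"{name}: {value}")
    return "\n".join(lines)

# A Keystone Fernet token starts with the Fernet version byte 0x80 followed
# by a 64-bit timestamp whose high bytes are zero, which base64-encodes to
# the "gAAAAA" prefix seen in the bug's log excerpt; the rest is urlsafe
# base64. Matching that shape lets an audit spot tokens in existing logs.
FERNET_TOKEN_RE = re.compile(r"gAAAAA[A-Za-z0-9_-]{20,}")

def find_leaked_tokens(log_text):
    """Return (line_number, abbreviated_token) for each token-shaped string
    found in log text, so the finding itself does not repeat the secret."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in FERNET_TOKEN_RE.finditer(line):
            token = match.group(0)
            hits.append((lineno, token[:6] + "..." + token[-4:]))
    return hits

if __name__ == "__main__":
    # Constructed sample request; the token value is made up, not a real one.
    headers = {"Accept": "application/json", "Host": "192.168.44.11",
               "X-Auth-Token": "gAAAAABkIj7cEXAMPLEEXAMPLEEXAMPLEEXAMPLE"}
    print(format_failed_request("GET", "/compute/v2.1/servers/test", headers))
    unsafe_log = "DEBUG nova.api.openstack.wsgi Request method failure captured:\n" \
                 "X-Auth-Token: gAAAAABkIj7cEXAMPLEEXAMPLEEXAMPLEEXAMPLE\n"
    print(find_leaked_tokens(unsafe_log))  # [(2, 'gAAAAA...MPLE')]
```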