yahoo-eng-team team mailing list archive
Message #93671
[Bug 2030976] Re: oslo notifications sending sensitive tokens
** Changed in: nova
Status: Confirmed => Fix Released
** Changed in: ossa
Status: Confirmed => Fix Released
** Changed in: oslo.messaging
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2030976
Title:
oslo notifications sending sensitive tokens
Status in Ironic:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Status in oslo.messaging:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
Hi,
I have configured an OpenStack deployment to send Ironic service
notifications using oslo_messaging_notifications[1] and noticed that
Keystone tokens are being sent in the
['oslo.message']['_context_auth_token'] field of the message payload.
- I have confirmed that the auth token is leaked using both a Kafka and a RabbitMQ backend
- I have also confirmed that both the messaging and messagingv2 options under oslo_messaging_notifications.driver are impacted[2]
- I am using the Victoria version of OpenStack and I have not confirmed if this has been patched on newer versions
1) https://docs.openstack.org/ironic/latest/admin/notifications.html
2) https://docs.openstack.org/ironic/victoria/configuration/sample-config.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ironic/+bug/2030976/+subscriptions
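As a defender-side illustration added here (not code from the bug report, Ironic or oslo.messaging), the following Python snippet inspects an oslo.messaging notification envelope for the `_context_auth_token` field named in the report and redacts it before the message is forwarded to a consumer or written to a log. The envelope shape (an outer dict carrying a JSON-encoded `oslo.message` string), the sample event and the token value are constructed for the example; the key names in `SENSITIVE_CONTEXT_KEYS` other than `_context_auth_token` are assumptions about similarly sensitive context fields, not keys the bug report mentions.

```python
import json

# Constructed sample envelope in the shape oslo.messaging places on the broker:
# the outer dict carries a JSON-encoded "oslo.message" string whose keys include
# the serialized request context (prefixed "_context_"). Values are fake.
SAMPLE_ENVELOPE = {
    "oslo.version": "2.0",
    "oslo.message": json.dumps({
        "message_id": "00000000-0000-0000-0000-000000000000",  # constructed
        "event_type": "baremetal.node.power_set.end",           # constructed
        "_context_user_id": "example-user",
        "_context_project_id": "example-project",
        "_context_auth_token": "gAAAAAB-constructed-token-not-real",
        "payload": {"ironic_object.data": {"uuid": "constructed-node-uuid"}},
    }),
}

# Context keys whose values must never reach a notification consumer.
# _context_auth_token is the field from the bug report; the others are assumptions.
SENSITIVE_CONTEXT_KEYS = frozenset({
    "_context_auth_token",
    "_context_service_token",  # assumption
    "_context_password",       # assumption
})


def _load_message(envelope):
    """Return (message dict, was_json_string) without mutating the envelope."""
    msg = envelope.get("oslo.message")
    if isinstance(msg, str):
        return json.loads(msg), True
    return dict(msg or {}), False


def find_leaked_keys(envelope):
    """List sensitive context keys that carry a non-empty value in the envelope."""
    msg, _ = _load_message(envelope)
    return sorted(k for k, v in msg.items() if k in SENSITIVE_CONTEXT_KEYS and v)


def scrub_envelope(envelope):
    """Return a copy of the envelope with sensitive context values set to None.

    The key is kept (with a None value) so consumers that index the context
    dict by key keep working; only the secret is removed.
    """
    msg, was_string = _load_message(envelope)
    for key in SENSITIVE_CONTEXT_KEYS:
        if key in msg:
            msg[key] = None
    cleaned = dict(envelope)
    cleaned["oslo.message"] = json.dumps(msg) if was_string else msg
    return cleaned


def get_context_value(envelope, key):
    """Read one field from the inner message (used for verification)."""
    msg, _ = _load_message(envelope)
    return msg.get(key)


def audit_envelopes(envelopes):
    """Count, per sensitive key, how many envelopes in a captured batch leak it."""
    counts = {}
    for env in envelopes:
        for key in find_leaked_keys(env):
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("leaked keys:", find_leaked_keys(SAMPLE_ENVELOPE))
    cleaned = scrub_envelope(SAMPLE_ENVELOPE)
    print("after scrub:", find_leaked_keys(cleaned))
    print("batch audit:", audit_envelopes([SAMPLE_ENVELOPE, cleaned]))
```

`find_leaked_keys` is the detection half (run it over a sample of messages pulled from the notification topic to confirm whether a deployment is affected) and `scrub_envelope` is the mitigation half for a relay or consumer that must not persist tokens; both operate on the broker-side JSON shape, so they work regardless of whether the `messaging` or `messagingv2` driver produced the message.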