
yahoo-eng-team team mailing list archive

[Bug 2095304] Re: Glance reveal S3 backend credentials during image creation

 

Reviewed:  https://review.opendev.org/c/openstack/glance/+/940358
Committed: https://opendev.org/openstack/glance/commit/33fa9596ebbd7ed16e2bbdba5fab2f6eeb8eb5c2
Submitter: "Zuul (22348)"
Branch:    master

commit 33fa9596ebbd7ed16e2bbdba5fab2f6eeb8eb5c2
Author: Abhishek Kekane <akekane@xxxxxxxxxx>
Date:   Wed Jan 22 07:03:28 2025 +0000

    Remove S3 credentials from debug log
    
    While sorting image locations using store weight, glance logs a
    debug message which logs secret and access key for s3 backend.
    
    Removing the debug log to avoid leaking of the s3 credentials.
    
    Closes-Bug: #2095304
    SecurityImpact
    
    Change-Id: I24073c1b1e5ea92357d9a774e6c9c9cbf0980a44


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/2095304

Title:
  Glance reveal S3 backend credentials during image creation

Status in Glance:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  During image creation glance reveals the S3 store key and access key

  How to reproduce:
  1. Configure glance with S3 backend
  2. glance --insecure image-create --disk-format raw --container-format bare  --file <> --name <>

  glance logs:
  Jan 13 09:09:38 devstack devstack@g-api.service[1434220]: DEBUG glance.common.utils [None req-ff4ed7e1-5021-41a1-ab0a-c43452d481de demo demo] Sorted locations: [{'id': 7, 'url': 's3://02e880cfae0e457ea0be2820ce7177e0:03cf1105dae44fc696df5542ce1c3d11@127.0.0.1:8080/images/1efdcef2-0eb8-4b8c-9e0f-91f7434be5dc', 'metadata': {'store': 's3_fast'}, 'status': 'active'}] {{(pid=1434220) sort_image_locations /opt/stack/glance/glance/common/utils.py:735}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/2095304/+subscriptions
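
Added example, not part of the original message and not glance's own code (the committed fix removes the debug statement instead): a standard-library way to mask the access key and secret key in S3 location URLs of the form shown in the log above, usable both to scan existing logs for this leak and as a handler-level logging filter. The names `redact_store_urls`, `find_leaks`, `RedactStoreCredentials` and the placeholder keys in the sample lines are assumptions made for illustration.

```python
import logging
import re

# Userinfo of an S3 store location URL: s3://ACCESS_KEY:SECRET_KEY@host/...
# (s3+http:// and s3+https:// are matched too). Hypothetical helper names.
CRED_URL = re.compile(r"\b(s3(?:\+https?)?://)[^:/@\s'\"]+:[^@\s'\"]+@")


def redact_store_urls(text):
    """Mask the access key and secret key in every S3 location URL in text."""
    return CRED_URL.sub(r"\1***:***@", text)


def find_leaks(lines):
    """Return (line_number, redacted_line) for each line exposing credentials."""
    return [(n, redact_store_urls(line))
            for n, line in enumerate(lines, 1) if CRED_URL.search(line)]


class RedactStoreCredentials(logging.Filter):
    """Attach to a handler so records from every logger are masked on output."""

    def filter(self, record):
        record.msg = redact_store_urls(record.getMessage())
        record.args = ()  # message is already formatted
        return True


# Constructed sample lines modelled on the log line in the bug description;
# the keys are placeholders, not real credentials.
SAMPLE_LOG = [
    "DEBUG glance.common.utils [None req-0000 demo demo] Sorted locations: "
    "[{'id': 7, 'url': 's3://EXAMPLEACCESSKEY:EXAMPLESECRETKEY@127.0.0.1:8080"
    "/images/0000', 'metadata': {'store': 's3_fast'}, 'status': 'active'}]",
    "INFO glance.api [None req-0001 demo demo] Image 0000 created",
]

if __name__ == "__main__":
    for number, line in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {line}")

    handler = logging.StreamHandler()
    handler.addFilter(RedactStoreCredentials())
    log = logging.getLogger("demo")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.debug("Sorted locations: %s", [{"url": "s3://EXAMPLEACCESSKEY:EXAMPLESECRETKEY@127.0.0.1/x"}])
```

Keys that already reached log files or a log aggregator stay exposed after the fix, so a hit from `find_leaks` on historical logs is a reason to rotate the S3 credentials.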