Full service token is shown in logs

Bug #1654847 reported by Matt Riedemann
Affects                Status        Importance  Assigned to  Milestone
keystoneauth           Fix Released  Critical    Tin Lam
  Mitaka               Fix Released  Critical    Tin Lam
  Newton               Fix Released  Critical    Tin Lam
python-keystoneclient  Fix Released  High        Tin Lam
  Mitaka               Fix Released  High        Tin Lam
  Newton               Fix Released  High        Tin Lam

Bug Description

The user token is hashed in the logs but it looks like the service token isn't, seen here:

http://logs.openstack.org/45/417645/1/check/gate-novaclient-dsvm-functional-neutron-ubuntu-xenial/cc21d78/logs/screen-n-api.txt.gz#_2017-01-08_03_35_22_059

2017-01-08 03:35:22.059 29520 DEBUG cinderclient.v2.client [req-d1cb5069-a50b-42af-bf9b-82c34233a409 admin admin] REQ: curl -g -i -X GET http://10.18.203.202:8776/v2/4c62a3fde1ba4ad3b03ddf8a986a5d88/volumes/be8010f1-b56b-4114-88b4-21a875449be4 -H "X-Service-Token: gAAAAABYcbHV_1XRxNDwB6TineJD4rn8wyREP3l6CXt8dEsyRzs_E7qERP3K-6Baj5JDm8FoSplzL3TqoCcrkEgpRoI4R-LMGQn-AX_5qcki0NbXYce3rPnHJHYvpyYit-8oxrwVKaxNSxANfa46_CpJu0VJgWpF10Wi77QYIQyv5SA1o63ogEc" -H "User-Agent: python-cinderclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}8cc9811dd8ca577f111e483ff46d071218d263bc" _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py:342

I'm not entirely sure if this is an issue in keystoneauth or cinderclient.

Steve Martinelli (stevemar) wrote:

Looks like we need to add X-Service-Token to the list of headers we hash:

  secure_headers = ('authorization', 'x-auth-token',
                    'x-subject-token',)

https://github.com/openstack/keystoneauth/blob/f345559a06c0128dcb7fede4b593487540da86ef/keystoneauth1/session.py#L289-L290

Changed in keystoneauth:
status: New → Triaged
importance: Undecided → Critical
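As an added illustration (not code from keystoneauth, python-keystoneclient or this bug thread), a simplified reimplementation of the header hashing that keystoneauth's session logging does, run once with the header tuple quoted above and once with x-service-token added, plus a check for a token appearing verbatim in the resulting log line. The function names, the example host and the token values are constructed for the example.

```python
import hashlib

# Header names keystoneauth hashed before the fix (the tuple quoted above).
SECURE_HEADERS_BEFORE = ('authorization', 'x-auth-token', 'x-subject-token')
# After the fix, X-Service-Token is hashed as well.
SECURE_HEADERS_AFTER = SECURE_HEADERS_BEFORE + ('x-service-token',)

def hash_token(value):
    """Log-safe stand-in for a secret: the {SHA1} tag plus the SHA1 hexdigest."""
    return '{SHA1}' + hashlib.sha1(value.encode('utf-8')).hexdigest()

def sanitize_headers(headers, secure_headers):
    """Copy of headers with every secure header's value replaced by its hash.

    Header names are matched case-insensitively, as HTTP header names are."""
    out = {}
    for name, value in headers.items():
        out[name] = hash_token(value) if name.lower() in secure_headers else value
    return out

def curl_log_line(method, url, headers, secure_headers):
    """Build a curl-style REQ line like the one keystoneauth logs at DEBUG."""
    parts = ['curl -g -i -X %s %s' % (method, url)]
    for name, value in sanitize_headers(headers, secure_headers).items():
        parts.append('-H "%s: %s"' % (name, value))
    return ' '.join(parts)

def leaked_secrets(log_line, secrets):
    """Secrets that appear verbatim in a log line; a simple log-review check."""
    return [s for s in secrets if s in log_line]

# Constructed sample request; the token values are placeholders, not credentials.
SAMPLE_HEADERS = {
    'X-Auth-Token': 'user-token-PLACEHOLDER',
    'X-Service-Token': 'service-token-PLACEHOLDER',
    'User-Agent': 'python-cinderclient',
    'Accept': 'application/json',
}
SECRETS = (SAMPLE_HEADERS['X-Auth-Token'], SAMPLE_HEADERS['X-Service-Token'])

if __name__ == '__main__':
    url = 'http://cinder.example:8776/v2/PROJECT_ID/volumes/VOLUME_ID'  # constructed
    for label, secure in (('before', SECURE_HEADERS_BEFORE), ('after', SECURE_HEADERS_AFTER)):
        line = curl_log_line('GET', url, SAMPLE_HEADERS, secure)
        print('%s fix: %s' % (label, line))
        print('  leaked verbatim: %s' % leaked_secrets(line, SECRETS))
```

With the pre-fix tuple the service token is printed in the clear while the user token is hashed, which is exactly the pattern in the log line quoted in the bug description.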
Steve Martinelli (stevemar) wrote:

The same fix could be applied to keystoneclient for folks running that session code: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L168-L169

Changed in python-keystoneclient:
status: New → Triaged
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/417765

Changed in keystoneauth:
assignee: nobody → Tin Lam (tl3438)
status: Triaged → In Progress
Changed in keystoneauth:
assignee: Tin Lam (tl3438) → Steve Martinelli (stevemar)
Changed in keystoneauth:
assignee: Steve Martinelli (stevemar) → Tin Lam (tl3438)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/417960

Changed in python-keystoneclient:
assignee: nobody → Tin Lam (tl3438)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/417960
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=56af8c90ecbb3cb5d29036151108b1e4e7a69bcc
Submitter: Jenkins
Branch: master

commit 56af8c90ecbb3cb5d29036151108b1e4e7a69bcc
Author: Tin Lam <email address hidden>
Date: Mon Jan 9 10:31:35 2017 -0600

    X-Service-Token should be hashed in the log

    Currently, logs display the hash values of X-Auth-Token,
    Authorization, and X-Subject-Token, but not the value of
    the X-Service-Token. This patch set adds the X-Service-Token
    to the list of header fields to be hashed for logging purposes.

    Change-Id: Iaa3a27f4b6c3baf964fa0c71328ffe9df43b2c0a
    Closes-Bug: #1654847

Changed in python-keystoneclient:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix proposed to python-keystoneclient (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/418079

OpenStack Infra (hudson-openstack) wrote: Fix proposed to python-keystoneclient (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/418081

OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystoneauth (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/418087

OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystoneauth (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/418088

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/417765
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=9d3ae3ef94545e784a0bbc578d9652baa653ab07
Submitter: Jenkins
Branch: master

commit 9d3ae3ef94545e784a0bbc578d9652baa653ab07
Author: Tin Lam <email address hidden>
Date: Mon Jan 9 01:07:06 2017 -0600

    X-Service-Token should be hashed in the log

    Currently, logs display the hash values of X-Auth-Token,
    Authorization, and X-Subject-Token, but not the value of
    the X-Service-Token. This patch set adds the X-Service-Token
    to the list of header fields to be hashed for logging purposes.

    Change-Id: I4d996a2631f61a2c9bbbc7f959e97c7279be023d
    Closes-Bug: #1654847

Changed in keystoneauth:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix merged to python-keystoneclient (stable/mitaka)

Reviewed: https://review.openstack.org/418081
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=398c8fb5160a05d4b28fb11147a9a295e11bcf31
Submitter: Jenkins
Branch: stable/mitaka

commit 398c8fb5160a05d4b28fb11147a9a295e11bcf31
Author: Tin Lam <email address hidden>
Date: Mon Jan 9 10:31:35 2017 -0600

    X-Service-Token should be hashed in the log

    Currently, logs display the hash values of X-Auth-Token,
    Authorization, and X-Subject-Token, but not the value of
    the X-Service-Token. This patch set adds the X-Service-Token
    to the list of header fields to be hashed for logging purposes.

    Change-Id: Iaa3a27f4b6c3baf964fa0c71328ffe9df43b2c0a
    Closes-Bug: #1654847
    (cherry picked from commit 56af8c90ecbb3cb5d29036151108b1e4e7a69bcc)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote: Fix merged to keystoneauth (stable/mitaka)

Reviewed: https://review.openstack.org/418088
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=938d31810d85328d47be575817cbe9eddb3aabe0
Submitter: Jenkins
Branch: stable/mitaka

commit 938d31810d85328d47be575817cbe9eddb3aabe0
Author: Tin Lam <email address hidden>
Date: Mon Jan 9 01:07:06 2017 -0600

    X-Service-Token should be hashed in the log

    Currently, logs display the hash values of X-Auth-Token,
    Authorization, and X-Subject-Token, but not the value of
    the X-Service-Token. This patch set adds the X-Service-Token
    to the list of header fields to be hashed for logging purposes.

    Change-Id: I4d996a2631f61a2c9bbbc7f959e97c7279be023d
    Closes-Bug: #1654847

OpenStack Infra (hudson-openstack) wrote: Fix merged to keystoneauth (stable/newton)

Reviewed: https://review.openstack.org/418087
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=2b70edeeb7d8808c2ddfee27fa7ddf962b58efb9
Submitter: Jenkins
Branch: stable/newton

commit 2b70edeeb7d8808c2ddfee27fa7ddf962b58efb9
Author: Tin Lam <email address hidden>
Date: Mon Jan 9 01:07:06 2017 -0600

    X-Service-Token should be hashed in the log

    Currently, logs display the hash values of X-Auth-Token,
    Authorization, and X-Subject-Token, but not the value of
    the X-Service-Token. This patch set adds the X-Service-Token
    to the list of header fields to be hashed for logging purposes.

    Change-Id: I4d996a2631f61a2c9bbbc7f959e97c7279be023d
    Closes-Bug: #1654847

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystoneauth 2.17.0

This issue was fixed in the openstack/keystoneauth 2.17.0 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/python-keystoneclient 3.9.0

This issue was fixed in the openstack/python-keystoneclient 3.9.0 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystoneauth 2.12.3

This issue was fixed in the openstack/keystoneauth 2.12.3 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/keystoneauth 2.4.3

This issue was fixed in the openstack/keystoneauth 2.4.3 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/python-keystoneclient 2.3.2

This issue was fixed in the openstack/python-keystoneclient 2.3.2 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/python-keystoneclient 3.5.1

This issue was fixed in the openstack/python-keystoneclient 3.5.1 release.
