Mistral

User sensitive info is not protected properly

Bug #1337268 reported by Anastasia Kuznetsova on 2014-07-03

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	Mistral	Confirmed	High	Unassigned

Bug Description

Now:

If user passes security sensitive information to a workflow it won't be protected properly: it wil may appear in Mistral logs, it won't be encoded before transferred over the network etc.

The goal:

We need a mechanism that allows to protect sensitive user data used by workflows.

Solution ideas:

* Client doesn't need to encode sensitive data before sending it to a server. It can use HTTPS.
* Create the special section "secret" in the workflow language to let Mistral know that this date must be protected
* Create a special data type, for example class "Secret", with string representation "******" so that if something is wrapped into it we'll never see it in logs in its initial form. All variables marked in "secret" should be internally wrapped by instance of "Secret".
* Store Secret instances in encoded form in DB, decode them when fetched from DB

Syntax ideas:

--------- Section "secret" under workflow ---------

[renat: Everybody liked this idea at the PTG]

version: "2.0"

wf:
  input:
    - username
  secret:
    - keyA

  tasks:
    taskA:
      action: my_action
      publish:
        keyA: <% task(taskA).result.foobar %>
      on-success:
        - taskB

    taskB:
      action: my_action2
      input:
        arg1: <% $.keyA %>

--------- Encrypt only part of the structure ---------

[michal: we need to encrypt only keyA, and not the whole headers section]

version: "2.0"

wf:
  input:
    - username
  secret:
    - keyA

  tasks:
    taskA:
      action: std.http
      input:
        url: some.url
        headers:
          accept: text
          authorization: keyA

--------- Wrapping sensitive data using a function ---------

  tasks:
    taskA:
      action: my_action username=<% ... %> password=<% secret(...) %>

--------- Using decorator to protect from logging etc. ---------

# In this example, the argument "password" will never be logged by Mistral
# in its initial form.

from mistral_lib.secret import secret

@secret(['password'])
class MyAction(Action):

def init(self, password):
# do something

See original description

Anastasia Kuznetsova (akuznetsova) on 2014-09-19

Changed in mistral:
status:	New → Confirmed
importance:	Undecided → Critical

Revision history for this message

Anastasia Kuznetsova (akuznetsova) wrote on 2014-09-19:

Passwords or any other security information that can be imported in context via CLI are showing in mistral log and mistral dashboard too.

Anastasia Kuznetsova (akuznetsova) on 2014-09-19

Changed in mistral:
importance:	Critical → High

Anastasia Kuznetsova (akuznetsova) on 2014-09-25

Changed in mistral:
milestone:	none → 0.2

Nikolay Makhotkin (nmakhotkin) on 2014-09-26

Changed in mistral:
milestone:	0.2 → 0.1.1

Renat Akhmerov (rakhmerov) on 2014-10-24

Changed in mistral:
milestone:	0.1.1 → 0.2

Sirisha Devineni (sirisha-devineni) on 2014-12-04

Changed in mistral:
assignee:	nobody → Sirisha Devineni (sirisha-devineni)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-12-08: Fix proposed to mistral (master)

Fix proposed to branch: master
Review: https://review.openstack.org/139936

Changed in mistral:
status:	Confirmed → In Progress

Renat Akhmerov (rakhmerov) on 2014-12-17

Changed in mistral:
milestone:	kilo-1 → kilo-2

Revision history for this message

Dmitri Zimine (i-dz) wrote on 2015-01-26: Re: Security issue: passwords are not hidden in logs

Renat said on the comment:
>>>
Honestly, what mask_password() method does doesn't seem 1) obvious because there's no clear documentation on it 2) reliable enough for all situations we may have. I also would like to see some testing for that (I think it's possible to do if we apply some mocking testing etc.)
Generally, I would suggest that we create a special utility class Password with string representation like "****". And whenever we need to get a real value we will call a method get_value() or something like that.
Thoughts?
>>>

The other use case for passwords is passing them as parameters via environment __env, or workflow parameters.
We may also want to mask them in the DB: else the task context will be inspected and passwords exposed via API.

Renat Akhmerov (rakhmerov) on 2015-02-06

Changed in mistral:
milestone:	kilo-2 → kilo-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-17: Change abandoned on mistral (master)

Change abandoned by Renat Akhmerov (<email address hidden>) on branch: master
Review: https://review.openstack.org/139936
Reason: Obsolete and almost impossible to rebase.

Renat Akhmerov (rakhmerov) on 2015-05-07

no longer affects:

mistral/kilo

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-07-30: Fix proposed to mistral (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207348

Changed in mistral:
status:	Confirmed → In Progress

Revision history for this message

Renat Akhmerov (rakhmerov) wrote on 2015-09-11: Re: Security issue: passwords are not hidden in logs

Here's my strong opinion about this ticket and some ideas of how we could address it.

* Any solutions based on guessing (any kinds of patterns etc.) what is secure information and what's not won't work out. Just because it's security and this is not a secure approach by definition.

Below are my ideas of how we could address it.

Client-side

An example of input data that we provide to Mistral in JSON format:
{
"secure_key^&": {
"key1": { "_secured": 1 },
"key2": 2,
"key3: 3
}
}

So whenever we need to make something secure we just wrap a corresponding value with {"_secure": value} (we can use a different marker if needed). So the client knows that it needs to be passed to the server as a secure piece of information.

Server-side:

* We create a special data type (class SecuredData or Password) that has a string representation "*****"
* JSON SQLAlchemy type must account for this class and encode/decode info behind this class instances so that we don't keep passwords and other secure things in their original form in DB
* Every time we request a info via API we give only its string representation which is "*****"
* Every time in the server when we need to get a real value (to pass it to executor etc.) we extract a real value (i.e. using get_value() method)

Renat Akhmerov (rakhmerov) on 2015-09-14

summary:

- Security issue: passwords are not hidden in logs
+ Security issue: user secure info is not protected properly (logs, API,
+ DB)

Renat Akhmerov (rakhmerov) on 2015-09-16

no longer affects:	mistral/liberty
Changed in mistral:
importance:	Critical → Undecided
milestone:	liberty-rc1 → none
assignee:	Lingxian Kong (kong) → nobody

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-11-18: Change abandoned on mistral (master)

Change abandoned by Lingxian Kong (<email address hidden>) on branch: master
Review: https://review.openstack.org/207348
Reason: Should find a generic way to fix the security problem, need more discussion with mistral team.

Renat Akhmerov (rakhmerov) on 2016-05-05

no longer affects:

mistral/mitaka

Revision history for this message

Renat Akhmerov (rakhmerov) wrote on 2017-02-14: Re: Security issue: user secure info is not protected properly (logs, API, DB)

We can work with the ossp (openstack security project) to get a ossn security note, such as https://wiki.openstack.org/wiki/OSSN/OSSN-0052

Changed in mistral:
status:	New → Confirmed
importance:	Undecided → High
milestone:	none → pike-1

Revision history for this message

Renat Akhmerov (rakhmerov) wrote on 2017-02-14:

this is the nova attempt at fixing a similar issue: https://review.openstack.org/#/c/220622

Revision history for this message

Summer Long (slong-g) wrote on 2017-02-20:

#10

Heat's patch for the same issue (at debug level): https://bugs.launchpad.net/heat/+bug/1664792

Renat Akhmerov (rakhmerov) on 2017-03-09

description:	updated
summary:	- Security issue: user secure info is not protected properly (logs, API, - DB) + User sensitive info is not protected properly

Renat Akhmerov (rakhmerov) on 2017-03-09

description:

updated

Renat Akhmerov (rakhmerov) on 2017-03-09

description:

updated

Renat Akhmerov (rakhmerov) on 2017-04-13

Changed in mistral:
milestone:	pike-1 → pike-2

Dougal Matthews (d0ugal) on 2017-04-18

Changed in mistral:
assignee:	nobody → Brad P. Crochet (brad-9)

Renat Akhmerov (rakhmerov) on 2017-06-08

Changed in mistral:
milestone:	pike-2 → pike-3

Renat Akhmerov (rakhmerov) on 2017-07-27

Changed in mistral:
milestone:	pike-3 → queens-1

Brad P. Crochet (brad-9) on 2017-08-23

Changed in mistral:
assignee:	Brad P. Crochet (brad-9) → nobody

Renat Akhmerov (rakhmerov) on 2017-11-16

Changed in mistral:
milestone:	queens-1 → queens-3

Renat Akhmerov (rakhmerov) on 2018-01-30

Changed in mistral:
milestone:	queens-3 → rocky-2

Dougal Matthews (d0ugal) on 2018-06-07

Changed in mistral:
milestone:	rocky-2 → none

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1664470

You are

Subscribing...

Edit bug mail

Other bug subscribers

Related blueprints

Securing Sensitive Data

Remote bug watches

Bug watches keep track of this bug in other bug trackers.