heat CLI is passing raw username and password for stack-create stack-update and stack-preview

Bug #1408530 reported by Jamie Lennox
Affects: python-heatclient   Status: Triaged   Importance: High   Assigned to: Unassigned   Milestone: (none)

Bug Description

When using the CLI or the heatclient directly, for every call to stack.create, stack.preview or stack.update the username and password are transmitted in plaintext to heat as the X-Auth-User and X-Auth-Key headers.

This would seem like a hangover from before trusts were available, when heat wanted to authenticate as the current user.

This behaviour ignores the --include-password CLI flag.

Tags: security
Angus Salkeld (asalkeld)
Changed in python-heatclient:
status: New → Triaged
importance: Undecided → High
Jamie Lennox (jamielennox) wrote:

I think this will fix it and pass tests. I am having trouble running the local gate at the moment, so I haven't done a full integration test.

Steve Baker (steve-stevebaker) wrote:

Using trusts for deferred operations is optionally configured by the cloud operator, so there will still be a requirement to sometimes send credentials. Also credentials always need to be sent when --os-no-client-auth is specified.

The method credentials_headers() should do the right thing, adding the credentials or not based on what flags are passed; if a change is needed, then the patch should modify this method.

I'm not sure this would be a security bug if an SSL endpoint is assumed. Passing tokens on a non-encrypted endpoint would also be considered dangerous.

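As an added illustration of the bug description and of Steve Baker's comment above (this is example code, not python-heatclient's own code): the first function reproduces the reported behaviour, sending X-Auth-User and X-Auth-Key on every request; the second adds those headers only when --include-password is given or when --os-no-client-auth means heat has no other way to authenticate the caller; the third encodes the point that a password or a token on a non-TLS endpoint is a disclosure either way. The ClientArgs fields, the helper names and the endpoint URLs are assumptions made for this example; only the header names and CLI flags come from the report.

```python
"""Illustrative credential-header logic for the heatclient bug on this page.

Added example, not code from python-heatclient.  The header names
(X-Auth-User, X-Auth-Key) and the CLI flags (--include-password,
--os-no-client-auth) are taken from the bug report; everything else is an
assumption made to keep the example self-contained.
"""
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlsplit


@dataclass
class ClientArgs:
    """Modelled subset of heat CLI options (not the real argument parser)."""
    username: str
    password: str
    include_pass: bool = False      # --include-password
    no_client_auth: bool = False    # --os-no-client-auth


def buggy_credentials_headers(args: ClientArgs) -> Dict[str, str]:
    """Reproduces the reported behaviour: the raw password goes out every time,
    whatever flags were passed."""
    return {"X-Auth-User": args.username, "X-Auth-Key": args.password}


def credentials_headers(args: ClientArgs) -> Dict[str, str]:
    """Hardened variant: raw credentials only when a flag actually asks for them.

    --os-no-client-auth: the client holds no token, so the password is the
    only credential heat can use and must be present.
    --include-password: the operator has not configured trusts for deferred
    operations and the caller opted in to forwarding the password.
    Otherwise the request carries no username/password at all.
    """
    if args.no_client_auth and not (args.username and args.password):
        raise ValueError("--os-no-client-auth requires a username and password")
    headers: Dict[str, str] = {}
    if args.no_client_auth or args.include_pass:
        headers["X-Auth-User"] = args.username
        headers["X-Auth-Key"] = args.password
    return headers


# Headers whose disclosure hands an attacker a usable credential.
SENSITIVE_HEADERS = frozenset({"X-Auth-Key", "X-Auth-Token"})


def check_transport(endpoint: str, headers: Dict[str, str]) -> bool:
    """Return True only if it is safe to send these headers to this endpoint:
    TLS is always fine; plaintext http is fine only if no sensitive header
    (password or token) is present."""
    if urlsplit(endpoint).scheme.lower() == "https":
        return True
    return SENSITIVE_HEADERS.isdisjoint(headers)


if __name__ == "__main__":
    # Constructed sample input for a quick demonstration.
    args = ClientArgs(username="demo", password="s3cret")
    print("buggy   :", buggy_credentials_headers(args))
    print("fixed   :", credentials_headers(args))
    print("opt-in  :", credentials_headers(ClientArgs("demo", "s3cret", include_pass=True)))
    print("http ok :", check_transport("http://heat.example:8004/v1", credentials_headers(args)))
```

Run it as a script to see the two header sets side by side; the useful regression check is that credentials_headers() returns an empty dict for a default ClientArgs, which is exactly the case the report says the CLI got wrong.
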
Jamie Lennox (jamielennox) wrote:

I understand that our tokens are also private; they are somewhat better than transmitting username and password all the time.

I'm OK if you want to mark this public; I just thought I should report it privately.

Jeremy Stanley (fungi)
information type: Private Security → Public
tags: added: security