I went ahead and filed a bug, and I have 2 fixes posted up already that
mirror's how nova fixed this issue in the libvirt volume driver for iSCSI.
https://bugs.launchpad.net/os-brick/+bug/1445137
Walt
On 04/16/2015 05:54 AM, Yogesh Prasad wrote:
Hi,
I am wondering why screen-c-vol.log is displaying the CHAP secret.
Logs:
2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
[req-23c699df-7b21-48d2-ba14-d8ed06642050
ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - -
-] CMD "sudo cinder-rootwrap /etc/cinder/rootwrap.conf iscsiadm -m
node -T iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
192.10.44.48:3260 <http://192.10.44.48:3260> --op update
-n*node.session.auth.password -v ***" returned:* 0 in 0.088s execute
/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
Above log hides the secret.
2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
[req-23c699df-7b21-48d2-ba14-d8ed06642050
ce8dccba9ccf48fb956060b3e54187a2 4ad219788df049e0b131e17f603d5faa - -
-] *iscsiadm ('--op', 'update', '-n', 'node.session.auth.password',
'-v', u'fakeauthgroupchapsecret')*: stdout= stderr= _run_iscsiadm
/opt/stack/cinder/cinder/brick/initiator/connector.py:455
However, this one does not hide the secret.
In addition, i find that the CHAP credentials are stored as plain
string the database table (volumes).
I guess these are security risks in the current implementation. Any
comments ?
Regards,
Yogesh
/CloudByte Inc./ <http://www.cloudbyte.com/>
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
