[openstack-dev] [cinder] CHAP secret is visible in cinder volume log
Hi,
I am wondering why screen-c-vol.log is displaying the CHAP secret.
Logs:
2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
[req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] CMD sudo cinder-rootwrap
/etc/cinder/rootwrap.conf iscsiadm -m node -T
iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
192.10.44.48:3260 --op update -n* node.session.auth.password -v ***
returned:* 0 in 0.088s execute
/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
Above log hides the secret.
2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
[req-23c699df-7b21-48d2-ba14-d8ed06642050 ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update', '-n',
'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*: stdout=
stderr= _run_iscsiadm
/opt/stack/cinder/cinder/brick/initiator/connector.py:455
However, this one does not hide the secret.
In addition, i find that the CHAP credentials are stored as plain string
the database table (volumes).
I guess these are security risks in the current implementation. Any
comments ?
Regards,
Yogesh
*CloudByte Inc.* http://www.cloudbyte.com/
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder] CHAP secret is visible in cinder volume log
Hi All,
Thanks for your comments, due to time zone difference i was not able to
interact.
Regards,
Yogesh
*CloudByte Inc.* http://www.cloudbyte.com/
On Thu, Apr 16, 2015 at 11:19 PM, Mike Perez thin...@gmail.com wrote:
On 09:41 Apr 16, Mike Perez wrote:
On 18:24 Apr 16, Yogesh Prasad wrote:
Hi,
I am wondering why screen-c-vol.log is displaying the CHAP secret.
Logs:
2015-04-16 16:04:23.288 7306 DEBUG oslo_concurrency.processutils
[req-23c699df-7b21-48d2-ba14-d8ed06642050
ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] CMD sudo cinder-rootwrap
/etc/cinder/rootwrap.conf iscsiadm -m node -T
iqn.2015-04.acc1.tsm1:acc171fe6fc15fcc4bd4a841594b7876e3df -p
192.10.44.48:3260 --op update -n* node.session.auth.password -v ***
returned:* 0 in 0.088s execute
/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:225
Above log hides the secret.
2015-04-16 16:04:23.290 7306 DEBUG cinder.brick.initiator.connector
[req-23c699df-7b21-48d2-ba14-d8ed06642050
ce8dccba9ccf48fb956060b3e54187a2
4ad219788df049e0b131e17f603d5faa - - -] *iscsiadm ('--op', 'update',
'-n',
'node.session.auth.password', '-v', u'fakeauthgroupchapsecret')*:
stdout=
stderr= _run_iscsiadm
/opt/stack/cinder/cinder/brick/initiator/connector.py:455
However, this one does not hide the secret.
This is is specifically happening in oslo_concurrency lib. We could add
'v' to
the sanitize_keys in oslo_utils.strutils, but that seems a bit weird. I'm
waiting for someone to get back to me #openstack-oslo on how to best
deal with
this.
Duh thanks Walt.
https://review.openstack.org/174484
https://review.openstack.org/174485
--
Mike Perez
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [devstack] [IceHouse] Install prettytable=0.7 to satisfy pip 6/PEP 440
Hi Stackers, I observe that this commit is present in master branch. commit 6ec66bb3d1354062ec70be972dba990e886084d5 Install prettytable=0.7 to satisfy pip 6/PEP 440 ... However, I am facing the issues due to PEP 440 in devstack's stable/icehouse branch. Is devstack icehouse still maintained ? In other words will these fixes get into icehouse branch ? Regards, Yogesh *CloudByte Inc.* http://www.cloudbyte.com/ ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [cinder] volume creation faild.
Hi All,
I have a devstack setup , and i am trying to create a volume but it is
creating with error status.
Can any one tell me what is the problem?
Screen logs --
.py:297
2014-06-26 17:37:04.370 DEBUG keystone.notifications [-] CADF Event:
{'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator':
{'typeURI': 'service/security/account/user', 'host': {'agent':
'python-keystoneclient', 'address': '20.10.22.245'}, 'id':
'openstack:d58d5688-f604-4362-9069-8cb217c029c8', 'name':
u'6fcd84d16da646dc825411da06bf26b2'}, 'target': {'typeURI':
'service/security/account/user', 'id':
'openstack:85ef43dd-b0ab-4726-898e-36107b06a231'}, 'observer': {'typeURI':
'service/security', 'id':
'openstack:120866e8-51b9-4338-b41b-2dbea3aa4f17'}, 'eventType': 'activity',
'eventTime': '2014-06-26T12:07:04.368547+', 'action': 'authenticate',
'outcome': 'success', 'id':
'openstack:dda01da7-1274-4b4f-8ff5-1dcdb6d80ff4'} from (pid=7033)
_send_audit_notification /opt/stack/keystone/keystone/notifications.py:297
2014-06-26 17:37:04.902 INFO eventlet.wsgi.server [-] 20.10.22.245 - -
[26/Jun/2014 17:37:04] POST /v2.0//tokens HTTP/1.1 200 6913 0.771471
2014-06-26 17:37:04.992 DEBUG keystone.middleware.core [-] RBAC:
auth_context: {'is_delegated_auth': False, 'user_id':
u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'],
'trustee_id': None, 'trustor_id': None, 'project_id':
u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033)
process_request /opt/stack/keystone/keystone/middleware/core.py:286
2014-06-26 17:37:05.009 DEBUG keystone.common.wsgi [-] arg_dict: {} from
(pid=7033) __call__ /opt/stack/keystone/keystone/common/wsgi.py:181
2014-06-26 17:37:05.023 DEBUG keystone.common.controller [-] RBAC:
Authorizing identity:revocation_list() from (pid=7033)
_build_policy_check_credentials
/opt/stack/keystone/keystone/common/controller.py:54
2014-06-26 17:37:05.027 DEBUG keystone.common.controller [-] RBAC: using
auth context from the request environment from (pid=7033)
_build_policy_check_credentials
/opt/stack/keystone/keystone/common/controller.py:59
2014-06-26 17:37:05.033 DEBUG keystone.policy.backends.rules [-] enforce
identity:revocation_list: {'is_delegated_auth': False, 'user_id':
u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'],
'trustee_id': None, 'trustor_id': None, 'project_id':
u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033)
enforce /opt/stack/keystone/keystone/policy/backends/rules.py:101
2014-06-26 17:37:05.040 DEBUG keystone.openstack.common.policy [-] Rule
identity:revocation_list will be now enforced from (pid=7033) enforce
/opt/stack/keystone/keystone/openstack/common/policy.py:288
2014-06-26 17:37:05.043 DEBUG keystone.common.controller [-] RBAC:
Authorization granted from (pid=7033) inner
/opt/stack/keystone/keystone/common/controller.py:151
2014-06-26 17:37:05.228 INFO eventlet.wsgi.server [-] 20.10.22.245 - -
[26/Jun/2014 17:37:05] GET /v2.0/tokens/revoked HTTP/1.1 200 815 0.277525
--
*Thanks Regards*,
Yogesh Prasad.
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder] volume creation failed.
Hi,
I have a devstack setup.
Please tell me, how i can create separate log file for each type of logs.
like cinder-api, cinder-scheduler and cinder-volume logs.
On Thu, Jun 26, 2014 at 5:49 PM, Duncan Thomas duncan.tho...@gmail.com
wrote:
I'm afraid that isn't the log we need to diagnose your problem. Can
you put cinder-api, cinder-scheduler and cinder-volume logs up please?
On 26 June 2014 13:12, Yogesh Prasad yogesh.pra...@cloudbyte.com wrote:
Hi All,
I have a devstack setup , and i am trying to create a volume but it is
creating with error status.
Can any one tell me what is the problem?
Screen logs --
.py:297
2014-06-26 17:37:04.370 DEBUG keystone.notifications [-] CADF Event:
{'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
'initiator':
{'typeURI': 'service/security/account/user', 'host': {'agent':
'python-keystoneclient', 'address': '20.10.22.245'}, 'id':
'openstack:d58d5688-f604-4362-9069-8cb217c029c8', 'name':
u'6fcd84d16da646dc825411da06bf26b2'}, 'target': {'typeURI':
'service/security/account/user', 'id':
'openstack:85ef43dd-b0ab-4726-898e-36107b06a231'}, 'observer':
{'typeURI':
'service/security', 'id':
'openstack:120866e8-51b9-4338-b41b-2dbea3aa4f17'},
'eventType': 'activity', 'eventTime': '2014-06-26T12:07:04.368547+',
'action': 'authenticate', 'outcome': 'success', 'id':
'openstack:dda01da7-1274-4b4f-8ff5-1dcdb6d80ff4'} from (pid=7033)
_send_audit_notification
/opt/stack/keystone/keystone/notifications.py:297
2014-06-26 17:37:04.902 INFO eventlet.wsgi.server [-] 20.10.22.245 - -
[26/Jun/2014 17:37:04] POST /v2.0//tokens HTTP/1.1 200 6913 0.771471
2014-06-26 17:37:04.992 DEBUG keystone.middleware.core [-] RBAC:
auth_context: {'is_delegated_auth': False, 'user_id':
u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'],
'trustee_id': None, 'trustor_id': None, 'project_id':
u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033)
process_request /opt/stack/keystone/keystone/middleware/core.py:286
2014-06-26 17:37:05.009 DEBUG keystone.common.wsgi [-] arg_dict: {} from
(pid=7033) __call__ /opt/stack/keystone/keystone/common/wsgi.py:181
2014-06-26 17:37:05.023 DEBUG keystone.common.controller [-] RBAC:
Authorizing identity:revocation_list() from (pid=7033)
_build_policy_check_credentials
/opt/stack/keystone/keystone/common/controller.py:54
2014-06-26 17:37:05.027 DEBUG keystone.common.controller [-] RBAC: using
auth context from the request environment from (pid=7033)
_build_policy_check_credentials
/opt/stack/keystone/keystone/common/controller.py:59
2014-06-26 17:37:05.033 DEBUG keystone.policy.backends.rules [-] enforce
identity:revocation_list: {'is_delegated_auth': False, 'user_id':
u'27353284443e43278600949a1467c65f', 'roles': [u'admin', u'_member_'],
'trustee_id': None, 'trustor_id': None, 'project_id':
u'e19957e0d69c4bfc9a9f872a2fcee1a3', 'trust_id': None} from (pid=7033)
enforce /opt/stack/keystone/keystone/policy/backends/rules.py:101
2014-06-26 17:37:05.040 DEBUG keystone.openstack.common.policy [-] Rule
identity:revocation_list will be now enforced from (pid=7033) enforce
/opt/stack/keystone/keystone/openstack/common/policy.py:288
2014-06-26 17:37:05.043 DEBUG keystone.common.controller [-] RBAC:
Authorization granted from (pid=7033) inner
/opt/stack/keystone/keystone/common/controller.py:151
2014-06-26 17:37:05.228 INFO eventlet.wsgi.server [-] 20.10.22.245 - -
[26/Jun/2014 17:37:05] GET /v2.0/tokens/revoked HTTP/1.1 200 815
0.277525
--
Thanks Regards,
Yogesh Prasad.
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Duncan Thomas
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
*Thanks Regards*,
Yogesh Prasad.
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [cinder][volume/manager.py] volume driver mapping
Hi All, I am observing a bit difference in manager.py file between these branches stable/icehouse and master. In stable/icehouse various driver mapped in manager.py but it is not in master. Please guide me, where i have to map my driver. *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [cinder] set default cinder driver
Hi All, I have devstack setup and i want to put my cinder driver as a default driver. How i can do this? please guide. -- *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder] set default cinder driver
Hi Lvan, Thanks for reply, but i am still facing same problem. I have tried all of these - 1) Inside /etc/cinder/cinder.conf [DEFAULT] volume_driver=cinder.volume.drivers.cloudbyte.ElasticenterISCSIDriver and ran below script ./rejoin-stack.sh 2) Inside /devstack/local.conf [[post-config|$CINDER_CONF]] volume_driver = cinder.volume.cloudbyte.ElasticenterISCSIDriver and ran below script ./rejoin-stack.sh 3) Inside /devstack/local.conf [[local|localrc]] CINDER_DRIVER=cinder.volume.drivers.cloudbyte.ElasticenterISCSIDriver and ran below script ./rejoin-stack.sh 4) Inside /devstack/local.conf volume_driver = cinder.volume.drivers.cloudbyte.ElasticenterISCSIDriver and ran below script ./rejoin-stack.sh But it is not working. In addition, what is the py file that reads localrc ? On Mon, Jun 23, 2014 at 2:14 PM, Ivan Kolodyazhny e...@e0ne.info wrote: Hi Yogesh, You need to set CINDER_DRIVER variable in your localrc file Regards, Ivan Kolodyazhny, Software Engineer, Mirantis, Inc. On Mon, Jun 23, 2014 at 10:38 AM, Yogesh Prasad yogesh.pra...@cloudbyte.com wrote: Hi All, I have devstack setup and i want to put my cinder driver as a default driver. How i can do this? please guide. -- *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [all] Juno setup
Hi All I want to create a juno setup. Please guide me through any links or processes that needs to be followed to have this setup. *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [cinder] Minimum Driver Features for juno
Hi All, Please tell me what are the minimum Driver Features for juno release. -- *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Unit-test] Cinder Driver
Hi All, I have developed a cinder driver. Can you please share the steps to create an unit test environment and how to run unit test? *Thanks Regards*, Yogesh Prasad. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
