[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2016-01-03 Thread Stanislaw Pitucha
For Bandit I'm marking "Won't fix":
Offending code is:

LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
    'action': action,
    'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

There's no indication of what the kwargs are, so without a runtime
integration (tainting) or symbolic execution this is not realistic to
pick up. At the call sites the kwargs are not a literal dict, but rather
values from up the call chain, so not easy to analyse.

It would be great to pick this up, but it's way out of reach for the
engine currently or in reasonable future.

** Changed in: bandit
   Status: New => Won't Fix

** Changed in: bandit
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465922

Title:
  Password visible in clear text in keystone.log when user created and
  keystone debug logging is enabled

Status in Bandit:
  Won't Fix
Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) juno series:
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  grep CLEARTEXTPASSWORD keystone.log

  2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-]
  RBAC: Authorizing identity:create_user(user={u'domain_id': u'default',
  u'password': u'CLEARTEXTPASSWORD', u'enabled': True,
  u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name':
  u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-
  packages/keystone/common/controller.py:57

  Issue code:
  https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

  LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
      'action': action,
      'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

  Shadowing the values of sensitive fields like 'password' with some
  meaningless garbled text like "X" is one way to fix it.

  Well, in addition to this, I think we should never pass the 'password'
  with its original value along the code or save it in any persistence;
  instead we should convert it to a strong hash value as early as
  possible. With the help of a good hash system, we never need the
  original value of the password, right?

To manage notifications about this bug go to:
https://bugs.launchpad.net/bandit/+bug/1465922/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
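The Bandit comment above explains why a static check cannot see that `kwargs` carries a password: the values arrive from further up the call chain, so the redaction has to happen at runtime, before the values reach the log formatter. The following is an added example of that runtime fix, not keystone's or Bandit's own code; `SENSITIVE_KEYS`, `MASK` and `MAX_DEPTH` are this example's own choices, and the request body in `__main__` is a constructed sample modelled on the one in the report.

```python
"""Redact sensitive fields from RBAC debug logging.

Added example, not keystone's or Bandit's code. The debug line quoted in
the bug interpolates the raw kwargs into the message; this version masks
known-sensitive keys (recursively, because the password sits inside the
nested 'user' dict) before anything is formatted. SENSITIVE_KEYS and MASK
are choices made for this example, not a list taken from keystone.
"""
import logging

LOG = logging.getLogger(__name__)

SENSITIVE_KEYS = frozenset({'password', 'token', 'auth_token', 'secret'})
MASK = '***'
MAX_DEPTH = 8  # stop recursing into pathologically nested input


def mask_sensitive(value, depth=0):
    """Return a copy of value with sensitive fields replaced by MASK.

    Dicts are walked key by key (case-insensitive match on the key name),
    lists and tuples element by element; anything else is returned as-is.
    """
    if depth > MAX_DEPTH:
        return MASK
    if isinstance(value, dict):
        return {
            k: MASK if str(k).lower() in SENSITIVE_KEYS
            else mask_sensitive(v, depth + 1)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v, depth + 1) for v in value)
    return value


def format_rbac_kwargs(kwargs):
    """Render kwargs the way the original debug line did, but masked first.

    Keys are sorted so the rendered text is stable across dict orderings.
    """
    masked = mask_sensitive(kwargs)
    return ', '.join('%s=%r' % (k, masked[k]) for k in sorted(masked))


def log_authorize(action, **kwargs):
    """Hardened replacement for the LOG.debug call quoted in the bug.

    Returns the rendered kwargs string so callers (and tests) can check
    that no secret survived masking.
    """
    rendered = format_rbac_kwargs(kwargs)
    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)',
              {'action': action, 'kwargs': rendered})
    return rendered


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)
    # Constructed request body modelled on the one in the bug report.
    log_authorize('identity:create_user',
                  user={'domain_id': 'default',
                        'password': 'CLEARTEXTPASSWORD',
                        'enabled': True, 'name': 'DermotJ'})
```

Running the module logs `RBAC: Authorizing identity:create_user(user={'domain_id': 'default', 'password': '***', 'enabled': True, 'name': 'DermotJ'})`. Masking by key name is deliberately conservative: a key list is easy to audit and extend, whereas trying to recognise secrets by their values is exactly the taint problem the Bandit comment says is out of reach.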


[Yahoo-eng-team] [Bug 1258166] [NEW] N310 check recommends function that doesn't exist

2013-12-05 Thread Stanislaw Pitucha
Public bug reported:

Check N310 can return "N310  timeutils.now() must be used instead of
datetime.now()", but timeutils.now() does not exist. Only utcnow() does.

** Affects: nova
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1258166

Title:
  N310 check recommends function that doesn't exist

Status in OpenStack Compute (Nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1258166/+subscriptions



[Yahoo-eng-team] [Bug 1257405] [NEW] Not checking image format produces lots of useless messages

2013-12-03 Thread Stanislaw Pitucha
Public bug reported:

The code for resizing partitionless images goes with the "tell, don't
ask" idea and attempts to run extfs / mount utilities on an image even
though they may fail. This produces lots of useless messages during the
instance preparation, like these:

2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Failed to mount filesystem: Unexpected error while running command.
Command: sudo nova-rootwrap /etc/nova/rootwrap.conf mount /dev/nbd8 /tmp/openstack-vfs-localfsSz6ylg
Exit code: 32
Stdout: ''
Stderr: 'mount: you must specify the filesystem type\n' mnt_dev /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/api.py:198
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Fail to mount, tearing back down do_mount /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/api.py:219
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Unmap dev /dev/nbd8 unmap_dev /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/api.py:184
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.nbd [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Release nbd device /dev/nbd8 unget_dev /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/nbd.py:128
2013-11-21 06:45:07 20902 DEBUG nova.openstack.common.processutils [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf qemu-nbd -d /dev/nbd8 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:147
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.vfs.localfs [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Failed to mount image Failed to mount filesystem: Unexpected error while running command.
Command: sudo nova-rootwrap /etc/nova/rootwrap.conf mount /dev/nbd8 /tmp/openstack-vfs-localfsSz6ylg
Exit code: 32
Stdout: ''
Stderr: 'mount: you must specify the filesystem type\n') setup /usr/lib/python2.7/dist-packages/nova/virt/disk/vfs/localfs.py:83
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Unable to mount image /var/lib/nova/instances/5159cff0-91f6-4521-a0be-d74ce4f81fad/disk with error Failed to mount filesystem: Unexpected error while running command.
Command: sudo nova-rootwrap /etc/nova/rootwrap.conf mount /dev/nbd8 /tmp/openstack-vfs-localfsSz6ylg
Exit code: 32
Stdout: ''
Stderr: 'mount: you must specify the filesystem type\n'. Cannot resize. is_image_partitionless /usr/lib/python2.7/dist-packages/nova/virt/disk/api.py:191

This could be fixed by doing a simple check on the image itself to pick
up the magic signature. This would allow skipping e2resize on non-extfs
files and simply mounting partitioned images, without the error
messages.

** Affects: nova
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1257405

Title:
  Not checking image format produces lots of useless messages

Status in OpenStack Compute (Nova):
  New

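The report above proposes checking the image's magic signature instead of attempting a mount and letting it fail. The following is an added example of such a probe, not nova's code: it reads the documented on-disk magic values (ext superblock, MBR signature and partition table, qcow2 header) from the first 2 KiB of a raw image and classifies it before any privileged mount or resize tooling is invoked. The `make_*_image` helpers build constructed sample images for testing; the offsets are from the public on-disk formats, and the `PROBE_LEN` limit is this example's choice.

```python
"""Cheap format probe for raw disk images before mount/resize.

Added example, not nova's code. It reads documented on-disk magic values
instead of attempting a mount and catching the failure:
  * ext2/3/4: superblock at byte 1024, little-endian 0xEF53 at offset 0x38
    inside it (absolute offset 0x438);
  * MBR: 0x55AA at bytes 510-511, four 16-byte partition entries at byte 446;
  * qcow2: 'QFI\\xfb' at byte 0 (a container, not something to mount raw).
Only the first PROBE_LEN bytes are inspected; a GPT disk is reported as
'partitioned' through its protective MBR entry.
"""
import struct

EXT_SUPERBLOCK_OFFSET = 1024
EXT_MAGIC_OFFSET = 0x38
EXT_MAGIC = 0xEF53
MBR_PART_TABLE_OFFSET = 446
MBR_SIGNATURE_OFFSET = 510
MBR_SIGNATURE = b'\x55\xaa'
QCOW2_MAGIC = b'QFI\xfb'
PROBE_LEN = 2048  # this example's choice: enough to cover the ext superblock


def probe_image(data):
    """Classify image bytes as 'qcow2', 'ext', 'partitioned' or 'unknown'."""
    if data[:4] == QCOW2_MAGIC:
        return 'qcow2'
    ext_magic_at = EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET
    if len(data) >= ext_magic_at + 2:
        (magic,) = struct.unpack_from('<H', data, ext_magic_at)
        if magic == EXT_MAGIC:
            # Partitionless ext filesystem: the only case where running
            # e2fsck/resize2fs directly on the image makes sense.
            return 'ext'
    if (len(data) >= MBR_SIGNATURE_OFFSET + 2
            and data[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 2] == MBR_SIGNATURE):
        # 0x55AA alone is weak evidence (FAT/NTFS boot sectors end with it too),
        # so also require at least one partition entry with a non-zero type byte.
        for i in range(4):
            entry_off = MBR_PART_TABLE_OFFSET + 16 * i
            if data[entry_off + 4] != 0:
                return 'partitioned'
    return 'unknown'


def probe_image_file(path):
    """Probe an on-disk image, reading only the first PROBE_LEN bytes."""
    with open(path, 'rb') as f:
        return probe_image(f.read(PROBE_LEN))


def make_ext_image(size=4096):
    """Constructed sample: zeroed image with only the ext superblock magic set."""
    buf = bytearray(size)
    struct.pack_into('<H', buf, EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, EXT_MAGIC)
    return bytes(buf)


def make_mbr_image(size=4096, part_type=0x83):
    """Constructed sample: MBR with one bootable Linux partition at LBA 2048.

    Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes),
    LBA start, sector count.
    """
    buf = bytearray(size)
    struct.pack_into('<B3sB3sII', buf, MBR_PART_TABLE_OFFSET,
                     0x80, b'\0\0\0', part_type, b'\0\0\0', 2048, 2048)
    buf[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 2] = MBR_SIGNATURE
    return bytes(buf)


if __name__ == '__main__':
    for name, img in (('ext', make_ext_image()),
                      ('mbr', make_mbr_image()),
                      ('zeros', bytes(4096))):
        print(name, '->', probe_image(img))
```

In the resize path, only an `'ext'` result would go on to `e2fsck`/`resize2fs`; `'partitioned'` images would be mounted via their partition table, and `'unknown'` or `'qcow2'` would be skipped with a single informative message rather than the seven-record failure trace quoted in the report. The check is also a small hardening step: fewer privileged `rootwrap` invocations are made against image content whose format has not been established.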