[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled
For Bandit I'm marking "Won't fix": Offending code is:

    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

There's no indication of what the kwargs are, so without a runtime integration (tainting) or symbolic execution this is not realistic to pick up. At the call sites the kwargs are not a literal dict, but rather values from up the call chain, so not easy to analyse. It would be great to pick this up, but it's way out of reach for the engine currently or in reasonable future.

** Changed in: bandit
   Status: New => Won't Fix

** Changed in: bandit
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465922

Title:
  Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

Status in Bandit: Won't Fix
Status in OpenStack Identity (keystone): Fix Released
Status in OpenStack Identity (keystone) juno series: Fix Released
Status in OpenStack Identity (keystone) kilo series: Fix Released
Status in OpenStack Security Advisory: Won't Fix

Bug description:
  grep CLEARTEXTPASSWORD keystone.log

  2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:57

  Issue code:
  https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

      LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
          'action': action,
          'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

  Shadowing the values of sensitive fields like 'password' with some meaningless garbled text like "X" is one way to fix it. Well, in addition to this, I think we should never pass the 'password' with its original value along the code and save it in any persistence; instead we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never need the original value of the password, right?

To manage notifications about this bug go to:
https://bugs.launchpad.net/bandit/+bug/1465922/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
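The masking the reporter proposes, written out as an added example that is not keystone's own code: the kwargs formatter quoted in the bug sits next to a variant that masks sensitive keys recursively (the logged value is a nested user={...} dict) before the string is built. The set of masked key names and the logger name are assumptions.

```python
import logging

LOG = logging.getLogger("keystone.common.controller")

# Assumed key names to mask; the bug report itself only shows 'password'.
SENSITIVE_KEYS = frozenset({"password", "secret", "token", "auth_token"})
MASK = "***"


def mask_sensitive(value):
    """Return a copy of value with sensitive dict values replaced by MASK.
    Recurses into nested dicts and lists, so the user={..., 'password': ...}
    shape seen in the keystone log line is covered; the input is not mutated."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else mask_sensitive(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v) for v in value)
    return value


def format_kwargs_unsafe(kwargs):
    """The formatting from the bug report: every value is logged verbatim."""
    return ", ".join("%s=%s" % (k, kwargs[k]) for k in kwargs)


def format_kwargs_safe(kwargs):
    """Hardened variant: mask before formatting so secrets never reach the log."""
    return ", ".join("%s=%s" % (k, v) for k, v in mask_sensitive(kwargs).items())


def log_authorize(action, kwargs):
    """Same RBAC debug line as the bug report, built with the masked formatter."""
    msg = "RBAC: Authorizing %(action)s(%(kwargs)s)" % {
        "action": action, "kwargs": format_kwargs_safe(kwargs)}
    LOG.debug(msg)
    return msg


if __name__ == "__main__":
    # Constructed request mirroring the log line from the report.
    create_user_kwargs = {"user": {"domain_id": "default",
                                   "password": "CLEARTEXTPASSWORD",
                                   "enabled": True, "name": "DermotJ"}}
    print(format_kwargs_unsafe(create_user_kwargs))   # leaks the password
    print(log_authorize("identity:create_user", create_user_kwargs))
```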
[Yahoo-eng-team] [Bug 1258166] [NEW] N310 check recommends function that doesn't exist
Public bug reported:

Check N310 can return "N310 timeutils.now() must be used instead of datetime.now()", but timeutils.now() does not exist. Only utcnow() does.

** Affects: nova
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1258166

Title:
  N310 check recommends function that doesn't exist

Status in OpenStack Compute (Nova): New
[Yahoo-eng-team] [Bug 1257405] [NEW] Not checking image format produces lots of useless messages
Public bug reported:

The code for resizing partitionless images goes with the "tell, don't ask" idea and attempts to run extfs / mount utilities on an image even though they may fail. This produces lots of useless messages during the instance preparation, like these:

2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Failed to mount filesystem: Unexpected error while running command.
Command: sudo nova-rootwrap /etc/nova/rootwrap.conf mount /dev/nbd8 /tmp/openstack-vfs-localfsSz6ylg
Exit code: 32
Stdout: ''
Stderr: 'mount: you must specify the filesystem type\n' mnt_dev /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/api.py:198
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Fail to mount, tearing back down do_mount /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/api.py:219
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Unmap dev /dev/nbd8 unmap_dev /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/api.py:184
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.mount.nbd [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Release nbd device /dev/nbd8 unget_dev /usr/lib/python2.7/dist-packages/nova/virt/disk/mount/nbd.py:128
2013-11-21 06:45:07 20902 DEBUG nova.openstack.common.processutils [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf qemu-nbd -d /dev/nbd8 execute /usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py:147
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.vfs.localfs [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Failed to mount image Failed to mount filesystem: Unexpected error while running command.
Command: sudo nova-rootwrap /etc/nova/rootwrap.conf mount /dev/nbd8 /tmp/openstack-vfs-localfsSz6ylg
Exit code: 32
Stdout: ''
Stderr: 'mount: you must specify the filesystem type\n') setup /usr/lib/python2.7/dist-packages/nova/virt/disk/vfs/localfs.py:83
2013-11-21 06:45:07 20902 DEBUG nova.virt.disk.api [req-939d5d50-25ea-4f7a-8882-a880b9671e47 10873781609182 10816527907643] Unable to mount image /var/lib/nova/instances/5159cff0-91f6-4521-a0be-d74ce4f81fad/disk with error Failed to mount filesystem: Unexpected error while running command.
Command: sudo nova-rootwrap /etc/nova/rootwrap.conf mount /dev/nbd8 /tmp/openstack-vfs-localfsSz6ylg
Exit code: 32
Stdout: ''
Stderr: 'mount: you must specify the filesystem type\n'. Cannot resize. is_image_partitionless /usr/lib/python2.7/dist-packages/nova/virt/disk/api.py:191

This could be fixed by doing a simple check on the image itself to pick up the magic signature. This would allow skipping e2resize on non-extfs files and simple mounting on partitioned images without the error messages.

** Affects: nova
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1257405

Title:
  Not checking image format produces lots of useless messages

Status in OpenStack Compute (Nova): New
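The magic-signature check the report asks for, as an added example that is not nova's own code: it reads only the head of a raw image, looks for the ext2/3/4 superblock magic (0xEF53 at byte 1080), a GPT header signature and an MBR boot signature with a populated partition entry, and decides whether e2resize should run at all. Function names and the HEADER_LEN read size are assumptions; the sample headers are constructed, not real images.

```python
import struct

# Offsets from the ext2/3/4 superblock and the MBR/GPT on-disk layouts.
EXT_MAGIC_OFFSET = 1024 + 56   # superblock at 1 KiB, s_magic at +56
EXT_MAGIC = 0xEF53
MBR_PART_TABLE_OFFSET = 446    # four 16-byte partition entries
MBR_SIG_OFFSET = 510           # 0x55 0xAA boot signature
GPT_HDR_OFFSET = 512           # GPT header lives in LBA 1
GPT_SIGNATURE = b"EFI PART"
HEADER_LEN = 2048              # read only this much of the image

def classify_header(header: bytes) -> str:
    """Return 'ext' (partitionless ext2/3/4), 'gpt', 'mbr' (partition table
    present) or 'unknown' (too short or no recognised signature)."""
    if len(header) < EXT_MAGIC_OFFSET + 2:
        return "unknown"
    (ext_magic,) = struct.unpack_from("<H", header, EXT_MAGIC_OFFSET)
    if ext_magic == EXT_MAGIC:
        return "ext"
    if header[GPT_HDR_OFFSET:GPT_HDR_OFFSET + 8] == GPT_SIGNATURE:
        return "gpt"
    if header[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] == b"\x55\xaa":
        # Require a non-zero partition type in at least one entry; the
        # signature alone may just be a boot-sector stub.
        for i in range(4):
            if header[MBR_PART_TABLE_OFFSET + 16 * i + 4] != 0:
                return "mbr"
    return "unknown"

def classify_file(path: str) -> str:
    """Classify an image on disk by reading only its first HEADER_LEN bytes."""
    with open(path, "rb") as f:
        return classify_header(f.read(HEADER_LEN))

def needs_e2resize(header: bytes) -> bool:
    """Only a partitionless ext image should be handed to e2resize."""
    return classify_header(header) == "ext"

def make_header(kind: str) -> bytes:
    """Constructed sample image head for 'ext', 'mbr' or 'gpt' (not a real image)."""
    buf = bytearray(HEADER_LEN)
    if kind == "ext":
        struct.pack_into("<H", buf, EXT_MAGIC_OFFSET, EXT_MAGIC)
    else:
        buf[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] = b"\x55\xaa"
        buf[MBR_PART_TABLE_OFFSET + 4] = 0xEE if kind == "gpt" else 0x83
        if kind == "gpt":
            buf[GPT_HDR_OFFSET:GPT_HDR_OFFSET + 8] = GPT_SIGNATURE
    return bytes(buf)
```

A caller would run the mount path only for 'mbr'/'gpt' results and e2resize only for 'ext', so neither tool is tried blindly on an image that cannot succeed.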