[Openstack-security] [Bug 1664723] Change abandoned on trove (master)

Change abandoned by Trevor McCasland (TM2086 at att.com) on branch: master
Review: https://review.openstack.org/454205

You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.

  replication_slave user and passwords exposed in logging

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  In Progress

Bug description:
  Currently the passwords and usernames for trove's replication_user in
  pxc and percona configuration options are exposed in the logger.

  MySQL already has secret=True for their configuration options.

  This patch extends that to all of the other database configuration
  options using oslo.config.cfg.Opt option secret [1].

  See output below for exact logs:

  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password   = NETOU7897NNLOU from (pid=684) log_opt_values /usr/local/lib/python2.7
  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user       = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.636 DEBUG oslo_service.service [-] pxc.replication_user           = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744

  [1] http://docs.openstack.org/developer/oslo.config/cfg.html

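
A log audit for the exposure described in this bug, as an added example that is not part of the original notification or of Trove's code: it scans oslo.config `log_opt_values` debug lines and reports sensitive option names whose value was logged unmasked. The name patterns, the `find_exposed_options` helper and the sample lines are assumptions constructed for illustration; `****` is the mask oslo.config prints for options declared with `secret=True`.

```python
import re

# "group.option = value from (pid=N) log_opt_values ..." as dumped at DEBUG level.
OPT_LINE = re.compile(
    r"\]\s+(?P<name>[\w.]+)\s+=\s(?P<value>.*?)\s+from \(pid=\d+\) log_opt_values"
)
# Assumed heuristic for option names that should be declared secret=True.
SENSITIVE = re.compile(r"password|passwd|secret|token|credential|api_key", re.I)
MASK = "****"  # what oslo.config logs in place of a secret option's value

# Constructed sample lines in the format shown in the bug report.
SAMPLE_LOG = [
    "tr-api.log:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] "
    "percona.replication_password   = EXAMPLE-NOT-REAL from (pid=684) "
    "log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744",
    "tr-api.log:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] "
    "percona.replication_user       = slave_user from (pid=684) "
    "log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744",
    "tr-api.log:2017-02-14 10:21:58.630 DEBUG oslo_service.service [-] "
    "mysql.replication_password     = **** from (pid=684) "
    "log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744",
    "tr-api.log:2017-02-14 10:21:58.631 DEBUG oslo_service.service [-] "
    "percona.tcp_ports              = 3306 from (pid=684) "
    "log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744",
    "tr-api.log:2017-02-14 10:21:58.632 INFO trove.cmd.api [-] starting",
]


def find_exposed_options(lines, extra_sensitive=()):
    """Return (line_no, option) pairs for sensitive options logged unmasked.

    The value itself is never returned, so the audit output does not
    become a second copy of the secret.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = OPT_LINE.search(line)
        if not match:
            continue
        name, value = match.group("name"), match.group("value")
        leaf = name.rsplit(".", 1)[-1]
        sensitive = bool(SENSITIVE.search(leaf)) or leaf in extra_sensitive
        # Empty, unset and masked values carry no secret.
        if sensitive and value not in ("", "None", MASK):
            findings.append((line_no, name))
    return findings


if __name__ == "__main__":
    for line_no, name in find_exposed_options(SAMPLE_LOG, ("replication_user",)):
        print(f"line {line_no}: {name} logged unmasked; declare it secret=True")
```

Pass `extra_sensitive` for options such as `replication_user` that the name heuristic does not catch but that the deployment treats as sensitive.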