cloudstack-issues mailing list archives

From "Prasanna Santhanam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-3274) Object_store_refactor: secretkey and accesskey of the backing store is found in plaintext in the logs
Date Thu, 18 Jul 2013 17:34:55 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13712538#comment-13712538 ]

Prasanna Santhanam commented on CLOUDSTACK-3274:
------------------------------------------------

I think it's the GET request that I saw that led me to believe this was showing in the logs,
which it is, btw. So it's up to you how you want to handle this. I've sanitized the request
here, but the secret key and access key print as is from the request. I haven't set up SSL
to see how this comes over https, but likely it comes as is:

2013-07-18 23:02:06,249 DEBUG [cloud.api.ApiServlet] (455888271@qtp-999479248-0:null) ===START===
 127.0.0.1 -- GET  details%5B2%5D.key=usehttps&details%5B3%5D.value=ACCESS_KEY&details%5B7%5D.key=connectiontimeout&details%5B6%5D.value=s3.amazonaws.com&signature=5hCDaRnDcXSlxkUylUttTOBm83g%3D&details%5B4%5D.key=bucket&details%5B1%5D.value=acstest-objectstore&apiKey=XYCeMPDvb_WdHeivKt8vxI3pXTOeHNKlfucrquIFGzMBq3GBdlyOEpkKs-3J3fl3bqKZlBoVZSO9WKIipuzGpg&details%5B8%5D.value=objectstore&details%5B5%5D.value=SECRET_KEY&details%5B7%5D.value=300000&response=json&details%5B8%5D.key=__name__&details%5B2%5D.value=true&details%5B6%5D.key=endpoint&details%5B0%5D.value=0&details%5B4%5D.value=acstest.cloudstack.org&details%5B1%5D.key=name&details%5B5%5D.key=secretkey&details%5B3%5D.key=accesskey&provider=S3&command=addImageStore&details%5B0%5D.key=maxerrorretry

                
> Object_store_refactor: secretkey and accesskey of the backing store is found in plaintext in the logs
> -----------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3274
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3274
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Storage Controller
>    Affects Versions: 4.2.0
>            Reporter: Prasanna Santhanam
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.2.0
>
>
> Should we be printing the s3 store credentials in the logs in plaintext? Can it be sanitized?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
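
One way to scrub a query string of the shape logged above before it is written out, as an added example that is not part of the original message and not CloudStack's own code. The function name `sanitize_query`, the mask string, and the choice to also mask `apiKey` and `signature` are assumptions; the sample input is constructed.

```python
import re
from urllib.parse import unquote

# Names taken from the issue title; matched against details[N].key values.
SECRET_DETAIL_NAMES = {"secretkey", "accesskey"}
# Assumption (not from the page): also mask these top-level parameters.
SECRET_PARAMS = {"apikey", "signature"}
MASK = "****"
_DETAIL = re.compile(r"details\[(\d+)\]\.(key|value)", re.IGNORECASE)


def sanitize_query(query: str) -> str:
    """Return the query string with secret values replaced by MASK."""
    pairs = [p.partition("=") for p in query.split("&")]

    # Pass 1: find every index N whose details[N].key names a secret.
    # A single left-to-right pass is not enough, because details[N].value
    # can appear before details[N].key, as it does in the logged request.
    secret_idx = set()
    for name, _, value in pairs:
        m = _DETAIL.fullmatch(unquote(name))
        if m and m.group(2).lower() == "key" \
                and unquote(value).lower() in SECRET_DETAIL_NAMES:
            secret_idx.add(int(m.group(1)))

    # Pass 2: mask the paired values and the top-level secret parameters.
    out = []
    for name, sep, value in pairs:
        decoded = unquote(name)
        m = _DETAIL.fullmatch(decoded)
        hide = decoded.lower() in SECRET_PARAMS or bool(
            m and m.group(2).lower() == "value" and int(m.group(1)) in secret_idx)
        out.append(name + sep + (MASK if hide and sep else value))
    return "&".join(out)


# Constructed sample in the shape of the logged request; all values are made up.
SAMPLE = (
    "details%5B3%5D.value=EXAMPLE_ACCESS&details%5B6%5D.value=s3.example.test"
    "&signature=c2ln%3D&details%5B5%5D.value=EXAMPLE_SECRET&apiKey=EXAMPLE_API"
    "&details%5B6%5D.key=endpoint&details%5B5%5D.key=secretkey"
    "&details%5B3%5D.key=accesskey&provider=S3&command=addImageStore"
)

if __name__ == "__main__":
    print(sanitize_query(SAMPLE))
```

Non-secret parameters such as the endpoint and bucket pass through unchanged, so the log line stays useful for debugging.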
