** Changed in: nova
       Status: Confirmed => Fix Released

** Changed in: ossa
       Status: Confirmed => Fix Released

** Changed in: oslo.messaging
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2030976

Title:
  oslo notifications sending sensitive tokens

Status in Ironic:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in oslo.messaging:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Hi,

  I have configured an OpenStack deployment to send Ironic service
  notifications using oslo_messaging_notifications[1] and noticed that
  Keystone tokens are being sent in the
  ['oslo.message']['_context_auth_token'] field of the message payload.

  - I have confirmed that the auth token is leaked using both a Kafka
    and a RabbitMQ backend
  - I have also confirmed that both the messaging and messagingv2
    options under oslo_messaging_notifications.driver are impacted[2]
  - I am using the Victoria version of OpenStack and I have not
    confirmed if this has been patched on newer versions

  1) https://docs.openstack.org/ironic/latest/admin/notifications.html
  2) https://docs.openstack.org/ironic/victoria/configuration/sample-config.html
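
An added example, not part of the bug report or of any OpenStack project's code: a consumer-side check that flags and redacts the _context_auth_token field named in the report before notification messages are stored or forwarded. The message shapes handled (an envelope whose oslo.message is a JSON string or an object, or an unwrapped message with the key at top level), the event types and the token value are assumptions constructed for illustration.

```python
import json

TOKEN_KEY = "_context_auth_token"  # field named in the bug report
REDACTED = "<redacted>"

# Constructed sample messages (not captured traffic); the token is a dummy.
_BODY = {"event_type": "baremetal.node.power_set.end",
         TOKEN_KEY: "gAAAA-constructed-dummy",
         "payload": {"uuid": "0000"}}
SAMPLES = [
    json.dumps({"oslo.version": "2.0", "oslo.message": json.dumps(_BODY)}),
    json.dumps(_BODY),  # unwrapped shape (assumed)
    json.dumps({"event_type": "baremetal.node.create", "payload": {}}),
]


def _unwrap(message):
    """Return (body, wrapped): body is the dict holding the _context_* keys."""
    inner = message.get("oslo.message")
    if inner is None:
        return message, False        # no envelope: keys sit at top level
    if isinstance(inner, str):       # envelope carrying a JSON string
        inner = json.loads(inner)
    return inner, True


def scrub(raw):
    """Parse one notification; return (leaked, json_with_token_redacted)."""
    message = json.loads(raw)
    body, wrapped = _unwrap(message)
    leaked = bool(body.get(TOKEN_KEY))
    if leaked:
        body[TOKEN_KEY] = REDACTED   # never log or return the token itself
    if wrapped and isinstance(message["oslo.message"], str):
        message["oslo.message"] = json.dumps(body)  # keep the original shape
    return leaked, json.dumps(message)


def audit(raw_messages):
    """Return the event_type of every message that carried a token."""
    hits = []
    for raw in raw_messages:
        leaked, redacted = scrub(raw)
        if leaked:
            body, _ = _unwrap(json.loads(redacted))
            hits.append(body.get("event_type", "<unknown>"))
    return hits
```

Running audit() over messages consumed from the notification topic shows whether a deployment is still emitting tokens after upgrading; scrub() is a stopgap for consumers and does not replace the upstream fix.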