qpid-dev mailing list archives

From "zhu zhu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (QPID-5772) Security: after open debug log for qpid, python qpid client will print all information including sensitive data
Date Sun, 18 May 2014 04:49:14 GMT

     [ https://issues.apache.org/jira/browse/QPID-5772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhu zhu updated QPID-5772:
--------------------------

    Description: 
For example, logs as below. 

Is it possible to have Qpid provide options/configurations to NOT print certain credential
fields in the debug logs? It will benefit the security of products that are adopting QPID as their AMQP implementation.
 

Such as messaging/driver.py writeable, write method
rawlog.debug("SENT[%s]: %r", self.log_id, sent)
opslog.debug("RCVD[%s]: %r", self.log_id, op)
opslog.debug("SENT[%s]: %r", self.log_id, op)
log.debug("RACK[%s]: %s", sst.session.log_id, msg)
...
 
2014-05-15 04:07:07.756 19781 DEBUG qpid.messaging [-] SENT[3ae25a8]: Message(ttl=60, properties={'qpid.subject':
'topic/nova/conductor'}, content={'oslo.message': '{"_context_roles": ["_member_", "admin"],
"_msg_id": "7216c147b92048b38a779e0a37506edf", "_context_quota_class": null, "_context_request_id":
"req-4e6960a0-89e2-410b-b67c-2fcda1b526e2", "_context_service_catalog": [{"endpoints_links":
[], "endpoints": [{"adminURL": "http://9.123.137.154:8776/v1/c33546258c0a4733aa8eb56418df6438",
"region": "RegionOne", "publicURL": "http://9.123.137.154:8776/v1/c33546258c0a4733aa8eb56418df6438",
"internalURL": "http://9.123.137.154:8776/v1/c33546258c0a4733aa8eb56418df6438", "id": "165be0534de5425daed4ee40da0d2f47"}],
"type": "volume", "name": "cinder"}], "args": {"values": {"instance_uuid": "0b39e666-aa4e-4f54-89f8-2bc0f5d86e89",
"start_time": "2014-05-15T09:07:07.750051", "event": "compute_terminate_instance", "request_id":
"req-4e6960a0-89e2-410b-b67c-2fcda1b526e2"}}, "_unique_id": "e7392f1384134643bba0966088fcdaad",
"_context_user": "f36557892ea44962b8b6e9f1897f2605", "_context_user_id": "f36557892ea44962b8b6e9f1897f2605",
"_context_project_name": "service", "_context_read_deleted": "no", "_reply_q": "reply_02768c332dd445d79ce253efd75b32b8",
"_context_auth_token": "202cdaf88b284afeafbbc77dc10f9058", "_context_tenant": "c33546258c0a4733aa8eb56418df6438",
"_context_instance_lock_checked": false, "_context_is_admin": true, "version": "2.0", "_context_project_id":
"c33546258c0a4733aa8eb56418df6438", "_context_timestamp": "2014-05-15T09:07:07.482164", "_context_user_name":
"admin", "method": "action_event_start", "_context_remote_address": "9.123.137.154"}', 'oslo.version':
'2.0'}) send /usr/lib/python2.6/site-packages/qpid/messaging/driver.py:1283

> Security: after open debug log for qpid, python qpid client will print all information including sensitive data
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-5772
>                 URL: https://issues.apache.org/jira/browse/QPID-5772
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>            Reporter: zhu zhu
>              Labels: debuglog, security,
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
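
An application-side way to keep credential fields out of these debug lines is a logging filter that masks them before a handler writes the record. This is an added example, not code from Qpid or from the reporter; the key names other than _context_auth_token, the mask string and the sample message are assumptions constructed for illustration.

```python
import io
import logging
import re

# "_context_auth_token" is the field in the log line above; the other
# names are assumptions. Extend the tuple for your own deployment.
SENSITIVE_KEYS = ("_context_auth_token", "auth_token", "password")
MASK = "***REDACTED***"

# Matches  "key": "value"  or  'key': 'value', with optional backslashes
# before the quotes (JSON nested inside another quoted string).
_FIELD_RE = re.compile(
    r"""(\\?["'](?:%s)\\?["']\s*:\s*\\?["'])([^"'\\]+)"""
    % "|".join(re.escape(k) for k in SENSITIVE_KEYS)
)

def redact(text):
    """Replace the value of every sensitive key found in text with MASK."""
    return _FIELD_RE.sub(lambda m: m.group(1) + MASK, text)

class RedactingFilter(logging.Filter):
    """Scrub a record after its lazy %r / %s arguments have been rendered."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second format
        return True

def demo():
    """Log a constructed SENT line through a filtered handler; return output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # On the handler, not the logger: logger filters skip child loggers.
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("qpid.messaging")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    content = {"oslo.message": '{"_context_auth_token": "CONSTRUCTED-TOKEN-0000", '
                               '"method": "action_event_start"}'}  # constructed
    try:
        log.debug("SENT[%s]: %r", "3ae25a8", content)
    finally:
        log.removeHandler(handler)
    return stream.getvalue()

if __name__ == "__main__":
    print(demo())
```

The filter has to be added to every handler that can receive qpid debug records, since a handler without it still writes the unmasked text. Pattern-based masking is best effort: a value that itself contains quotes or backslashes is only masked up to that character.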

