Activity log for bug #1977516

Date Who What changed Old value New value Message
2022-06-03 13:31:09 Pavlo Shchelokovskyy bug added bug
2022-06-03 13:31:09 Pavlo Shchelokovskyy attachment added 0001-Do-not-log-sensitive-info-in-OIDC.patch https://bugs.launchpad.net/bugs/1977516/+attachment/5594651/+files/0001-Do-not-log-sensitive-info-in-OIDC.patch
2022-06-27 15:39:05 Jeremy Stanley bug task added ossa
2022-06-27 15:39:18 Jeremy Stanley ossa: status New Incomplete
2022-06-27 15:44:15 Jeremy Stanley description This might lead to unintended password disclosure, so marking as security vulnerability What I have now using self-deployed keycloak as IdP (hence insecure: true) $ cat ~/.config/openstack/clouds.yaml clouds: federated: auth_type: v3oidcpassword auth: auth_url: https://keystone.it.just.works/v3 project_name: admin project_domain_name: Default identity-provider: keycloak protocol: mapped client-id: os client-secret: someRandomClientSecretMightBeNull openid-scope: openid access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration username: pshchelokovskyy password: "CLEAR TEXT PASSWORD!!!" region_name: RegionOne insecure: true identity_api_version: 3 $ openstack --os-cloud federated --debug token issue ... Using auth plugin: v3oidcpassword Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'} Turning off SSL warnings for federated:RegionOne since verify=False Turning off Insecure SSL warnings since verify=False Get auth_ref REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" Starting new HTTPS connection (1): keycloak.it.just.works:443 https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578 RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"} REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}' ... Notice how the password is masked when just logging args (Using parameters ... log line) but is printed unmasked when logging the curl equivalent of the request. Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig thru to the actual cause. In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, patch could be made much shorter This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. This embargo shall not extend past 2022-09-25 and will be made public by or on that date even if no fix is identified. This might lead to unintended password disclosure, so marking as security vulnerability What I have now using self-deployed keycloak as IdP (hence insecure: true) $ cat ~/.config/openstack/clouds.yaml clouds:   federated:     auth_type: v3oidcpassword     auth:       auth_url: https://keystone.it.just.works/v3       project_name: admin       project_domain_name: Default       identity-provider: keycloak       protocol: mapped       client-id: os       client-secret: someRandomClientSecretMightBeNull       openid-scope: openid       access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token       discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration       username: pshchelokovskyy       password: "CLEAR TEXT PASSWORD!!!"     region_name: RegionOne     insecure: true     identity_api_version: 3 $ openstack --os-cloud federated --debug token issue ... Using auth plugin: v3oidcpassword Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'} Turning off SSL warnings for federated:RegionOne since verify=False Turning off Insecure SSL warnings since verify=False Get auth_ref REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" Starting new HTTPS connection (1): keycloak.it.just.works:443 https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578 RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"} REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}' ... Notice how the password is masked when just logging args (Using parameters ... log line) but is printed unmasked when logging the curl equivalent of the request. Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig thru to the actual cause. In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, patch could be made much shorter
2022-06-27 15:44:38 Jeremy Stanley bug added subscriber Keystone Core security contacts
2022-10-18 17:24:28 Jeremy Stanley description This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. This embargo shall not extend past 2022-09-25 and will be made public by or on that date even if no fix is identified. This might lead to unintended password disclosure, so marking as security vulnerability What I have now using self-deployed keycloak as IdP (hence insecure: true) $ cat ~/.config/openstack/clouds.yaml clouds:   federated:     auth_type: v3oidcpassword     auth:       auth_url: https://keystone.it.just.works/v3       project_name: admin       project_domain_name: Default       identity-provider: keycloak       protocol: mapped       client-id: os       client-secret: someRandomClientSecretMightBeNull       openid-scope: openid       access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token       discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration       username: pshchelokovskyy       password: "CLEAR TEXT PASSWORD!!!"     region_name: RegionOne     insecure: true     identity_api_version: 3 $ openstack --os-cloud federated --debug token issue ... Using auth plugin: v3oidcpassword Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'} Turning off SSL warnings for federated:RegionOne since verify=False Turning off Insecure SSL warnings since verify=False Get auth_ref REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" Starting new HTTPS connection (1): keycloak.it.just.works:443 https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578 RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"} REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}' ... Notice how the password is masked when just logging args (Using parameters ... log line) but is printed unmasked when logging the curl equivalent of the request. Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig thru to the actual cause. In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, patch could be made much shorter This might lead to unintended password disclosure, so marking as security vulnerability What I have now using self-deployed keycloak as IdP (hence insecure: true) $ cat ~/.config/openstack/clouds.yaml clouds:   federated:     auth_type: v3oidcpassword     auth:       auth_url: https://keystone.it.just.works/v3       project_name: admin       project_domain_name: Default       identity-provider: keycloak       protocol: mapped       client-id: os       client-secret: someRandomClientSecretMightBeNull       openid-scope: openid       access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token       discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration       username: pshchelokovskyy       password: "CLEAR TEXT PASSWORD!!!"     region_name: RegionOne     insecure: true     identity_api_version: 3 $ openstack --os-cloud federated --debug token issue ... Using auth plugin: v3oidcpassword Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'} Turning off SSL warnings for federated:RegionOne since verify=False Turning off Insecure SSL warnings since verify=False Get auth_ref REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" Starting new HTTPS connection (1): keycloak.it.just.works:443 https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578 RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"} REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}' ... Notice how the password is masked when just logging args (Using parameters ... log line) but is printed unmasked when logging the curl equivalent of the request. Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig thru to the actual cause. In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, patch could be made much shorter
2022-10-18 17:24:33 Jeremy Stanley information type Private Security Public
2022-10-18 17:24:42 Jeremy Stanley tags security
2022-10-18 17:24:49 Jeremy Stanley ossa: status Incomplete Won't Fix
2022-10-19 16:56:06 OpenStack Infra keystoneauth: status New In Progress