When a ProcessExecutionError is thrown by processutils.ssh_execute(),
the exception may contain information such as password. Upstream
applications that just log the message (as several appear to do)
could inadvertently expose these passwords to a user with read access to
the log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added (to oslo-incubator) in order to
ensure that all three are properly masked.
An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
to address ssh_execute(). This change set addresses ssh_execute.
Reviewed: https://review.openstack.org/126047
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8e7d6a60ff92df19aceb0972566b48992eee18b4
Submitter: Jenkins
Branch: master
commit 8e7d6a60ff92df19aceb0972566b48992eee18b4
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000
Mask passwords in exceptions and error messages
When a ProcessExecutionError is thrown by processutils.ssh_execute(),
the exception may contain information such as password. Upstream
applications that just log the message (as several appear to do)
could inadvertently expose these passwords to a user with read access to
the log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added (to oslo-incubator) in order to
ensure that all three are properly masked.
An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
to address ssh_execute(). This change set addresses ssh_execute.
OSSA is aware of this change request.
Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981
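
The masking step the commit message describes, as an added example that is not the nova or oslo-incubator code: the command, stdout and stderr are all masked before the exception is built, so a caller that logs the message cannot leak the secret. `mask_secrets`, `ssh_execute_masked`, `fake_run` and the regex are hypothetical stand-ins; the real `strutils.mask_password()` covers more formats.

```python
import re

# Simplified stand-in for strutils.mask_password(); key list and pattern are assumptions.
_SECRET = re.compile(
    r"""((?:password|passwd|secret)["']?\s*[=:]\s*["']?)([^"'\s,]+)""",
    re.IGNORECASE)


def mask_secrets(text, mask="***"):
    """Replace the value that follows a password-like key with `mask`."""
    return _SECRET.sub(lambda m: m.group(1) + mask, text or "")


class ProcessExecutionError(Exception):
    """Minimal model of the exception: command, exit code, stdout, stderr."""

    def __init__(self, cmd, exit_code, stdout, stderr):
        self.cmd, self.exit_code = cmd, exit_code
        self.stdout, self.stderr = stdout, stderr
        super().__init__(
            "Command: %s\nExit code: %s\nStdout: %r\nStderr: %r"
            % (cmd, exit_code, stdout, stderr))


def ssh_execute_masked(run, cmd):
    """Run `cmd` via `run` (hypothetical callable returning exit code,
    stdout, stderr) and mask all three text fields before raising."""
    exit_code, stdout, stderr = run(cmd)
    if exit_code != 0:
        raise ProcessExecutionError(
            cmd=mask_secrets(cmd), exit_code=exit_code,
            stdout=mask_secrets(stdout), stderr=mask_secrets(stderr))
    return stdout, stderr


def fake_run(cmd):
    # Constructed sample: a failing remote command that echoes its secret back.
    return 1, "connecting with password='s3cr3t'", 'auth failed {"password": "s3cr3t"}'


def demo():
    """Trigger the failure path and return the exception a caller would log."""
    try:
        ssh_execute_masked(fake_run, "mysql --user=nova --password=s3cr3t nova")
    except ProcessExecutionError as exc:
        return exc


if __name__ == "__main__":
    print(demo())
```

Masking only the command would still leak here, because the constructed remote side repeats the secret in both stdout and stderr.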