[coordination] backend_url should be secret

Bug #2012246 reported by Takashi Kajinami
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Aodh
In Progress
Undecided
Takashi Kajinami
Ceilometer
Fix Released
Undecided
Takashi Kajinami
Cinder
In Progress
Undecided
Takashi Kajinami
Designate
Fix Released
Undecided
Takashi Kajinami
OpenStack Shared File Systems Service (Manila)
Fix Released
Undecided
Takashi Kajinami
puppet-cloudkitty
Fix Released
Medium
Takashi Kajinami
puppet-gnocchi
Fix Released
Medium
Takashi Kajinami
puppet-oslo
Fix Released
Medium
Takashi Kajinami
puppet-sahara
Fix Released
Medium
Takashi Kajinami

Bug Description

The [coordination] backend_url determines and configures the coordination backend.
This option can sometimes contain secrets.

For example when redis coordination backend is used and authentication is enabled in redis, the plain redis password is put as an URL element.

```
[coordination]
backend_url=redis://:password@127.0.0.1:6379
```

However this option is now defined without secret=True so its value is dumped to log during service start up.

Changed in cinder:
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in cinder:
status: New → In Progress
Changed in manila:
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in ceilometer:
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in aodh:
assignee: nobody → Takashi Kajinami (kajinamit)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on manila (stable/train)

Change abandoned by "Takashi Kajinami <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/manila/+/877933
Reason: wrong branch ...

Changed in manila:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/877935

Changed in designate:
assignee: nobody → Takashi Kajinami (kajinamit)
status: New → In Progress
Changed in ceilometer:
status: New → In Progress
Changed in aodh:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on manila (stable/train)

Change abandoned by "Takashi Kajinami <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/manila/+/877933

Changed in puppet-cloudkitty:
importance: Undecided → Medium
Changed in puppet-gnocchi:
importance: Undecided → Medium
Changed in puppet-oslo:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-oslo (master)
Changed in puppet-oslo:
status: New → In Progress
Changed in puppet-sahara:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-gnocchi (master)
Changed in puppet-gnocchi:
status: New → In Progress
Changed in puppet-oslo:
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in puppet-sahara:
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in puppet-gnocchi:
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in puppet-cloudkitty:
assignee: nobody → Takashi Kajinami (kajinamit)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-cloudkitty (master)
Changed in puppet-cloudkitty:
status: New → In Progress
Changed in puppet-sahara:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-sahara (master)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/designate/+/877767

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/designate/+/877768

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/designate/+/877769

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/designate/+/878010

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (master)

Reviewed: https://review.opendev.org/c/openstack/designate/+/877909
Committed: https://opendev.org/openstack/designate/commit/541395c42414c40d105ce206e2f200456bbc375f
Submitter: "Zuul (22348)"
Branch: master

commit 541395c42414c40d105ce206e2f200456bbc375f
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:26:17 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: I0ee95fc56130e51bf5c799d252e79a469492b7db

Changed in designate:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/877935
Committed: https://opendev.org/openstack/manila/commit/8ec46875665e93daf252a9feaf9d36d354c3660c
Submitter: "Zuul (22348)"
Branch: master

commit 8ec46875665e93daf252a9feaf9d36d354c3660c
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:31:52 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: Ia815720cedda2f5c70205ffda5c765364cee8f8c

Changed in manila:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-cloudkitty (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-cloudkitty/+/877951
Committed: https://opendev.org/openstack/puppet-cloudkitty/commit/70d66f8f554873934d15ed0941f0d1e1a44a9be7
Submitter: "Zuul (22348)"
Branch: master

commit 70d66f8f554873934d15ed0941f0d1e1a44a9be7
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 21:11:32 2023 +0900

    [orchestrator] coordination_url should be hidden

    The coordination_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [orchestrator]
    coordination_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: Iba1e7715b290ee4c104f11221e250b23936b12dc

Changed in puppet-cloudkitty:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-sahara (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-sahara/+/877952
Committed: https://opendev.org/openstack/puppet-sahara/commit/b82c6813c1cc7bd8a25e501db1790f0a86bfa7f8
Submitter: "Zuul (22348)"
Branch: master

commit b82c6813c1cc7bd8a25e501db1790f0a86bfa7f8
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 21:13:03 2023 +0900

    [DEFAULT] periodic_coordinator_backend_url should be secret

    This option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [DEFAULT]
    periodic_coordinator_backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: I514dbead158c72c43c8e077aad2a4935b3b99040

Changed in puppet-sahara:
status: In Progress → Fix Released
Changed in puppet-gnocchi:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-gnocchi (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-gnocchi/+/877950
Committed: https://opendev.org/openstack/puppet-gnocchi/commit/a8fc8c9722ff49f81f41a3eac97732bb0d2b95b1
Submitter: "Zuul (22348)"
Branch: master

commit a8fc8c9722ff49f81f41a3eac97732bb0d2b95b1
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 21:09:05 2023 +0900

    Make sure redis urls are hidden

    This makes sure that the parameters which accept redis url are hidden
    from logs, because redis url can contain password as a URL element.

    example: redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: Ief97f9e28ed7e318b56b27f03214ecc76de6798e

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-oslo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-oslo/+/877949
Committed: https://opendev.org/openstack/puppet-oslo/commit/a9963373338fe725e89ce8bed3f9e001f2abeeb4
Submitter: "Zuul (22348)"
Branch: master

commit a9963373338fe725e89ce8bed3f9e001f2abeeb4
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 21:06:23 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: Idb7cba32fa81da698d408c27a854550b03e5abd4

Changed in puppet-oslo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/manila/+/878152

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/designate/+/877767
Committed: https://opendev.org/openstack/designate/commit/bda31ec62c3eaa7fcdd25d69f97742744debf915
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit bda31ec62c3eaa7fcdd25d69f97742744debf915
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:26:17 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: I0ee95fc56130e51bf5c799d252e79a469492b7db
    (cherry picked from commit 541395c42414c40d105ce206e2f200456bbc375f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/designate/+/877769
Committed: https://opendev.org/openstack/designate/commit/81f3475971823ee82fb9c73f20bc64051d0cba36
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 81f3475971823ee82fb9c73f20bc64051d0cba36
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:26:17 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: I0ee95fc56130e51bf5c799d252e79a469492b7db
    (cherry picked from commit 541395c42414c40d105ce206e2f200456bbc375f)
    (cherry picked from commit bda31ec62c3eaa7fcdd25d69f97742744debf915)
    (cherry picked from commit be775801e33313305b5d90dca10bae166e6938c8)
    (cherry picked from commit f1981d057f08f9229eba2e8191dc06b22be1cffd)

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/designate/+/878010
Committed: https://opendev.org/openstack/designate/commit/f1981d057f08f9229eba2e8191dc06b22be1cffd
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit f1981d057f08f9229eba2e8191dc06b22be1cffd
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:26:17 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: I0ee95fc56130e51bf5c799d252e79a469492b7db
    (cherry picked from commit 541395c42414c40d105ce206e2f200456bbc375f)
    (cherry picked from commit bda31ec62c3eaa7fcdd25d69f97742744debf915)
    (cherry picked from commit be775801e33313305b5d90dca10bae166e6938c8)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to designate (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/designate/+/877768
Committed: https://opendev.org/openstack/designate/commit/be775801e33313305b5d90dca10bae166e6938c8
Submitter: "Zuul (22348)"
Branch: stable/zed

commit be775801e33313305b5d90dca10bae166e6938c8
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:26:17 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: I0ee95fc56130e51bf5c799d252e79a469492b7db
    (cherry picked from commit 541395c42414c40d105ce206e2f200456bbc375f)
    (cherry picked from commit bda31ec62c3eaa7fcdd25d69f97742744debf915)

tags: added: in-stable-zed
Changed in ceilometer:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-cloudkitty 11.0.0

This issue was fixed in the openstack/puppet-cloudkitty 11.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-gnocchi 22.0.0

This issue was fixed in the openstack/puppet-gnocchi 22.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-oslo 22.0.0

This issue was fixed in the openstack/puppet-oslo 22.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-sahara 22.0.0

This issue was fixed in the openstack/puppet-sahara 22.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/designate 16.0.1

This issue was fixed in the openstack/designate 16.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/designate 14.0.3

This issue was fixed in the openstack/designate 14.0.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/manila/+/878152
Committed: https://opendev.org/openstack/manila/commit/5da7be292664194d9845d1ae77fba821f97ff7fe
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 5da7be292664194d9845d1ae77fba821f97ff7fe
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:31:52 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: Ia815720cedda2f5c70205ffda5c765364cee8f8c
    (cherry picked from commit 8ec46875665e93daf252a9feaf9d36d354c3660c)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/manila/+/890841

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/manila/+/890842

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/manila/+/890843

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/manila/+/890844

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/aodh 17.0.0.0rc1

This issue was fixed in the openstack/aodh 17.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ceilometer 21.0.0.0rc1

This issue was fixed in the openstack/ceilometer 21.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/designate 17.0.0.0rc1

This issue was fixed in the openstack/designate 17.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 17.0.0.0rc1

This issue was fixed in the openstack/manila 17.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/designate 15.0.1

This issue was fixed in the openstack/designate 15.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 16.1.0

This issue was fixed in the openstack/manila 16.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/manila/+/890841
Committed: https://opendev.org/openstack/manila/commit/98ea6ac7688be7376a3d3512c69b5905c9738a01
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 98ea6ac7688be7376a3d3512c69b5905c9738a01
Author: Takashi Kajinami <email address hidden>
Date: Mon Mar 20 18:31:52 2023 +0900

    [coordination] backend_url should be secret

    The backend_url option can sometimes contain secrets.

    For example when redis coordination backend is used and authentication
    is enabled in redis, the plain redis password is put as an URL element.

    [coordination]
    backend_url=redis://:password@127.0.0.1:6379

    Closes-Bug: #2012246
    Change-Id: Ia815720cedda2f5c70205ffda5c765364cee8f8c
    (cherry picked from commit 8ec46875665e93daf252a9feaf9d36d354c3660c)
    (cherry picked from commit 5da7be292664194d9845d1ae77fba821f97ff7fe)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.