Project

General

Profile

Bug #37503

Audit log: mgr module passwords set on CLI written as plaintext in log files

Added by Tim Serong 11 months ago. Updated about 2 months ago.

Status:
Verified
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
12/03/2018
Due date:
% Done:

0%

Source:
Tags:
Backport:
nautilus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

A number of mgr modules need passwords set for one reason or another, either to authenticate with external systems (deepsea, influx, diskprediction), or to define credentials for users of those modules (dashboard, restful).

In all cases, these passwords are set from the command line, either via module-specific commands (`ceph dashboard ac-user-create`, `deepsea config-set salt_api_password`, etc.) or via `ceph config set` with some particular key (e.g.: mgr/influx/passsword)

All module-specific commands go through DaemonServer::_handle_command(), which then logs the command via audit_clog->debug() (or audit_clog->info() in case of access denied). This all ends up written to /var/log/ceph/ceph-mgr.$ID.log, which is world-readable, e.g.:

2018-12-03 10:45:28.864 7f67e7f8f700  0 log_channel(audit) log [DBG] : from='client.343880 172.16.1.254:39896/3560370796' entity='client.admin' cmd=[{"prefix": "deepsea config-set", "key": "salt_api_password", "value": "foo", "target": ["mgr", ""]}]: dispatch

Additionally, anything that results in a "config set" lands in the mon log, e.g.:

2018-12-03 10:45:28.881552 [INF]  from='mgr.295252 172.16.1.21:56636/175641' entity='mgr.data1' cmd='[{"prefix":"config set","who":"mgr","name":"mgr/deepsea/salt_api_password","value":"foo"}]': finished 

This also appears in the Audit log in the Dashboard.

Some things that land in the mon log probably don't matter; for any module that hashes passwords before saving them, only the hashed password should land in the mon log. But there's still the problem of the CLI commands in the mgr log, and in any case, modules that need to authenticate with external services will need to store plaintext passwords.

ISTM we need to either never log these things, or somehow keep the command logging, but filter the passwords out, so it renders the value as "*****" instead of the actual password.

I'm not sure how best to approach this, given the way command logging is structured. At the point commands are logged, the commands themselves are just strings. Admittedly, they're strings of JSON, but they're effectively opaque at that point - we'd have to parse the JSON, then look for things that might be passwords, blank them out, and turn the whole lot back into a string. Yuck.


Related issues

Related to mgr - Bug #41320: mgr/dashboard: passwords and other sensitive information is written to logs Pending Backport 08/16/2019

History

#1 Updated by Sebastian Wagner 11 months ago

I would expect the `diskprediction_cloud` module to also be affected by this. See http://docs.ceph.com/docs/master/mgr/diskprediction/#connection-settings

#2 Updated by Sebastian Wagner about 2 months ago

  • Related to Bug #41320: mgr/dashboard: passwords and other sensitive information is written to logs added

#3 Updated by Sebastian Wagner about 2 months ago

  • Status changed from New to Verified

#4 Updated by Sebastian Wagner about 2 months ago

  • Project changed from mgr to Ceph
  • Subject changed from mgr module passwords set on CLI written as plaintext in log files to Audit log: mgr module passwords set on CLI written as plaintext in log files

#5 Updated by Lenz Grimmer about 2 months ago

  • Backport set to nautilus

Also available in: Atom PDF