[Bug 1811098] Re: ceilometer writing snmp credentials to log file

Edward Hope-Morley edward.hope-morley at canonical.com
Fri Jan 11 18:22:05 UTC 2019


** Patch added: "lp1811098-stein.debdiff"
   https://bugs.launchpad.net/ceilometer/+bug/1811098/+attachment/5228503/+files/lp1811098-stein.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1811098

Title:
  [SRU] ceilometer writing snmp credentials to log file

Status in Ceilometer:
  In Progress
Status in Ubuntu Cloud Archive:
  New
Status in ceilometer package in Ubuntu:
  New

Bug description:
  The ceilometer-agent-central is always writing the contents of
  polling.yaml to its log file (and as INFO) [1]

  This presents a security risk if e.g. resources contain sensitive
  information like when specifying snmp targets with the url containing
  the username, password etc.

  There are a couple of ways we could solve this, namely: (1) don't log
  this info at all, (2) sanitise the contents prior to logging as DEBUG,
  (3) switch to using config for the snmp credentials in a similar way
  to how the Triple0Discoverer does it [2] - this would only support
  having the same creds everywhere though, which may not be desirable.

  [1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
  [2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1811098/+subscriptions
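
Option (2) from the bug description, sketched as an added example that is not part of the original report and not the Ceilometer fix: mask URL credentials in a parsed polling definition before it is logged at DEBUG. The sample config, the `redact`/`redact_url` names and the list of secret-looking query keys are assumptions made for illustration.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "***"
# Assumption: query parameters whose name contains one of these hold secrets.
SECRET_QUERY_HINTS = ("pass", "secret", "key", "token")


def redact_url(value):
    """Mask userinfo and secret-looking query values in a URL string."""
    if not isinstance(value, str) or "://" not in value:
        return value
    try:
        parts = urlsplit(value)
    except ValueError:
        return MASK  # unparsable URL: mask it whole rather than log a secret
    netloc = parts.netloc
    if "@" in netloc:
        # Split on the last '@' so a password containing '@' is fully masked.
        netloc = MASK + "@" + netloc.rsplit("@", 1)[1]
    query = [(k, MASK if any(h in k.lower() for h in SECRET_QUERY_HINTS) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query, safe="*"), parts.fragment))


def redact(obj):
    """Return a redacted copy of a nested dict/list structure."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    return redact_url(obj)


# Constructed sample in the shape of a parsed polling.yaml (not real data).
POLLING_CFG = {"sources": [{
    "name": "hw", "interval": 600, "meters": ["hardware.cpu.*"],
    "resources": ["snmp://monitor:S3cr3t@10.0.0.5:161/"
                  "?priv_password=Pr1v&auth_proto=sha"],
}]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Log only the redacted copy, and at DEBUG rather than INFO.
    logging.getLogger("polling").debug("Polling config: %s", redact(POLLING_CFG))
```
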


