[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file
Ubuntu Foundations Team Bug Bot
1811098 at bugs.launchpad.net
Sat Jan 12 00:22:16 UTC 2019
The attachment "lp1811098-stein.debdiff" seems to be a debdiff. The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff. If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe
the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1811098
Title:
[SRU] ceilometer writing snmp credentials to log file
Status in Ceilometer:
In Progress
Status in Ubuntu Cloud Archive:
New
Status in ceilometer package in Ubuntu:
New
Bug description:
The ceilometer-agent-central is always writing the contents of
polling.yaml to its log file (and as INFO) [1].

This presents a security risk if e.g. resources contain sensitive
information like when specifying snmp targets with the url containing
the username, password etc.

There are a couple of ways we could solve this, namely: (1) don't log
this info at all, (2) sanitise the contents prior to logging as DEBUG,
(3) switch to using config for the snmp credentials in a similar way
to how the Triple0Discoverer does it [2] - this would only support
having the same creds everywhere though, which may not be desirable.

[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24
To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1811098/+subscriptions
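
Option (2) from the bug description, sketched as an added example; it is not ceilometer's code and not the attached debdiff. It masks URL userinfo and secret-looking query parameters in a loaded polling config before logging it at DEBUG; the `SECRET_PARAMS` names, the function names and the sample config are assumptions constructed for illustration.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"
# Hypothetical names of secret-bearing query parameters; adjust per deployment.
SECRET_PARAMS = {"password", "auth_key", "priv_key", "community"}


def redact_url(value):
    """Mask userinfo and secret query parameters in a URL-like string."""
    if not isinstance(value, str) or "://" not in value:
        return value  # meter names, intervals, etc. pass through untouched
    try:
        parts = urlsplit(value)
    except ValueError:
        return MASK  # unparseable URL: fail closed
    if "@" in value and "@" not in parts.netloc:
        # e.g. an unescaped "/" in the password: the split cannot be trusted
        return parts.scheme + "://" + MASK
    netloc = parts.netloc
    if "@" in netloc:
        netloc = MASK + "@" + netloc.rsplit("@", 1)[1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = urlencode(
        [(k, MASK if k.lower() in SECRET_PARAMS else v) for k, v in pairs])
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def sanitize(cfg):
    """Return a redacted copy of a nested config; the input is not modified."""
    if isinstance(cfg, dict):
        return {k: sanitize(v) for k, v in cfg.items()}
    if isinstance(cfg, list):
        return [sanitize(v) for v in cfg]
    return redact_url(cfg)


def log_polling_config(cfg, logger=logging.getLogger(__name__)):
    """Log only the redacted copy, at DEBUG rather than INFO."""
    safe = sanitize(cfg)
    logger.debug("Polling config: %s", safe)
    return safe


# Constructed sample, shaped like a parsed polling.yaml with SNMP resources.
SAMPLE = {"sources": [{"name": "hw", "interval": 600, "meters": ["hardware.*"],
                       "resources": ["snmp://admin:s3cret@192.0.2.10:161",
                                     "snmp://192.0.2.11?auth_key=k1&priv_key=k2"]}]}
```
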