Sensitive error messages are alarming

Bug #1322187 reported by Dolph Mathews
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  Low         Dolph Mathews

Bug Description

Keystone raises fairly transparent error messages to the API in debug mode to allow deployers to debug deployment issues, etc, without facing unnecessary hurdles (for example, we expose details of password failures and detailed SQL exceptions). Disabling debug mode replaces those error messages with completely opaque Unauthorized / Forbidden / Unexpected error messages.

Unfortunately the transparent messages are alarming to those who don't realize they can be easily suppressed. To correct this, these error messages should self-document their conditional behavior.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/94871

Changed in keystone:
status: Triaged → In Progress
Rob Crittenden (rcritten) wrote :

Would it be better to always suppress these messages and only log the details on the Keystone server?

Could this lead to disclosure if one needs to diagnose a problem on a production system by putting Keystone into debug mode temporarily?
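The pattern discussed in the report and in the comment above, as an added Python example that is not Keystone's own code: the full failure detail is always written to the server log with a request id, while the client only sees it in debug mode, and then with a hint that the detail can be suppressed. The function name, the opaque message texts, the hint wording and the constructed request id are assumptions for illustration.

```python
import logging

LOG = logging.getLogger("identity.errors")


class _ListHandler(logging.Handler):
    """Keeps emitted log lines in memory so the behaviour can be checked offline."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record.getMessage())


SERVER_LOG = _ListHandler()
LOG.addHandler(SERVER_LOG)
LOG.setLevel(logging.ERROR)
LOG.propagate = False  # keep the demo quiet on stderr

# Hint appended in debug mode, so the transparent message documents itself
# (wording assumed; modelled on the behaviour the fix introduces).
_DEBUG_HINT = " (Disable debug mode to suppress these details.)"

# Opaque messages returned when debug mode is off (texts assumed).
_OPAQUE = {
    401: "The request you have made requires authentication.",
    403: "You are not authorized to perform the requested action.",
    500: "An unexpected error prevented the server from fulfilling your request.",
}


def render_error(status, detail, debug, request_id="req-constructed-0001"):
    """Return the message body a client should see for a failed request.

    The detailed reason is logged server-side unconditionally, keyed by the
    request id so an operator can correlate a client report with the log
    without ever turning debug mode on. Only in debug mode is the detail
    echoed back to the client, and then with the self-documenting hint.
    """
    LOG.error("%s status=%d detail=%s", request_id, status, detail)
    if debug:
        return detail + _DEBUG_HINT
    # Unknown status codes fall back to the generic "unexpected error" text
    # rather than leaking anything about the failure class.
    return _OPAQUE.get(status, _OPAQUE[500])


def render_exception(exc, debug, request_id="req-constructed-0002"):
    """Map an exception to (status, client_message) using render_error.

    Hypothetical classification: a PermissionError becomes 403, a ValueError
    (e.g. a bad credential) becomes 401, anything else becomes 500. The
    exception text, which may contain SQL or password details, is what gets
    hidden behind the opaque message when debug is off.
    """
    if isinstance(exc, PermissionError):
        status = 403
    elif isinstance(exc, ValueError):
        status = 401
    else:
        status = 500
    return status, render_error(status, str(exc), debug, request_id)


if __name__ == "__main__":
    # Constructed failure detail of the kind the report says debug mode exposes.
    detail = "Invalid password for user alice (constructed example)"
    print("debug on :", render_error(401, detail, debug=True))
    print("debug off:", render_error(401, detail, debug=False))
    print("server log:", SERVER_LOG.records)
```

Running the script shows the same failure rendered twice: once with the detail and hint, once as the opaque 401 text, while both attempts land in the in-memory server log with their request ids.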

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/94871
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5c9ec48f255721bd38ef0c063abe8887a9368a6f
Submitter: Jenkins
Branch: master

commit 5c9ec48f255721bd38ef0c063abe8887a9368a6f
Author: Dolph Mathews <email address hidden>
Date: Thu May 22 08:57:48 2014 -0500

    indicate that sensitive messages can be disabled

    Change-Id: I5b52ebe996457f2766939e1a66dbeed3dc5869c4
    Closes-Bug: 1322187

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-1 → 2014.2