Merge "Fix several instances of chap secret being output to logs."

2017-12-14 00:29:53 +00:00 · 2017-12-14 00:29:53 +00:00 · 02f589f45e
parent 195dc79d7b 46f26084ce
commit 02f589f45e
7 changed files with 26 additions and 12 deletions
--- a/cinder/volume/drivers/dell_emc/xtremio.py
+++ b/cinder/volume/drivers/dell_emc/xtremio.py
@ -134,7 +134,8 @@ class XtremIOClient(object):
                self.update_url(params, self.cluster_id)
            if method != 'GET':
                self.update_data(data, self.cluster_id)
-                LOG.debug('data: %s', data)
+                # data may include chap password
+                LOG.debug('data: %s', strutils.mask_password(data))
            LOG.debug('%(type)s %(url)s', {'type': method, 'url': url})
            try:
                response = requests.request(
--- a/cinder/volume/drivers/dothill/dothill_client.py
+++ b/cinder/volume/drivers/dothill/dothill_client.py
@ -21,6 +21,7 @@ import time

 from lxml import etree
 from oslo_log import log as logging
+from oslo_utils import strutils
 from oslo_utils import units
 import requests
 import six
@ -206,8 +207,9 @@ class DotHillClient(object):
        If the status is OK, returns the XML data for further processing.
        """
        url = self._build_request_url(path, *args, **kargs)
-        LOG.debug("Array Request URL: %s (session %s)",
-                  url, self._session_key)
+        # Don't log the created URL since it may contain chap secret
+        LOG.debug("Array Request path: %s, args: %s, kargs: %s (session %s)",
+                  path, args, strutils.mask_password(kargs), self._session_key)
        headers = {'dataType': 'api', 'sessionKey': self._session_key}
        try:
            xml = requests.get(url, headers=headers,
--- a/cinder/volume/drivers/huawei/huawei_driver.py
+++ b/cinder/volume/drivers/huawei/huawei_driver.py
@ -23,6 +23,7 @@ import uuid
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
+from oslo_utils import strutils
 from oslo_utils import units

 from cinder import context
@ -1981,7 +1982,7 @@ class HuaweiISCSIDriver(HuaweiBaseDriver, driver.ISCSIDriver):
            properties['auth_password'] = chap_password

        LOG.info("initialize_connection success. Return data: %s.",
-                 properties)
+                 strutils.mask_password(properties))
        return {'driver_volume_type': 'iscsi', 'data': properties}

    @coordination.synchronized('huawei-mapping-{connector[host]}')
--- a/cinder/volume/drivers/ibm/storwize_svc/storwize_svc_common.py
+++ b/cinder/volume/drivers/ibm/storwize_svc/storwize_svc_common.py
@ -163,12 +163,14 @@ class StorwizeSSH(object):
        return CLIResponse(raw, ssh_cmd=ssh_cmd, delim=delim,
                           with_header=with_header)

-    def run_ssh_assert_no_output(self, ssh_cmd):
+    def run_ssh_assert_no_output(self, ssh_cmd, log_cmd=None):
        """Run an SSH command and assert no output returned."""
        out, err = self._run_ssh(ssh_cmd)
        if len(out.strip()) != 0:
+            if not log_cmd:
+                log_cmd = ' '.join(ssh_cmd)
            msg = (_('Expected no output from CLI command %(cmd)s, '
-                     'got %(out)s.') % {'cmd': ' '.join(ssh_cmd), 'out': out})
+                     'got %(out)s.') % {'cmd': log_cmd, 'out': out})
            LOG.error(msg)
            raise exception.VolumeBackendAPIException(data=msg)

@ -256,7 +258,8 @@ class StorwizeSSH(object):

    def add_chap_secret(self, secret, host):
        ssh_cmd = ['svctask', 'chhost', '-chapsecret', secret, '"%s"' % host]
-        self.run_ssh_assert_no_output(ssh_cmd)
+        log_cmd = 'svctask chhost -chapsecret *** %s' % host
+        self.run_ssh_assert_no_output(ssh_cmd, log_cmd)

    def lsiscsiauth(self):
        ssh_cmd = ['svcinfo', 'lsiscsiauth', '-delim', '!']
--- a/cinder/volume/drivers/ibm/storwize_svc/storwize_svc_iscsi.py
+++ b/cinder/volume/drivers/ibm/storwize_svc/storwize_svc_iscsi.py
@ -38,6 +38,7 @@ import collections
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
+from oslo_utils import strutils

 from cinder import exception
 from cinder.i18n import _
@ -200,10 +201,11 @@ class StorwizeSVCISCSIDriver(storwize_common.StorwizeSVCCommonDriver):
                          '%(conn)s.\n', {'vol': volume,
                                          'conn': connector})

+        # properties may contain chap secret so must be masked
        LOG.debug('leave: initialize_connection:\n volume: %(vol)s\n '
                  'connector: %(conn)s\n properties: %(prop)s',
                  {'vol': volume.id, 'conn': connector,
-                   'prop': properties})
+                   'prop': strutils.mask_password(properties)})

        return {'driver_volume_type': 'iscsi', 'data': properties, }

@ -285,11 +287,12 @@ class StorwizeSVCISCSIDriver(storwize_common.StorwizeSVCCommonDriver):
                              discovery_auth_method='CHAP',
                              discovery_auth_username=connector['initiator'],
                              discovery_auth_password=chap_secret)
+        # properties may contain chap secret so must be masked
        LOG.debug('leave: _get_single_iscsi_data:\n volume: %(vol)s\n '
                  'connector: %(conn)s\n lun_id: %(lun_id)s\n '
                  'properties: %(prop)s',
                  {'vol': volume.id, 'conn': connector, 'lun_id': lun_id,
-                   'prop': properties})
+                   'prop': strutils.mask_password(properties)})
        return properties

    def _get_multi_iscsi_data(self, volume, connector, lun_id, properties,
@ -335,11 +338,12 @@ class StorwizeSVCISCSIDriver(storwize_common.StorwizeSVCCommonDriver):
            LOG.error(msg)
            raise exception.VolumeBackendAPIException(data=msg)

+        # properties may contain chap secret so must be masked
        LOG.debug('leave: _get_multi_iscsi_data:\n volume: %(vol)s\n '
                  'connector: %(conn)s\n lun_id: %(lun_id)s\n '
                  'properties: %(prop)s',
                  {'vol': volume.id, 'conn': connector, 'lun_id': lun_id,
-                   'prop': properties})
+                   'prop': strutils.mask_password(properties)})

        return properties

--- a/cinder/volume/drivers/zadara.py
+++ b/cinder/volume/drivers/zadara.py
@ -21,6 +21,7 @@ This driver requires VPSA with API version 15.07 or higher.
 from lxml import etree
 from oslo_config import cfg
 from oslo_log import log as logging
+from oslo_utils import strutils
 import requests
 import six

@ -645,7 +646,7 @@ class ZadaraVPSAISCSIDriver(driver.ISCSIDriver):
        properties['auth_password'] = ctrl['chap_passwd']

        LOG.debug('Attach properties: %(properties)s',
-                  {'properties': properties})
+                  {'properties': strutils.mask_password(properties)})
        return {'driver_volume_type':
                ('iser' if (self.configuration.safe_get('zadara_use_iser'))
                 else 'iscsi'), 'data': properties}
--- a/cinder/volume/drivers/zfssa/restclient.py
+++ b/cinder/volume/drivers/zfssa/restclient.py
@ -20,6 +20,7 @@ import ssl
 import time

 from oslo_log import log
+from oslo_utils import strutils
 import six
 from six.moves import http_client
 from six.moves import urllib
@ -272,7 +273,8 @@ class RestClientURL(object):
                  {'request': request, 'url': zfssaurl})
        LOG.debug('Out headers: %s', out_hdrs)
        if body and body != '':
-            LOG.debug('Body: %s', body)
+            # body may contain chap secret so must be masked
+            LOG.debug('Body: %s', strutils.mask_password(body))

        context = None
        if hasattr(ssl, '_create_unverified_context'):