Description
S3 credentials used to create a Secondary Storage instance are leaked to the following files:
- /var/log/cloudstack/management/access.log
- /var/log/cloudstack/management/management-server.log
Although debug mode is enabled, I don't recommend logging secrets like S3 credentials.
Example entry containing the S3 credentials (sensitive information is redacted):
2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] (pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command "DownloadCommand" [
{
"hvm": false,
"description": "SystemVM Template (KVM)",
"checksum": "6bb8edf3c062ed5625a3a8f17b3eedc9",
"maxDownloadSizeInBytes": 53687091200,
"id": 3,
"resourceType": "TEMPLATE",
"installPath": "template/tmpl/1/3/routing-3",
"_store": {
"id": 2,
"uuid": "0f1bd354-0dc3-4e65-a370-6b02acec0735",
"accessKey": "<redacted>",
"secretKey": "<redacted>",
"endPoint": "http://<redacted>",
"bucketName": "cloudstack",
"httpsFlag": false,
"created": "Feb 6, 2025, 3:50:27 PM",
"enableRRS": false,
"maxSingleUploadSizeInBytes": 5368709120
},
"followRedirects": false,
"url": "https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.0-x86_64-kvm.qcow2.bz2",
"format": "QCOW2",
"accountId": 1,
"name": "routing-3",
"contextMap": {},
"wait": 0,
"bypassHostMaintenance": false
}
]
Versions
CloudStack: 4.20.0.0
Hypervisor: KVM
Secondary Storage: Ceph RGW S3
Distro: Ubuntu 22.04 LTS
The steps to reproduce the bug
- Deploy CloudStack Management server version 4.20.0.0
- Create a Secondary Storage using S3 credentials (accessKey and secretKey)
- Grep the log file directory for the secret key:
grep <secretKey> -R /var/log/cloudstack/management/{access,management-server}.log
What to do about it?
Redact at least the secretKey from the log entry.
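The following is an added example, not CloudStack's own code (the real fix belongs in the Java serialization path that builds the "Executing command" debug line). It shows the redaction the issue asks for, applied to a constructed log line of the same shape as the one above, and doubles as a detection pass over a log file: every sensitive field that still carries a real value is reported with its JSON path. The sample line, the fake credential values, the example endpoint host, and the choice to redact accessKey alongside secretKey are all assumptions made for this example.

```python
import json
import re

# Keys whose values must never reach a log. "secretKey" is the one the issue asks
# to redact; "accessKey" is included here as an assumption, because an access key
# identifies the principal and is also worth keeping out of logs.
SENSITIVE_KEYS = {"secretKey", "accessKey"}
REDACTED = "<redacted>"

# Constructed sample line resembling the management-server.log entry in the issue.
# The accessKey / secretKey values below are fake and exist only for this example.
SAMPLE_LOG_LINE = (
    '2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] '
    '(pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command '
    '"DownloadCommand" [{"id": 3, "resourceType": "TEMPLATE", "_store": '
    '{"id": 2, "accessKey": "AKIAEXAMPLEKEY000001", '
    '"secretKey": "ExampleSecret/Key+NotReal0123456789abcdef", '
    '"endPoint": "http://rgw.example.internal", "bucketName": "cloudstack", '
    '"httpsFlag": false}, "url": "https://download.cloudstack.org/systemvm/'
    '4.20/systemvmtemplate-4.20.0-x86_64-kvm.qcow2.bz2", "name": "routing-3"}]'
)


def _redact(obj, findings, path=""):
    """Recursively copy obj, replacing string values of sensitive keys.

    Every replaced (json_path, original_value) pair is appended to findings so
    the caller knows what leaked; values already equal to REDACTED are skipped.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and isinstance(value, str) and value != REDACTED:
                findings.append((here, value))
                out[key] = REDACTED
            else:
                out[key] = _redact(value, findings, here)
        return out
    if isinstance(obj, list):
        return [_redact(v, findings, f"{path}[{i}]") for i, v in enumerate(obj)]
    return obj


def _find_json(line):
    """Locate the first well-formed JSON object or array embedded in a log line.

    Returns (start, end, parsed_value) or None. Bracketed log fields such as
    "[ctx-5601ecaa]" are not valid JSON, so raw_decode rejects them and the scan
    moves on to the command payload.
    """
    decoder = json.JSONDecoder()
    for match in re.finditer(r"[\[{]", line):
        try:
            value, end = decoder.raw_decode(line, match.start())
        except json.JSONDecodeError:
            continue
        if isinstance(value, (dict, list)):
            return match.start(), end, value
    return None


def redact_log_line(line):
    """Return (redacted_line, findings) for one log line.

    Lines with no embedded JSON payload come back unchanged with no findings;
    otherwise the payload is re-serialised with sensitive values replaced.
    """
    found = _find_json(line)
    if found is None:
        return line, []
    start, end, value = found
    findings = []
    clean = _redact(value, findings)
    return line[:start] + json.dumps(clean) + line[end:], findings


def find_leaks(lines):
    """Detection pass over a log file: list (line_number, json_path) for every
    sensitive field that still carries a real (unredacted) value."""
    leaks = []
    for number, line in enumerate(lines, 1):
        _, findings = redact_log_line(line)
        leaks.extend((number, path) for path, _ in findings)
    return leaks


if __name__ == "__main__":
    redacted, hits = redact_log_line(SAMPLE_LOG_LINE)
    for path, _ in hits:
        print(f"leaked credential at {path}")
    print(redacted)
```

Run against a real file with `find_leaks(open("/var/log/cloudstack/management/management-server.log"))` to confirm whether a deployment is affected; the grep in the reproduction steps answers the same question for one known key, while this pass flags any value under a sensitive key without knowing it in advance.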
boring-cyborg commented on Feb 6, 2025
Thanks for opening your first issue here! Be sure to follow the issue template!
jerome079 commented on Apr 4, 2025
Hi, @bradywilkin and I are students at the University of Texas at Austin. As part of our virtualization class, we would like to contribute to Apache Cloudstack and resolve this issue.
DaanHoogland commented on Apr 7, 2025
@jerome079 @bradywilkin, you are very welcome. Please add a PR towards the 4.20 branch and ping the author (and others) for testing and reviews.