Details
Critical Description
For cifs, addImageStore are currently logging everything including username, password and domain in clear text in the logs, which are specified in query parameter url for the image store.
Here's an extract from the logs: (obscured actual pwd)
2013-11-26 12:03:35,703 DEBUG [c.c.a.ApiServlet] (catalina-exec-13:ctx-f0723f52) ===START=== 10.104.255.45 – GET command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXXXX%40123%26domain%3DBLR&_=1385447356899
2013-11-26 12:03:35,741 INFO [o.a.c.s.d.l.CloudStackImageStoreLifeCycleImpl] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) Trying to add a new data store at cifs://10.102.192.150/SMB-Share/sowmya/secondary?user=sowmya&password=XXX@123&domain=BLR to data center 1
2013-11-26 12:03:35,776 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) foundUser istrue
2013-11-26 12:03:35,777 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) foundPswd istrue
2013-11-26 12:03:36,011 DEBUG [c.c.a.ApiServlet] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) ===END=== 10.104.255.45 – GET command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXX%40123%26domain%3DBLR&_=1385447356899