The server fault "message" is always shown in the API
server response, regardless of policy or user role.
The fault "details" are only shown to users with the
admin role when the fault code is 500.
The problem with this is for non-nova exceptions, the
fault message is a string-ified version of the exception
(see nova.compute.utils.exception_to_dict) which can
contain sensitive information which the non-admin owner
of the server can see.
This change adds a functional test to recreate the issue
and a change to exception_to_dict which for the non-nova
case changes the fault message by simply storing the
exception type class name. Admins can still see the fault
traceback in the "details" key of the fault dict in the
server API response. Note that _get_fault_details is
changed so that the details also includes the exception
value which is what used to be in the fault message for
non-nova exceptions. This is necessary so admins can still
get the exception message with the traceback details.
Note that nova exceptions with a %(reason)s replacement
variable could potentially be leaking sensitive details as
well but those would need to be cleaned up on a case-by-case
basis since we don't want to change the behavior of all
fault messages otherwise users might not see information
like NoValidHost when their server goes to ERROR status
during scheduling.
SecurityImpact: This change contains a fix for CVE-2019-14433.
NOTE(mriedem): The functional test imports change here
because Idaed39629095f86d24a54334c699a26c218c6593 is not
in Rocky so the PlacementFixture comes from nova_fixtures.
Change-Id: I5e0a43ec59341c9ac62f89105ddf82c4a014df81
Closes-Bug: #1837877
(cherry picked from commit 298b337a16)
(cherry picked from commit 6765188116)
e0b91a5b1e