[openstack-dev] passwords in logs --security related

Sandy Walsh sandy.walsh at RACKSPACE.COM
Tue Apr 23 11:34:16 UTC 2013

Yeah, I've submitted a bunch of patches to the exception decorator and notification code to strip passwords/tokens from leaking into events. 

I think we should consider creating an object for sensitive material that can hide itself when needed. All this raw-string stuff is unmanageable. It could live in Oslo.


From: Steven Hardy [shardy at redhat.com]
Sent: Monday, April 22, 2013 9:55 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] passwords in logs --security related

On Mon, Apr 22, 2013 at 02:11:08PM +0200, Thierry Carrez wrote:
> Dolph Mathews wrote:
> > 1) passwords are currently logged by keystone when you enable debug mode
> > (and there's a big warning in the sample.conf about passwords in plain text)
> It still probably makes sense to mask them.

Agree, although note this is not a problem specific to keystone; it seems
that every request containing context gets printed when using the oslo amqp
implementation with debug logging enabled:



I've just raised:


> > 3) if any other service is handling passwords, then we're doing
> > something very wrong
> Some other services peruse external credentials, for example for storage
> backends.
> > I don't see a reason for anything to go into oslo?
> I think his idea was to filter the thing generically in oslo's log.py...
> I agree that this password log filter in particular is very
> keystone-specific, so probably not very reusable.

Seems like (for the RPC code at least) the _safe_log() function is supposed
to do this, only it doesn't seem to be sanitising all potentially sensitive
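The two approaches discussed in this thread (a sanitising pass over the RPC message before it is logged, and a wrapper object for sensitive material that hides itself when rendered) can be shown side by side. The following is an added example written for this page; it is not Oslo, Keystone or Heat code, and the key list, the `Secret` class, the `_context_*` envelope layout and the sample message are all assumptions constructed for illustration.

```python
"""Keeping credentials out of debug logs: a sanitiser plus a self-hiding wrapper.

Added example, not Oslo/Keystone code. SENSITIVE_KEYS, Secret, and the
SAMPLE_MESSAGE envelope below are assumptions made for this illustration.
"""
import logging

MASK = "***"

# Assumed key names whose values must never reach a log line. Matching is on
# the last '_'-separated component so '_context_auth_token' and
# 'admin_password' are caught without enumerating every prefix.
SENSITIVE_KEYS = frozenset({"password", "token", "auth_token", "secret"})


class Secret(object):
    """Wrapper for sensitive material that masks itself in str()/repr().

    Log formatting ('%s' % ctx), traceback rendering and repr() of any
    containing dict all go through __repr__, so the raw value only leaves
    the object through an explicit reveal() call.
    """

    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def reveal(self):
        """Explicit, greppable access to the real value."""
        return self._value

    def __repr__(self):
        return MASK

    __str__ = __repr__


def _is_sensitive_key(key):
    name = str(key).lower()
    return any(name == k or name.endswith("_" + k) for k in SENSITIVE_KEYS)


def sanitize(obj):
    """Return a copy of obj with sensitive values replaced by MASK.

    Walks nested dicts, lists and tuples so a whole RPC envelope (method,
    args and flattened '_context_*' keys) can be passed in, which is what a
    _safe_log()-style helper needs to do. The input is never mutated.
    """
    if isinstance(obj, Secret):
        return MASK
    if isinstance(obj, dict):
        return {k: (MASK if _is_sensitive_key(k) else sanitize(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(sanitize(v) for v in obj)
    return obj


def safe_log(log_func, msg, data):
    """Log msg % data only after data has been sanitised."""
    log_func(msg, sanitize(data))


# Constructed sample of an RPC message with the request context flattened
# into '_context_*' keys and a backend credential nested inside args.
SAMPLE_MESSAGE = {
    "method": "create_volume",
    "args": {
        "name": "vol1",
        "connection": {"user": "admin", "password": "hunter2"},
    },
    "_context_user": "demo",
    "_context_auth_token": "tok-abc123",  # constructed, not a real token
    "_context_project_id": "p1",
}


def demo():
    """Log the sample message safely and return what was actually logged."""
    clean = sanitize(SAMPLE_MESSAGE)
    safe_log(logging.getLogger(__name__).debug, "received %s", SAMPLE_MESSAGE)
    return clean


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
    print({"password": Secret("hunter2")})  # prints {'password': ***}
```

`sanitize()` covers the case Steven raises (values already sitting in a plain dict by the time the RPC layer logs them), while `Secret` covers Sandy's proposal: a value that is wrapped at the point it is read from config or a request can be passed through any number of string-formatting paths without the formatting code needing to know it is sensitive. The two compose, since `sanitize()` masks `Secret` instances wherever they appear.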

