[openstack-dev] masking X-Auth-Token in debug output - proposed consistency

Morgan Fainberg morgan.fainberg at gmail.com
Fri Sep 12 00:46:11 UTC 2014


Hi Travis,

By and large we have addressed this in the Session code within Keystoneclient via the function here (and other similar cases): https://github.com/openstack/python-keystoneclient/blob/01cabf6bbbee8b5340295f3be5e1fa7111387e7d/keystoneclient/session.py#L126-L131

If/when Glanceclient is moved to consuming the session code, it should help alleviate the issues with printing the token IDs in the logs themselves.

Along with the changes for the session code, all tokens issued from Keystone (Juno and beyond) will also include audit_id fields that are safe to use in logging (they are part of the token data). There are two elements to the audit_ids field: the first (which will always exist) is the local token’s audit_id (audit ids are randomly generated and should be considered as globally unique as a UUID). The second element will exist if the token has ever been part of a rescope (exchange of a token for another token of a different scope, e.g. changing to a new project/tenant). The second audit_id is the audit_id of the first token in the chain (unique for the entire chain of tokens).

I don’t believe we’re exposing the audit_ids yet to the services behind the auth_token middleware nor using them for logging in cases such as the above linked logging function. I would like to eventually see the audit_ids used (where they exist) for logging cases like this.

I’m sure Jamie Lennox can chime in and provide a bit more insight as to the status of converting Glanceclient to using session as I know he’s been working on the client front in this regard. I hope that sometime within the K development cycle timeline we will be converting the logging over to audit_ids where possible (but that has not been 100% decided on).

Cheers,
Morgan

—
Morgan Fainberg


-----Original Message-----
From: Tripp, Travis S <travis.tripp at hp.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Date: September 11, 2014 at 17:35:30
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject: [openstack-dev] masking X-Auth-Token in debug output - proposed consistency

> Hi All,
>
> I'm just helping with bug triage in Glance and we've got a bug to update how tokens are redacted in the glanceclient [1]. It says to update to whatever cross-project approach is agreed upon and references this thread:
>
> http://lists.openstack.org/pipermail/openstack-dev/2014-June/037345.html
>
> I just went through the thread and as best as I can tell there wasn't a conclusion in the ML. However, if we are going to do anything, IMO the thread leans toward {SHA1}, with Morgan Fainberg dissenting. However, he references a patch that was ultimately abandoned.
>
> If there was a conclusion to this, please let me know so I can update and work on closing this bug.
>
> [1] https://bugs.launchpad.net/python-glanceclient/+bug/1329301
>
> Thanks,
> Travis
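An illustration of the two masking strategies this thread discusses, the `{SHA1}` digest of the token for debug output and, where the token body carries them, the audit_ids Morgan describes. This is example code added here, not the keystoneclient session code or the glanceclient patch; the function names, the inclusion of X-Subject-Token, and the sample token and audit_id values are assumptions.

```python
import hashlib
import logging

# Header names whose values must never reach the logs in clear text.
# X-Subject-Token is an assumption; the thread itself only names X-Auth-Token.
SECRET_HEADERS = ("X-Auth-Token", "X-Subject-Token")


def hash_token(token):
    """Return the {SHA1}-prefixed digest the thread leans toward.

    The prefix marks the value as a digest so it is not mistaken for a
    usable token, while two log lines can still be correlated by it.
    """
    digest = hashlib.sha1(token.encode("utf-8")).hexdigest()
    return "{SHA1}%s" % digest


def safe_token_repr(token, token_data=None):
    """Pick a log-safe name for a token.

    Prefer the audit_ids from the token body (Keystone Juno and later):
    element 0 is the token's own audit_id; element 1, present only after a
    rescope, is the audit_id of the first token in the chain.  Fall back to
    the hashed token when no audit_ids are available.
    """
    audit_ids = (token_data or {}).get("audit_ids") or []
    if audit_ids:
        parts = ["audit_id=%s" % audit_ids[0]]
        if len(audit_ids) > 1:
            parts.append("chain=%s" % audit_ids[1])
        return " ".join(parts)
    return hash_token(token)


def mask_headers(headers):
    """Return a copy of headers with secret header values replaced by digests."""
    masked = dict(headers)
    for name in SECRET_HEADERS:
        if name in masked:
            masked[name] = hash_token(masked[name])
    return masked


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    # Constructed sample request; the token value is made up.
    headers = {"X-Auth-Token": "9f2c0b1e4a5d6c7b8a9f0e1d2c3b4a59",
               "Content-Type": "application/json"}
    logging.debug("REQ: headers=%s", mask_headers(headers))
    # Constructed token body, as returned after a rescope (two audit_ids).
    body = {"audit_ids": ["VcxU2JYqT8OzfUVvrjEITQ", "qNUTIJntTzO1-XUk5pDLUw"]}
    logging.debug("token %s", safe_token_repr(headers["X-Auth-Token"], body))
```

Header matching here is case-sensitive; a real client would normalise header names before checking them.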