<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 18, 2015 at 9:48 AM, Ruby Loo <span dir="ltr"><<a href="mailto:rlooyahoo@gmail.com" target="_blank">rlooyahoo@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I think we all agree that it isn't OK to log credentials (like passwords) in DEBUG logs. However, what about other information that might be sensitive? A patch was recently submitted to log (in debug) the SWIFT temporary URL [1]. I agree that it would be useful for debugging, but since that temporary URL could be used (by someone that has access to the logs but no admin access to ironic/glance), e.g., for fetching private images, is it OK?</div><div><br></div><div>Even though we say that debug shouldn't be used in production, we can't enforce what folks choose to do. And we know of at least one company that runs their production environment with the debug setting. Which isn't to say we shouldn't put things in debug, but I think it would be useful to have some guidelines as to what we can safely expose or not.</div><div><br></div><div>I took a quick look at the security web page [2] but nothing jumped out at me wrt this issue.</div><div><br></div><div>Thoughts?</div><div><br></div><div>--ruby<br><div><div><br></div><div>[1] <a href="https://review.openstack.org/#/c/243141/" target="_blank">https://review.openstack.org/#/c/243141/</a></div></div></div><div>[2] <a href="https://security.openstack.org" target="_blank">https://security.openstack.org</a></div></div>
<br></blockquote><div><br></div>In this context, the URL is a time-limited access code being used in place of a password or keystone auth token to allow an unprivileged client temporary access to a specific privileged resource, without granting that client access to any other resources. In some cases, that resource might be a public Glance image and so one might say, "oh, it's not _that_ sensitive". However, the same module being affected by [1] is also used by the iLO driver to upload a temporary image containing sensitive instance-specific data.<div><br></div><div>I agree that it's not the same risk as exposing a password, but I still consider this an access token, and therefore don't think it should be written to log files, even at DEBUG.</div><div><br></div><div>-Deva </div></div><br></div></div>
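One way to get the debugging value Ruby wants without writing the access token to disk is to log the object path but mask the Swift TempURL signature. The following is an added example, not code from the Ironic patch under discussion or from Swift; the host, account and signature in the sample log line are constructed, and only the standard query parameter names (temp_url_sig, temp_url_expires) are taken from Swift's TempURL scheme.

```python
"""Redact Swift TempURL credentials before a URL reaches a DEBUG log line.

Added example (not Ironic or Swift code). A TempURL carries its
authorisation in the query string: whoever holds temp_url_sig can fetch
the object until temp_url_expires, so the full URL is a bearer token.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The parameter that turns a plain object URL into a capability.
_SECRET_PARAMS = {"temp_url_sig"}
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed sample values (hypothetical host, account and signature).
SAMPLE_URL = (
    "https://swift.example.com/v1/AUTH_abc/glance/img.qcow2"
    "?temp_url_sig=0123456789abcdef0123456789abcdef01234567"
    "&temp_url_expires=1447864800"
)
SAMPLE_LOG = "DEBUG ironic.drivers.ilo Fetching image from %s for node n1" % SAMPLE_URL


def is_temp_url(url: str) -> bool:
    """True when the URL carries a Swift TempURL signature."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return "temp_url_sig" in params


def redact_temp_url(url: str) -> str:
    """Keep the object path and expiry (useful for debugging), mask the sig."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key in _SECRET_PARAMS for key, _ in query):
        return url  # not a TempURL, nothing secret to hide
    masked = [(k, "REDACTED" if k in _SECRET_PARAMS else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def scrub_log_message(msg: str) -> str:
    """Redact every TempURL embedded anywhere in a log message."""
    return _URL_RE.sub(lambda m: redact_temp_url(m.group(0)), msg)


if __name__ == "__main__":
    print(scrub_log_message(SAMPLE_LOG))
```

The path and expiry still tell an operator which object was fetched and when the URL stopped working, while the log no longer contains anything that grants access.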