<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are four solutions to fix the below bug:<o:p></o:p></p>
<p class="MsoNormal"><a href="https://bugs.launchpad.net/keystoneauth/+bug/1638978">https://bugs.launchpad.net/keystoneauth/+bug/1638978</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1) Carry a copy of mask_password() method to keystoneauth from oslo_utils [1]:<o:p></o:p></p>
<p class="MsoNormal"><b>Pros:<o:p></o:p></b></p>
<p class="MsoNormal">A. keystoneauth will use already tested and used version of mask_password.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A. keystoneauth will have to keep the version of mask_password() method sync with oslo_utils version.
<o:p></o:p></p>
<p class="MsoNormal"> If there are any new "_SANITIZE_KEYS" added to oslo_utils mask_password then those should be added in keystoneauth mask_password also.<o:p></o:p></p>
<p class="MsoNormal">B. Copying the "mask_password" will also require to copy its supporting code [2] which is huge.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2) Use Oslo.utils mask_password() method in keystoneauth:<o:p></o:p></p>
<p class="MsoNormal"><b>Pros:<o:p></o:p></b></p>
<p class="MsoNormal">A) No synching issue as described in solution #1. keystoneauth will directly use mask_password() method from Oslo.utils.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A) You will need oslo.utils library to use keystoneauth.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Objection by community:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">- keystoneauth community don't want any dependency on any of OpenStack common oslo libraries.<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">Please refer to the comment from Morgan:
<a href="https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3">https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3) Add a custom logging filter in oslo logger<o:p></o:p></p>
<p class="MsoNormal">Please refer to POC sample here: <a href="http://paste.openstack.org/show/617093/">
http://paste.openstack.org/show/617093/</a><o:p></o:p></p>
<p class="MsoNormal">OpenStack core services using any OpenStack individual python-*client (for e.g python-cinderclient used in nova service) will need to pass oslo_logger object during it’s<o:p></o:p></p>
<p class="MsoNormal">initialization which will do the work of masking sensitive information.
<o:p></o:p></p>
<p class="MsoNormal">Note: In nova, oslo.logger object is not passed during cinder client initialization (<a href="https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L135-L141">https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L135-L141</a>),
<o:p></o:p></p>
<p class="MsoNormal">In this case, sensitive information will not be masked as it isn’t using Oslo.logger.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Pros:<o:p></o:p></b></p>
<p class="MsoNormal">A) No changes required in oslo.logger or any OpenStack services if mask_password method is modified in oslo.utils.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A) Every log message will be scanned for certain password fields degrading the performance.<o:p></o:p></p>
<p class="MsoNormal">B) If consumer of keystoneauth doesn’t use oslo_logger, then the sensitive information will not be masked.<o:p></o:p></p>
<p class="MsoNormal">C) Will need to make changes wherever applicable to the OpenStack core services to pass oslo.logger object during python-novaclient initialization.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4) Add mask_password formatter parameter in oslo_log:<o:p></o:p></p>
<p class="MsoNormal">Add "mask_password" formatter to sanitize sensitive data and pass it as a keyword argument to the log statement.<o:p></o:p></p>
<p class="MsoNormal">If the mask_password is set, then only the sensitive information will be masked at the time of logging.<o:p></o:p></p>
<p class="MsoNormal">The log statement will look like below: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">logger.debug("'adminPass': 'Now you see me'"), mask_password=True)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please refer to the POC code here: <a href="http://paste.openstack.org/show/618019/">
http://paste.openstack.org/show/618019/</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Pros: <o:p></o:p></b></p>
<p class="MsoNormal">A) No changes required in oslo.logger or any OpenStack services if mask_password method is modified in oslo.utils.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A) If consumer of keystoneauth doesn’t use oslo_logger, then the sensitive information will not be masked.<o:p></o:p></p>
<p class="MsoNormal">B) If you forget to pass mask_password=True for logging messages where sensitive information is present, then those fields won't be masked with ***.
<o:p></o:p></p>
<p class="MsoNormal"> But this can be clearly documented as suggested by Morgan and Lance.<o:p></o:p></p>
<p class="MsoNormal">C) This solution requires you to add a below check in keystoneauth to avoid from an exception being raised in case logger is pure python Logger as it
<o:p></o:p></p>
<p class="MsoNormal"> doesn’t accept mask_password keyword argument.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">if isinstance(logger, logging.Logger):<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> logger.debug(' '.join(string_parts))<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">else:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> logger.debug(' '.join(string_parts), mask_password=True)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This check assumes that the logger instance will be oslo_log only if it is not of python default logging.Logger.<o:p></o:p></p>
<p class="MsoNormal">Keystoneauth community is not ready to have any dependency on any oslo-* lib, so it seems this solution has low acceptance chances.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please let me know your opinions about the above four approaches. Which one should we adopt?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[1] <a href="https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L248-L313">
https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L248-L313</a><o:p></o:p></p>
<p class="MsoNormal">[2] <a href="https://github.com/openstack/oslo.utils/blob/6e04f882c4308ff64fa199d1b127ad225e0a30c4/oslo_utils/strutils.py#L56-L96">
https://github.com/openstack/oslo.utils/blob/6e04f882c4308ff64fa199d1b127ad225e0a30c4/oslo_utils/strutils.py#L56-L96</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Thanks and Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Dinesh Bhor</span></b><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"> | App. Software Dev. Cnslt.<b><o:p></o:p></b></span></p>
<p class="MsoNormal" style="margin-bottom:6.0pt"><u><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3F16EE"><a href="mailto:dinesh.bhor@nttdata.com">dinesh.bhor@nttdata.com</a></span></u><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">
</span><b><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">| VOIP. 8833.8395I
</span></b><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">|
</span><span lang="EN-IN" style="color:#1F497D"><a href="http://nttdata.com/americas"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#6785C1">nttdata.com/americas</span></a></span><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#090909"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">NTT DATA, Inc.</span></b><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Consulting | Digital | Managed Services | Industry Solutions<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IN" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">Learn more:<o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:1.0pt">
<td width="34" valign="top" style="width:25.4pt;padding:0in 2.9pt 0in 0in;height:1.0pt">
<p class="MsoNormal"><a href="http://americas.nttdata.com/"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img border="0" width="29" height="29" id="Picture_x0020_8" src="cid:image001.jpg@01D337B3.2CC8D7F0" alt="Description: Description: cid:image005.jpg@01D193F0.F70B44C0"></span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="34" valign="top" style="width:25.4pt;padding:0in 2.9pt 0in 0in;height:1.0pt">
<p class="MsoNormal"><a href="http://www.linkedin.com/company/ntt-data-americas"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img border="0" width="29" height="29" id="Picture_x0020_7" src="cid:image002.jpg@01D337B3.2CC8D7F0" alt="Description: Description: cid:image009.jpg@01D193F0.F70B44C0"></span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="34" valign="top" style="width:25.4pt;padding:0in 2.9pt 0in 0in;height:1.0pt">
<p class="MsoNormal"><a href="https://twitter.com/NTTDATAAmericas"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img border="0" width="29" height="29" id="Picture_x0020_6" src="cid:image003.jpg@01D337B3.2CC8D7F0" alt="Description: Description: cid:image010.jpg@01D193F0.F70B44C0"></span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="34" valign="top" style="width:25.4pt;padding:0in 2.9pt 0in 0in;height:1.0pt">
<p class="MsoNormal"><a href="https://www.facebook.com/NTTDATAAmericas"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img border="0" width="29" height="29" id="Picture_x0020_5" src="cid:image004.jpg@01D337B3.2CC8D7F0" alt="Description: Description: cid:image011.jpg@01D193F0.F70B44C0"></span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br clear="both">
______________________________________________________________________<BR>
Disclaimer: This email and any attachments are sent in strictest confidence<BR>
for the sole use of the addressee and may contain legally privileged,<BR>
confidential, and proprietary data. If you are not the intended recipient,<BR>
please advise the sender by replying promptly to this email and then delete<BR>
and destroy this email and any attachments without any further use, copying<BR>
or forwarding.<BR>
</body>
</html>