<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 09/27/2017 06:38 AM, Bhor, Dinesh
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN6PR12MB19391D7BDC59EA8C419318F1EF780@BN6PR12MB1939.namprd12.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are four solutions to fix the below
bug:<o:p></o:p></p>
<p class="MsoNormal"><a
href="https://bugs.launchpad.net/keystoneauth/+bug/1638978"
moz-do-not-send="true">https://bugs.launchpad.net/keystoneauth/+bug/1638978</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1) Carry a copy of mask_password() method
to keystoneauth from oslo_utils [1]:<o:p></o:p></p>
<p class="MsoNormal"><b>Pros:<o:p></o:p></b></p>
<p class="MsoNormal">A. keystoneauth will use already tested and
used version of mask_password.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A. keystoneauth will have to keep the
version of mask_password() method sync with oslo_utils
version.
<o:p></o:p></p>
<p class="MsoNormal"> If there are any new "_SANITIZE_KEYS"
added to oslo_utils mask_password then those should be added
in keystoneauth mask_password also.<o:p></o:p></p>
<p class="MsoNormal">B. Copying the "mask_password" will also
require to copy its supporting code [2] which is huge.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
I'm having flashbacks of the oslo-incubator days...<br>
<br>
<blockquote type="cite"
cite="mid:BN6PR12MB19391D7BDC59EA8C419318F1EF780@BN6PR12MB1939.namprd12.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2) Use Oslo.utils mask_password() method in
keystoneauth:<o:p></o:p></p>
<p class="MsoNormal"><b>Pros:<o:p></o:p></b></p>
<p class="MsoNormal">A) No synching issue as described in
solution #1. keystoneauth will directly use mask_password()
method from Oslo.utils.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A) You will need oslo.utils library to use
keystoneauth.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Objection by
community:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">- keystoneauth
community don't want any dependency on any of OpenStack common
oslo libraries.<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">Please refer to
the comment from Morgan:
<a
href="https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3"
moz-do-not-send="true">https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3) Add a custom logging filter in oslo
logger<o:p></o:p></p>
<p class="MsoNormal">Please refer to POC sample here: <a
href="http://paste.openstack.org/show/617093/"
moz-do-not-send="true">
http://paste.openstack.org/show/617093/</a><o:p></o:p></p>
<p class="MsoNormal">OpenStack core services using any OpenStack
individual python-*client (for e.g python-cinderclient used in
nova service) will need to pass oslo_logger object during it’s<o:p></o:p></p>
<p class="MsoNormal">initialization which will do the work of
masking sensitive information.
<o:p></o:p></p>
<p class="MsoNormal">Note: In nova, oslo.logger object is not
passed during cinder client initialization (<a
href="https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L135-L141"
moz-do-not-send="true">https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L135-L141</a>),
<o:p></o:p></p>
<p class="MsoNormal">In this case, sensitive information will
not be masked as it isn’t using Oslo.logger.</p>
</div>
</blockquote>
<blockquote type="cite"
cite="mid:BN6PR12MB19391D7BDC59EA8C419318F1EF780@BN6PR12MB1939.namprd12.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Pros:<o:p></o:p></b></p>
<p class="MsoNormal">A) No changes required in oslo.logger or
any OpenStack services if mask_password method is modified in
oslo.utils.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A) Every log message will be scanned for
certain password fields degrading the performance.<o:p></o:p></p>
<p class="MsoNormal">B) If consumer of keystoneauth doesn’t use
oslo_logger, then the sensitive information will not be
masked.<o:p></o:p></p>
<p class="MsoNormal">C) Will need to make changes wherever
applicable to the OpenStack core services to pass oslo.logger
object during python-novaclient initialization.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4) Add mask_password formatter parameter in
oslo_log:<o:p></o:p></p>
<p class="MsoNormal">Add "mask_password" formatter to sanitize
sensitive data and pass it as a keyword argument to the log
statement.<o:p></o:p></p>
<p class="MsoNormal">If the mask_password is set, then only the
sensitive information will be masked at the time of logging.<o:p></o:p></p>
<p class="MsoNormal">The log statement will look like below: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">logger.debug("'adminPass': 'Now you see
me'"), mask_password=True)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please refer to the POC code here: <a
href="http://paste.openstack.org/show/618019/"
moz-do-not-send="true">
http://paste.openstack.org/show/618019/</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Pros: <o:p></o:p></b></p>
<p class="MsoNormal">A) No changes required in oslo.logger or
any OpenStack services if mask_password method is modified in
oslo.utils.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Cons:<o:p></o:p></b></p>
<p class="MsoNormal">A) If consumer of keystoneauth doesn’t use
oslo_logger, then the sensitive information will not be
masked.<o:p></o:p></p>
<p class="MsoNormal">B) If you forget to pass mask_password=True
for logging messages where sensitive information is present,
then those fields won't be masked with ***.
<o:p></o:p></p>
<p class="MsoNormal"> But this can be clearly documented as
suggested by Morgan and Lance.<o:p></o:p></p>
<p class="MsoNormal">C) This solution requires you to add a
below check in keystoneauth to avoid from an exception being
raised in case logger is pure python Logger as it
<o:p></o:p></p>
<p class="MsoNormal"> doesn’t accept mask_password keyword
argument.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">if
isinstance(logger, logging.Logger):<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> logger.debug('
'.join(string_parts))<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">else:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> logger.debug('
'.join(string_parts), mask_password=True)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This check assumes that the logger instance
will be oslo_log only if it is not of python default
logging.Logger.<o:p></o:p></p>
<p class="MsoNormal">Keystoneauth community is not ready to have
any dependency on any oslo-* lib, so it seems this solution
has low acceptance chances.</p>
</div>
</blockquote>
<br>
Options 2, 3, and 4 all require dependencies on oslo in order to
work, which is a non-starter according to Morgan's comment in the
bug [0]. Options 3 and 4 will require a refactor to get keystoneauth
to use oslo.log (today it uses the logging module from Python's
standard library).<br>
<br>
[0] <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3">https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3</a><br>
<br>
<blockquote type="cite"
cite="mid:BN6PR12MB19391D7BDC59EA8C419318F1EF780@BN6PR12MB1939.namprd12.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please let me know your opinions about the
above four approaches. Which one should we adopt?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[1] <a
href="https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L248-L313"
moz-do-not-send="true">
https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L248-L313</a><o:p></o:p></p>
<p class="MsoNormal">[2] <a
href="https://github.com/openstack/oslo.utils/blob/6e04f882c4308ff64fa199d1b127ad225e0a30c4/oslo_utils/strutils.py#L56-L96"
moz-do-not-send="true">
https://github.com/openstack/oslo.utils/blob/6e04f882c4308ff64fa199d1b127ad225e0a30c4/oslo_utils/strutils.py#L56-L96</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">Thanks and Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">Dinesh Bhor</span></b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN"> | App. Software Dev. Cnslt.<b><o:p></o:p></b></span></p>
<p class="MsoNormal" style="margin-bottom:6.0pt"><u><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3F16EE"
lang="EN-IN"><a href="mailto:dinesh.bhor@nttdata.com"
moz-do-not-send="true">dinesh.bhor@nttdata.com</a></span></u><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"
lang="EN-IN">
</span><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">| VOIP. 8833.8395I
</span></b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">|
</span><span style="color:#1F497D" lang="EN-IN"><a
href="http://nttdata.com/americas" moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#6785C1">nttdata.com/americas</span></a></span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#090909"
lang="EN-IN"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">NTT DATA, Inc.</span></b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">Consulting | Digital | Managed Services |
Industry Solutions<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"
lang="EN-IN">Learn more:<o:p></o:p></span></p>
<table class="MsoNormalTable" style="border-collapse:collapse"
border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr style="height:1.0pt">
<td style="width:25.4pt;padding:0in 2.9pt 0in
0in;height:1.0pt" width="34" valign="top">
<p class="MsoNormal"><a
href="http://americas.nttdata.com/"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img
id="Picture_x0020_8"
src="cid:part10.390B5C62.3EB1178D@gmail.com"
alt="Description: Description:
cid:image005.jpg@01D193F0.F70B44C0" class=""
border="0" width="29" height="29"></span></a><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td style="width:25.4pt;padding:0in 2.9pt 0in
0in;height:1.0pt" width="34" valign="top">
<p class="MsoNormal"><a
href="http://www.linkedin.com/company/ntt-data-americas"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img
id="Picture_x0020_7"
src="cid:part12.41027CC3.FC3E0F71@gmail.com"
alt="Description: Description:
cid:image009.jpg@01D193F0.F70B44C0" class=""
border="0" width="29" height="29"></span></a><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td style="width:25.4pt;padding:0in 2.9pt 0in
0in;height:1.0pt" width="34" valign="top">
<p class="MsoNormal"><a
href="https://twitter.com/NTTDATAAmericas"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img
id="Picture_x0020_6"
src="cid:part14.32AE7691.F357C81B@gmail.com"
alt="Description: Description:
cid:image010.jpg@01D193F0.F70B44C0" class=""
border="0" width="29" height="29"></span></a><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
<td style="width:25.4pt;padding:0in 2.9pt 0in
0in;height:1.0pt" width="34" valign="top">
<p class="MsoNormal"><a
href="https://www.facebook.com/NTTDATAAmericas"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D;text-decoration:none"><img
id="Picture_x0020_5"
src="cid:part16.681346A5.7FAEE55D@gmail.com"
alt="Description: Description:
cid:image011.jpg@01D193F0.F70B44C0" class=""
border="0" width="29" height="29"></span></a><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br clear="all">
______________________________________________________________________<br>
Disclaimer: This email and any attachments are sent in strictest
confidence<br>
for the sole use of the addressee and may contain legally
privileged,<br>
confidential, and proprietary data. If you are not the intended
recipient,<br>
please advise the sender by replying promptly to this email and
then delete<br>
and destroy this email and any attachments without any further
use, copying<br>
or forwarding.<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>