<div dir="auto">Another option, pass log=False which we currently do for all the auth requests. This will prevent debug printing the body at all, so con, by default you can't see that message, but it's there because I never wanted to mess around with masking individual service's secrets like this.</div><div class="gmail_extra"><br><div class="gmail_quote">On 29 Sep. 2017 11:49 pm, "Lance Bragstad" <<a href="mailto:lbragstad@gmail.com">lbragstad@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p><br>
    </p>
    <br>
    <div class="m_7531828877334540130moz-cite-prefix">On 09/27/2017 06:38 AM, Bhor, Dinesh
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      
      <div class="m_7531828877334540130WordSection1">
        <p class="MsoNormal">Hi Team,<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">There are four solutions to fix the below
          bug:<u></u><u></u></p>
        <p class="MsoNormal"><a href="https://bugs.launchpad.net/keystoneauth/+bug/1638978" target="_blank">https://bugs.launchpad.net/<wbr>keystoneauth/+bug/1638978</a><u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">1) Carry a copy of mask_password() method
          to keystoneauth from oslo_utils [1]:<u></u><u></u></p>
        <p class="MsoNormal"><b>Pros:<u></u><u></u></b></p>
        <p class="MsoNormal">A. keystoneauth will use already tested and
          used version of mask_password.<u></u><u></u></p>
        <p class="MsoNormal">                <u></u><u></u></p>
        <p class="MsoNormal"><b>Cons:<u></u><u></u></b></p>
        <p class="MsoNormal">A. keystoneauth will have to keep the
          version of the mask_password() method in sync with the
          oslo_utils version.
          <u></u><u></u></p>
        <p class="MsoNormal">     If there are any new "_SANITIZE_KEYS"
          added to oslo_utils mask_password then those should be added
          in keystoneauth mask_password also.<u></u><u></u></p>
        <p class="MsoNormal">B. Copying "mask_password" will also
          require copying its supporting code [2], which is huge.<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
      </div>
    </blockquote>
    <br>
    I'm having flashbacks of the oslo-incubator days...<br>
    <br>
    <blockquote type="cite">
      <div class="m_7531828877334540130WordSection1">
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">2) Use Oslo.utils mask_password() method in
          keystoneauth:<u></u><u></u></p>
        <p class="MsoNormal"><b>Pros:<u></u><u></u></b></p>
        <p class="MsoNormal">A) No synching issue as described in
          solution #1. keystoneauth will directly use mask_password()
          method from Oslo.utils.<u></u><u></u></p>
        <p class="MsoNormal">                <u></u><u></u></p>
        <p class="MsoNormal"><b>Cons:<u></u><u></u></b></p>
        <p class="MsoNormal">A) You will need oslo.utils library to use
          keystoneauth.<u></u><u></u></p>
        <p class="MsoNormal" style="margin-left:.5in">Objection by
          community:<u></u><u></u></p>
        <p class="MsoNormal" style="margin-left:.5in">- The keystoneauth
          community doesn't want any dependency on any of the OpenStack
          common oslo libraries.<u></u><u></u></p>
        <p class="MsoNormal" style="text-indent:.5in">Please refer to
          the comment from Morgan:
          <a href="https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3" target="_blank">https://bugs.launchpad.net/<wbr>keystoneauth/+bug/1700751/<wbr>comments/3</a><u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">3) Add a custom logging filter in oslo
          logger<u></u><u></u></p>
        <p class="MsoNormal">Please refer to POC sample here: <a href="http://paste.openstack.org/show/617093/" target="_blank">
            http://paste.openstack.org/<wbr>show/617093/</a><u></u><u></u></p>
        <p class="MsoNormal">OpenStack core services using any
          individual OpenStack python-*client (e.g. python-cinderclient
          used in the nova service) will need to pass an oslo_logger
          object during its initialization, which will do the work of
          masking sensitive information.
          <u></u><u></u></p>
        <p class="MsoNormal">Note: In nova, oslo.logger object is not
          passed during cinder client initialization (<a href="https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L135-L141" target="_blank">https://github.com/openstack/<wbr>nova/blob/master/nova/volume/<wbr>cinder.py#L135-L141</a>),
          <u></u><u></u></p>
        <p class="MsoNormal">In this case, sensitive information will
          not be masked as it isn’t using Oslo.logger.</p>
      </div>
    </blockquote>
    <blockquote type="cite">
      <div class="m_7531828877334540130WordSection1">
        <p class="MsoNormal"><u></u><u></u></p>
        <p class="MsoNormal">                <u></u><u></u></p>
        <p class="MsoNormal"><b>Pros:<u></u><u></u></b></p>
        <p class="MsoNormal">A) No changes required in oslo.logger or
          any OpenStack services if mask_password method is modified in
          oslo.utils.<u></u><u></u></p>
        <p class="MsoNormal">                <u></u><u></u></p>
        <p class="MsoNormal"><b>Cons:<u></u><u></u></b></p>
        <p class="MsoNormal">A) Every log message will be scanned for
          certain password fields degrading the performance.<u></u><u></u></p>
        <p class="MsoNormal">B) If consumer of keystoneauth doesn’t use
          oslo_logger, then the sensitive information will not be
          masked.<u></u><u></u></p>
        <p class="MsoNormal">C) Will need to make changes wherever
          applicable to the OpenStack core services to pass oslo.logger
          object during python-novaclient initialization.<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">4) Add mask_password formatter parameter in
          oslo_log:<u></u><u></u></p>
        <p class="MsoNormal">Add "mask_password" formatter to sanitize
          sensitive data and pass it as a keyword argument to the log
          statement.<u></u><u></u></p>
        <p class="MsoNormal">If the mask_password is set, then only the
          sensitive information will be masked at the time of logging.<u></u><u></u></p>
        <p class="MsoNormal">The log statement will look like below: <u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">logger.debug("'adminPass': 'Now you see
          me'", mask_password=True)<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">Please refer to the POC code here: <a href="http://paste.openstack.org/show/618019/" target="_blank">
            http://paste.openstack.org/<wbr>show/618019/</a><u></u><u></u></p>
        <p class="MsoNormal">                <u></u><u></u></p>
        <p class="MsoNormal"><b>Pros:      <u></u><u></u></b></p>
        <p class="MsoNormal">A) No changes required in oslo.logger or
          any OpenStack services if mask_password method is modified in
          oslo.utils.<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><b>Cons:<u></u><u></u></b></p>
        <p class="MsoNormal">A) If consumer of keystoneauth doesn’t use
          oslo_logger, then the sensitive information will not be
          masked.<u></u><u></u></p>
        <p class="MsoNormal">B) If you forget to pass mask_password=True
          for logging messages where sensitive information is present,
          then those fields won't be masked with ***.
          <u></u><u></u></p>
        <p class="MsoNormal">     But this can be clearly documented as
          suggested by Morgan and Lance.<u></u><u></u></p>
        <p class="MsoNormal">C) This solution requires you to add the
          check below in keystoneauth to avoid an exception being
          raised in case the logger is a pure Python Logger, as it
          doesn’t accept the mask_password keyword
          argument.<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal" style="margin-left:.5in">if
          isinstance(logger, logging.Logger):<u></u><u></u></p>
        <p class="MsoNormal" style="margin-left:.5in">    logger.debug('
          '.join(string_parts))<u></u><u></u></p>
        <p class="MsoNormal" style="margin-left:.5in">else:<u></u><u></u></p>
        <p class="MsoNormal" style="margin-left:.5in">    logger.debug('
          '.join(string_parts), mask_password=True)<u></u><u></u></p>
        <p class="MsoNormal">                              <wbr>  <u></u><u></u></p>
        <p class="MsoNormal">This check assumes that the logger instance
          will be oslo_log only if it is not of python default
          logging.Logger.<u></u><u></u></p>
        <p class="MsoNormal">Keystoneauth community is not ready to have
          any dependency on any oslo-* lib, so it seems this solution
          has low acceptance chances.</p>
      </div>
    </blockquote>
    <br>
    Options 2, 3, and 4 all require dependencies on oslo in order to
    work, which is a non-starter according to Morgan's comment in the
    bug [0]. Options 3 and 4 will require a refactor to get keystoneauth
    to use oslo.log (today it uses the logging module from Python's
    standard library).<br>
    <br>
    [0] <a class="m_7531828877334540130moz-txt-link-freetext" href="https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3" target="_blank">https://bugs.launchpad.net/<wbr>keystoneauth/+bug/1700751/<wbr>comments/3</a><br>
    <br>
    <blockquote type="cite">
      <div class="m_7531828877334540130WordSection1">
        <p class="MsoNormal"><u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">Please let me know your opinions about the
          above four approaches. Which one should we adopt?<u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal">[1] <a href="https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L248-L313" target="_blank">
https://github.com/openstack/<wbr>oslo.utils/blob/master/oslo_<wbr>utils/strutils.py#L248-L313</a><u></u><u></u></p>
        <p class="MsoNormal">[2] <a href="https://github.com/openstack/oslo.utils/blob/6e04f882c4308ff64fa199d1b127ad225e0a30c4/oslo_utils/strutils.py#L56-L96" target="_blank">
https://github.com/openstack/<wbr>oslo.utils/blob/<wbr>6e04f882c4308ff64fa199d1b127ad<wbr>225e0a30c4/oslo_utils/<wbr>strutils.py#L56-L96</a><u></u><u></u></p>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN">Thanks and Regards,<u></u><u></u></span></p>
        <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN">Dinesh Bhor</span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN"> | App. Software Dev. Cnslt.<b><u></u><u></u></b></span></p>
        <p class="MsoNormal" style="margin-bottom:6.0pt"><u><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#3f16ee" lang="EN-IN"><a href="mailto:dinesh.bhor@nttdata.com" target="_blank">dinesh.bhor@nttdata.com</a></span></u><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1f497d" lang="EN-IN">
          </span><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN">| VOIP. 8833.8395I
            </span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN">|
          </span><span style="color:#1f497d" lang="EN-IN"><a href="http://nttdata.com/americas" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#6785c1">nttdata.com/americas</span></a></span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#090909" lang="EN-IN"><u></u><u></u></span></p>
        <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN">NTT DATA, Inc.</span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN"><u></u><u></u></span></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black" lang="EN-IN">Consulting | Digital | Managed Services |
            Industry Solutions<u></u><u></u></span></p>
      </div>
      <br clear="all">
      <pre>______________________________<wbr>______________________________<wbr>______________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="m_7531828877334540130moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a>
<a class="m_7531828877334540130moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a>
</pre>
    </blockquote>
    <br>
  </div>

<br></blockquote></div></div>
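<p>Added example, not code from this thread, keystoneauth or oslo: a masking filter built only on Python's standard <code>logging</code> module, illustrating the filter idea of option 3 without an oslo dependency, and showing why option 4 needs its <code>isinstance</code> check. The key list, the regex and the logger name are assumptions for illustration and are much simpler than oslo.utils' <code>mask_password()</code>.</p>

```python
import io
import logging
import re

# Assumed key list for illustration; oslo.utils maintains its own, longer list.
SENSITIVE_KEYS = ("adminPass", "admin_pass", "password", "auth_token")

# Matches 'key': 'value' or "key": "value" as seen in a logged request body.
# Simplification: values containing quote characters are not handled.
_PATTERN = re.compile(
    r"(['\"](?:" + "|".join(map(re.escape, SENSITIVE_KEYS)) + r")['\"]\s*:\s*['\"])"
    r"[^'\"]*(['\"])"
)


def mask_secrets(text, secret="***"):
    """Replace the value of every sensitive key in text with `secret`."""
    return _PATTERN.sub(lambda m: m.group(1) + secret + m.group(2), text)


class MaskSecretsFilter(logging.Filter):
    """Masks secrets in the fully rendered message (msg % args)."""

    def filter(self, record):
        # The record is mutated, so every handler that sees it afterwards
        # gets the masked text as well.
        record.msg = mask_secrets(record.getMessage())
        record.args = ()
        return True


def demo():
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(MaskSecretsFilter())
    log = logging.getLogger("example.session")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    try:
        # Constructed sample bodies; the second is the string from the thread.
        log.debug("REQ body: %s", '{"server": {"adminPass": "Now you see me"}}')
        log.debug("'adminPass': 'Now you see me'")
        try:
            # Option 4's keyword on a plain stdlib logger with DEBUG enabled.
            log.debug("x", mask_password=True)
            kwarg_accepted = True
        except TypeError:
            kwarg_accepted = False
    finally:
        log.removeHandler(handler)
    return stream.getvalue().splitlines(), kwarg_accepted


if __name__ == "__main__":
    print(demo())
```

The filter runs on every record that reaches the handler, which is the per-message scanning cost listed as a con of option 3.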