<p dir="ltr">This isn't logging on the service side, this is logging on the client because the user ran --debug. This isn't a big security issue other than a documentation or user educational one.</p>
<p dir="ltr">Natr</p>
<div class="gmail_quote">On Apr 29, 2014 9:07 AM, "Hao Wang" <<a href="mailto:hao.1.wang@gmail.com">hao.1.wang@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Adding security group...</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <span dir="ltr"><<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It is the client. I got this message with DEBUG enabled:<div>curl -i '<a href="http://192.168.56.103:35357/v2.0/tokens" target="_blank">http://192.168.56.103:35357/v2.0/tokens</a>' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'<br>
</div><div><br></div><div>It can be seen that username and password are right in the message.</div><span><font color="#888888"><div><br></div><div>Hao</div></font></span></div><div><div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <span dir="ltr"><<a href="mailto:aaron.knister@gmail.com" target="_blank">aaron.knister@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Was it the client or the server that exposed the credentials?<br><br>Sent from my iPhone</div><div>
<div><div><br>On Apr 26, 2014, at 2:28 PM, Hao Wang <<a href="mailto:hao.1.wang@gmail.com" target="_blank">hao.1.wang@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi,</span><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">I am troubleshooting a neutron case. It was just found that if DEBUG was enabled, neutron would print out JSON data with username and password. I am wondering what kind of protocol is used in production environment to prevent this security risk from happening.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thanks,</div><div style="font-family:arial,sans-serif;font-size:13px">Hao</div></div>
</div></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br>
<span>Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a></span><br><span>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br>
</div></blockquote></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div>