Discuss Fix for Bug #2003179
Hello,
I am reaching out to start a discussion about Bug #2003179 https://bugs.launchpad.net/cinder/+bug/2003179
The password is getting leaked in plain text from https://opendev.org/openstack/oslo.privsep/src/commit/9c026804de74ae23a60ab3.... This logger line does not always contain a password so using mask_password() and mask_dict_password() from https://docs.openstack.org/oslo.utils/latest/reference/strutils.html is probably not the best solution. Anyone have any thoughts on how to stop the password from appearing in plain text?
Thanks, Tony
Internal Use - Confidential
I would probably fix this the way we did in nova.
We installed a log filter that prevents the privsep daemon's logs at debug level from being logged.
https://github.com/openstack/nova/blob/master/nova/config.py#L78-L80 https://github.com/openstack/nova/commit/86a8aac0d76fa149b5e43c73b31227fbcf4...
cinder should also install a log filter to only log privsep log at info by default.
On Tue, 2023-05-16 at 15:11 +0000, Saad, Tony wrote:
Hello,
I am reaching out to start a discussion about Bug #2003179 https://bugs.launchpad.net/cinder/+bug/2003179
The password is getting leaked in plain text from https://opendev.org/openstack/oslo.privsep/src/commit/9c026804de74ae23a60ab3.... This logger line does not always contain a password so using mask_password() and mask_dict_password() from https://docs.openstack.org/oslo.utils/latest/reference/strutils.html is probably not the best solution. Anyone have any thoughts on how to stop the password from appearing in plain text?
Thanks, Tony
Internal Use - Confidential
On 16/05, Sean Mooney wrote:
I would probably fix this the way we did in nova.
We installed a log filter that prevents the privsep daemon's logs at debug level from being logged.
https://github.com/openstack/nova/blob/master/nova/config.py#L78-L80 https://github.com/openstack/nova/commit/86a8aac0d76fa149b5e43c73b31227fbcf4...
cinder should also install a log filter to only log privsep log at info by default.
Hi,
Thanks Sean for the suggestion, unfortunately we won't be going that route in os-brick for the time being, because those changes in Nova were the reasons why I had to add a feature to privsep [1] and os-brick [2].
Without nova logging privsep calls we were literally blind to know what was happening on attach and detach operations in the os-brick code, even with DEBUG log levels enabled in Nova using the `debug=true` config option.
The workaround was to modify the log levels in the nova config explicitly, which no customer had to do before, so I had to write a KCS article explaining it [3].
For the record, this issue of the displayed password is also going to happen in later Nova releases now that we have separated os-brick and nova privsep logging levels.
I think Eric has a very good suggestion [4] that should be easy to implement.
Cheers, Gorka.
[1]: https://review.opendev.org/c/openstack/oslo.privsep/+/784098
[2]: https://review.opendev.org/c/openstack/os-brick/+/871835
[3]: https://access.redhat.com/articles/5906971
[4]: https://bugs.launchpad.net/cinder/+bug/2003179/comments/7
On Tue, 2023-05-16 at 15:11 +0000, Saad, Tony wrote:
Hello,
I am reaching out to start a discussion about Bug #2003179 https://bugs.launchpad.net/cinder/+bug/2003179
The password is getting leaked in plain text from https://opendev.org/openstack/oslo.privsep/src/commit/9c026804de74ae23a60ab3.... This logger line does not always contain a password so using mask_password() and mask_dict_password() from https://docs.openstack.org/oslo.utils/latest/reference/strutils.html is probably not the best solution. Anyone have any thoughts on how to stop the password from appearing in plain text?
Thanks, Tony
Internal Use - Confidential
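The two options weighed in this thread, side by side, as an added example that is not code from nova, cinder, os-brick or oslo.privsep: raising the privsep logger to INFO versus keeping DEBUG output and redacting secret values with a `logging.Filter`. The logger name `oslo.privsep.daemon`, the regex key list and the sample records are assumptions constructed for illustration; only the standard library is used.

```python
import logging
import re

# Assumption: privsep daemon records arrive on this logger name.
PRIVSEP_LOGGER = "oslo.privsep.daemon"

# Key/value pairs such as 'password': 'x' or token=x (illustrative key list).
_SECRET_RE = re.compile(
    r"""(?i)((?:pass(?:word|wd)?|secret|token)['"]?\s*[:=]\s*['"]?)[^'"\s,)}]+""")


class RedactSecrets(logging.Filter):
    """Keep every record, but mask secret values in the rendered message."""

    def filter(self, record):
        record.msg = _SECRET_RE.sub(r"\1***", record.getMessage())
        record.args = None  # message is already rendered
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(f"{record.levelname} {record.getMessage()}")


def run(mode):
    """Log three constructed privsep-style records under one policy."""
    logger = logging.Logger(PRIVSEP_LOGGER, logging.DEBUG)
    handler = ListHandler()
    logger.addHandler(handler)
    if mode == "info-only":   # drop all privsep DEBUG output
        logger.setLevel(logging.INFO)
    elif mode == "redact":    # keep DEBUG output, mask secret values
        handler.addFilter(RedactSecrets())
    # Constructed sample calls; function names and arguments are made up.
    logger.debug("request[%s]: %s", 1,
                 ("connect_volume", {"user": "admin", "password": "s3cr3t"}))
    logger.debug("request[%s]: %s", 2, ("disconnect_volume", {"dev": "sdb"}))
    logger.info("daemon running as pid %s", 4242)
    return handler.lines


if __name__ == "__main__":
    for mode in ("debug", "info-only", "redact"):
        print(mode, run(mode), sep="\n  ")
```

In `info-only` mode the secret is gone but so are both call records; in `redact` mode the calls remain visible and records without a secret pass through unchanged.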
participants (3)
- Gorka Eguileor
- Saad, Tony
- Sean Mooney