[openstack-dev] passwords in logs --security related
Thierry Carrez
thierry at openstack.org
Mon Apr 22 12:11:08 UTC 2013
Dolph Mathews wrote:
> 1) passwords are currently logged by keystone when you enable debug mode
> (and there's a big warning in the sample.conf about passwords in plain text)

It still probably makes sense to mask them.

> 3) if any other service is handling passwords, then we're doing
> something very wrong

Some other services peruse external credentials, for example for storage
backends.

> I don't see a reason for anything to go into oslo?

I think his idea was to filter the thing generically in oslo's log.py...
I agree that this password log filter in particular is very
keystone-specific, so probably not very reusable.

--
Thierry Carrez (ttx)
Release Manager, OpenStack
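
The kind of generic password-masking log filter discussed in this thread, as an added example built on Python's standard `logging` module. It is not keystone's or oslo's code; the key list, the names `mask_secrets` and `MaskPasswordFilter`, and the sample debug lines are constructed for illustration.

```python
import io
import logging
import re

# Key names treated as secret (assumed list for this example).
_KEYS = "password|passwd|secret"

# Matches "password": "x", 'admin_password': 'x', password=x, password: x
# but not longer keys such as "passwordCredentials".
_PATTERN = re.compile(
    r"""(?P<prefix>['"]?\b(?:\w*_)?(?:%s)['"]?\s*[:=]\s*)"""
    r"""(?P<value>"[^"]*"|'[^']*'|[^\s,;&}]+)""" % _KEYS,
    re.IGNORECASE,
)

def mask_secrets(text):
    """Replace the value of every secret-looking key with ***, keeping quotes."""
    def _sub(match):
        value = match.group("value")
        quote = value[0] if value[0] in "\"'" else ""
        return match.group("prefix") + quote + "***" + quote
    return _PATTERN.sub(_sub, text)

class MaskPasswordFilter(logging.Filter):
    def filter(self, record):
        # Render msg % args first so secrets passed as arguments are masked too.
        record.msg = mask_secrets(record.getMessage())
        record.args = ()
        return True

def demo():
    """Log three constructed debug lines through the filter; return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler: a filter on a logger is skipped for child loggers.
    handler.addFilter(MaskPasswordFilter())
    log = logging.getLogger("mask_demo")
    log.handlers = [handler]
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.debug('REQ body: {"auth": {"passwordCredentials": '
              '{"username": "demo", "password": "s3cr3t"}}}')
    log.debug("storage backend %s", {"user": "svc", "admin_password": "hunter2"})
    log.debug("url=%s", "http://backend.example/?user=a&password=p4ss&x=1")
    return stream.getvalue().splitlines()

if __name__ == "__main__":
    print("\n".join(demo()))
```

A regex filter like this only catches secrets that appear next to a recognisable key name, so it complements, rather than replaces, not logging request bodies that carry credentials.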