[openstack-dev] passwords in logs --security related

Thierry Carrez thierry at openstack.org
Mon Apr 22 12:11:08 UTC 2013


Dolph Mathews wrote:
> 1) passwords are currently logged by keystone when you enable debug mode
> (and there's a big warning in the sample.conf about passwords in plain text)

It still probably makes sense to mask them.

> 3) if any other service is handling passwords, then we're doing
> something very wrong

Some other services peruse external credentials, for example for storage
backends.

> I don't see a reason for anything to go into oslo?

I think his idea was to filter the thing generically in oslo's log.py...
I agree that this password log filter in particular is very
keystone-specific, so probably not very reusable.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
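
Added example, not part of the original message and not oslo's or keystone's own code: one way a generic masking filter for Python's `logging` module could look, covering both JSON/dict-style and `key=value` credentials. The key names, the logger name and the sample log calls are constructed for illustration.

```python
import io
import logging
import re

# Key names are assumptions for illustration; extend them per service.
_SECRET = re.compile(r"""
    ( ["']? [\w-]* (?:password|passwd|secret) [\w-]* ["']? \s* [:=] \s* )  # key and separator
    (?: (["']) (?:\\.|(?!\2).)* \2     # quoted value, backslash escapes allowed
      | [^\s,&{}\[\]"']+ )             # bare value (key=value, query string)
""", re.IGNORECASE | re.VERBOSE)


def mask_password(text, mask="***"):
    """Replace the value of any password-like key, keeping the key and quotes."""
    def _sub(m):
        quote = m.group(2) or ""
        return f"{m.group(1)}{quote}{mask}{quote}"
    return _SECRET.sub(_sub, text)


class MaskPasswordFilter(logging.Filter):
    """Render the record first, so secrets passed as %-args are masked too."""
    def filter(self, record):
        record.msg = mask_password(record.getMessage())
        record.args = ()          # message is already rendered
        return True


def demo():
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attached to the handler: a filter on a logger is not applied to
    # records emitted by its child loggers.
    handler.addFilter(MaskPasswordFilter())
    log = logging.getLogger("demo.identity")   # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample debug lines
    log.debug("auth request: %s", {"username": "admin", "password": "s3cr3t"})
    log.debug("storage backend url=%s backend_password=%s", "10.0.0.5", "hunter2")
    log.removeHandler(handler)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter rewrites only the rendered message; values that reach the log through exception tracebacks or custom formatter fields are not covered.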
