[openstack-dev] passwords in logs --security related
Steven Hardy
shardy at redhat.com
Mon Apr 22 12:55:01 UTC 2013
On Mon, Apr 22, 2013 at 02:11:08PM +0200, Thierry Carrez wrote:
> Dolph Mathews wrote:
> > 1) passwords are currently logged by keystone when you enable debug mode
> > (and there's a big warning in the sample.conf about passwords in plain text)
>
> It still probably makes sense to mask them.
Agree, although note this is not a problem specific to keystone; it seems
that every request containing context gets printed when using the oslo amqp
implementation with debug logging enabled:
https://bugs.launchpad.net/heat/+bug/1166705
https://github.com/openstack/oslo-incubator/blob/master/openstack/common/rpc/amqp.py#L291
I've just raised:
https://bugs.launchpad.net/oslo/+bug/1171446
>
> > 3) if any other service is handling passwords, then we're doing
> > something very wrong
>
> Some other services peruse external credentials, for example for storage
> backends.
>
> > I don't see a reason for anything to go into oslo?
>
> I think his idea was to filter the thing generically in oslo's log.py...
> I agree that this password log filter in particular is very
> keystone-specific, so probably not very reusable.
Seems like (for the RPC code at least) the _safe_log() function is supposed
to do this, only it doesn't seem to be sanitising all potentially sensitive
keys.
Steve
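The two mitigations discussed in this thread are a structured scrub of the RPC message before it is logged (what _safe_log() is meant to do) and a generic filter in the logging layer that masks credentials in already-formatted lines. The following is an added example of both, not oslo's own code; the key list in SENSITIVE_KEYS, the function and class names, and the sample message are constructed for illustration. Because the complaint in the thread is that the sanitiser misses keys, the structured scrub below matches sensitive names as case-insensitive substrings anywhere in a nested dict (so DBPassword or _context_auth_token are caught, not just a literal "password"), and the logging.Filter acts as a backstop for any message that bypasses the structured path.

```python
import logging
import re

# Names treated as sensitive. Constructed for this example; whichever list a
# project uses must be maintained centrally, since any name missing from it
# is printed in clear text once debug logging is enabled.
SENSITIVE_KEYS = frozenset({
    "password", "auth_token", "admin_password", "new_pass", "secret",
})
MASK = "***"


def mask_sensitive(obj, sensitive=SENSITIVE_KEYS, mask=MASK):
    """Return a copy of obj with the values of sensitive keys replaced.

    Walks dicts, lists and tuples recursively, so credentials nested in an
    RPC message's 'args' or '_context_*' fields are masked as well. Key
    matching is case-insensitive and substring-based: 'DBPassword' and
    '_context_auth_token' are both masked. The input is left unmodified.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if isinstance(key, str) and any(s in key.lower() for s in sensitive):
                out[key] = mask
            else:
                out[key] = mask_sensitive(value, sensitive, mask)
        return out
    if isinstance(obj, (list, tuple)):
        return type(obj)(mask_sensitive(v, sensitive, mask) for v in obj)
    return obj


# Matches  'password': 'value' ,  "auth_token": "value"  or  secret=value
# in an already-formatted string; group 1 is the key plus separator, group 2
# the (optional) quote that must also close the value.
_KEY_PATTERN = re.compile(
    r"(?i)(['\"]?(?:%s)['\"]?\s*[:=]\s*)(['\"]?)([^'\",\s}]*)\2"
    % "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS))
)


def mask_text(text, pattern=_KEY_PATTERN, mask=MASK):
    """Mask credential values in a formatted log line, keeping the quoting."""
    return pattern.sub(
        lambda m: m.group(1) + m.group(2) + mask + m.group(2), text
    )


class MaskingFilter(logging.Filter):
    """logging.Filter that scrubs the fully formatted message of a record.

    Attached to a handler, it covers every module logging through that
    handler, including code that never called mask_sensitive(). Formatting
    is done here (getMessage) so interpolated %s arguments are scrubbed too.
    """

    def filter(self, record):
        record.msg = mask_text(record.getMessage())
        record.args = ()
        return True


def filtered_message(msg, *args):
    """Run one record through MaskingFilter and return the resulting line."""
    record = logging.LogRecord("example.amqp", logging.DEBUG, __file__, 0,
                               msg, args, None)
    MaskingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample resembling an RPC envelope with context fields.
    message = {
        "method": "create_stack",
        "args": {"params": {"KeyName": "demo", "DBPassword": "hunter2"}},
        "_context_auth_token": "tok123",
        "_context_user": "admin",
    }
    print(mask_sensitive(message))
    print(filtered_message("received %s", message))
    print(filtered_message("auth url=http://x auth_token=abc123 user=bob"))
```

Using both layers is deliberate: the structured scrub is precise and cheap, but it only protects callers that remember to invoke it, while the regex filter is a coarse safety net that also catches ad-hoc debug statements at the cost of occasionally masking a non-credential whose key happens to contain one of the names.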