[openstack-dev] passwords in logs --security related

Sandy Walsh sandy.walsh at RACKSPACE.COM
Tue Apr 23 11:34:16 UTC 2013


Yeah, I've submitted a bunch of patches to the exception decorator and notification code to strip passwords/tokens from leaking into events. 

I think we should consider creating an object for sensitive material that can hide itself when needed. All this raw-string stuff is unmanageable. It could live in Oslo.

-S

________________________________________
From: Steven Hardy [shardy at redhat.com]
Sent: Monday, April 22, 2013 9:55 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] passwords in logs --security related

On Mon, Apr 22, 2013 at 02:11:08PM +0200, Thierry Carrez wrote:
> Dolph Mathews wrote:
> > 1) passwords are currently logged by keystone when you enable debug mode
> > (and there's a big warning in the sample.conf about passwords in plain text)
>
> It still probably makes sense to mask them.

Agree, although note this is not a problem specific to keystone, it seems
that every request containing context gets printed when using the oslo amqp
implementation with debug logging enabled:

https://bugs.launchpad.net/heat/+bug/1166705

https://github.com/openstack/oslo-incubator/blob/master/openstack/common/rpc/amqp.py#L291

I've just raised:

https://bugs.launchpad.net/oslo/+bug/1171446

>
> > 3) if any other service is handling passwords, then we're doing
> > something very wrong
>
> Some other services peruse external credentials, for example for storage
> backends.
>
> > I don't see a reason for anything to go into oslo?
>
> I think his idea was to filter the thing generically in oslo's log.py...
> I agree that this password log filter in particular is very
> keystone-specific, so probably not very reusable.

Seems like (for the RPC code at least) the _safe_log() function is supposed
to do this, only it doesn't seem to be sanitising all potentially sensitive
keys.

Steve

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
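Sandy's self-hiding object for sensitive material and Steve's observation that _safe_log() misses some keys, sketched as an added example (not code from Oslo or from either poster); the Sensitive class, the key pattern and the sample message are all constructed for this illustration.

```python
import json
import re

MASK = "***"
# Constructed key pattern for this example; oslo's _safe_log() keeps its own key list.
SENSITIVE_KEY_RE = re.compile(r"password|passwd|secret|token|auth_?key", re.I)


class Sensitive:
    """Masks itself in str(), repr(), f-strings and logging.  Deliberately not a str
    subclass: json.dumps() or "x" + secret raise TypeError instead of leaking."""

    def __init__(self, value):
        self._value = value

    def reveal(self):  # the only path that returns the real value
        return self._value

    def __str__(self):
        return MASK

    __repr__ = __str__

    def __format__(self, spec):  # covers f"{secret}" and "{}".format(secret)
        return format(MASK, spec)


def sanitize(obj):
    """Copy of obj with sensitive keys and Sensitive values masked.  Recurses into
    nested dicts/lists (an RPC message has 'args' and a 'context' sub-dict)."""
    if isinstance(obj, Sensitive):
        return MASK
    if isinstance(obj, dict):
        return {k: MASK if isinstance(k, str) and SENSITIVE_KEY_RE.search(k)
                else sanitize(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [sanitize(v) for v in obj]
    return obj


def safe_log_line(msg):
    """What a debug logger should emit for an RPC message: sanitized JSON."""
    return json.dumps(sanitize(msg), sort_keys=True)


if __name__ == "__main__":  # constructed sample message; all values are made up
    msg = {"method": "create_user", "args": {"name": "alice", "password": "hunter2"},
           "_context_auth_token": "tok-abc", "context": {"admin_password": Sensitive("s3")}}
    print(safe_log_line(msg), f"token={Sensitive('tok-abc')}")
```

The key match is a case-insensitive substring test rather than an exact-name list, so context keys such as `_context_auth_token` are caught without enumerating every spelling.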
