[openstack-dev] masking X-Auth-Token in debug output - proposed consistency

Jay Pipes jaypipes at gmail.com
Wed Jun 11 19:48:31 UTC 2014

On 06/11/2014 03:01 PM, Sean Dague wrote:
> We've had a few reviews recently going around to mask out X-Auth-Token
> from the python clients in the debug output. Currently there are a mix
> of ways this is done.
> In glanceclient (straight stricken)
> X-Auth-Token: ***
> The neutronclient proposal -
> https://review.openstack.org/#/c/93866/9/neutronclient/client.py is to
> use 'REDACTED'
> There is a novaclient patch in the gate that uses SHA1(<sha1oftoken>) -
> https://review.openstack.org/#/c/98443/
> Morgan was working on keystone.session patch -
> https://review.openstack.org/#/c/98443/
> after some back and forth we landed on {SHA1}<sha1oftoken> because
> that's actually LDAP standard for such things, and SHA1(...) looks too
> much like a function. I think that should probably be our final solution
> here.
> Why SHA1?
> While we want to get rid of the token from the logs, for both security
> and size reasons (5 - 10% of the logs in a gate run by bytes are
> actually keystone tokens), it's actually sometimes important to
> understand that *the same* token was used between 2 requests, or that 2
> different tokens were used. This is especially try with expiration times
> defaulting to 1 hr, and the fact that sometimes we have tests take
> longer than that (so we need to debug that we didn't rotate tokens when
> we should have).
> Because the keystone token is long (going north of 4k), and variable
> data length, and with different site data, these values should not be
> susceptible to a generic rainbow attack, so a single SHA1 seems
> sufficient. If there are objections to that, we can field something else
> there. It also has the advantage of being "batteries included" with all
> our supported versions of python.
> I'm hoping we can just ACK this approach, and get folks to start moving
> patches through the clients to clean this all up.
> If you have concerns, please bring them up now.

Sounds like an excellent plan, thx for the update, Sean.


More information about the OpenStack-dev mailing list