[openstack-dev] masking X-Auth-Token in debug output - proposed consistency

Sean Dague sean at dague.net
Thu Jun 12 11:09:55 UTC 2014

On 06/12/2014 12:33 AM, Morgan Fainberg wrote:
> I’ve been looking over the code for this and it turns out plain old SHA1
> is a bad idea.  We recently had a patch land in keystone client and
> keystone to let us configure the hashing algorithm used for token
> revocation list and the short-token ids. 
> I’ve updated my patch set to use ‘{OBSCURED}%(token)s’ instead of
> specifying a specific obscuring algorithm. This means that if we ever
> update the way we obscure the data in the future, we’re not lying about
> what was done in the log. The proposed approach can be found
> here: https://review.openstack.org/#/c/99432

With that we lose the ability to let an admin confirm the clients had
the right token (having access to the admin db).

I actually kind of like telling people what the algorithm is that we
generated this with for crossverifying. Especially as they may not have
access to the source code to know which algo was in effect.


Sean Dague

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140612/e468b4a9/attachment.pgp>

More information about the OpenStack-dev mailing list