[openstack-dev] masking X-Auth-Token in debug output - proposed consistency

Sean Dague sean at dague.net
Thu Jun 12 11:59:39 UTC 2014


On 06/12/2014 07:42 AM, Chmouel Boudjnah wrote:
> On Thu, Jun 12, 2014 at 12:58 PM, Chmouel Boudjnah <chmouel at enovance.com> wrote:
> 
> 
>     On Wed, Jun 11, 2014 at 9:47 PM, Sean Dague <sean at dague.net> wrote:
> 
>         Actually swiftclient is one of the biggest offenders in the gate -
>         http://logs.openstack.org/96/99396/1/check/check-tempest-dsvm-full/4501fc8/logs/screen-g-api.txt.gz#_2014-06-11_15_20_11_078
> 
> 
> 
>     I'd be happy to fix that but that would make the --debug option
>     ineffective right? Is it addressed in a different way in other clients?

The only thing it makes harder is you have to generate your own token to
run the curl command. The rest is there. Because everyone is running our
servers at debug levels, it means the clients are going to be running
debug level as well (yay python logging!), so this is something I don't
think people realized was a huge issue.

> Anyway I have sent a patch for swiftclient for this in:
> 
> https://review.openstack.org/#/c/99632/1
> 
> Personally I don't think I like much that SHA1 and I'd rather use the
> first 16 bytes of the token (like we did in swift server)

Using a well known hash means you can verify it was the right thing if
you have access to the original data. Just taking the first 16 bytes
doesn't give you that, so I think the hash provides slightly more
debuggability.

	-Sean

-- 
Sean Dague
http://dague.net
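
The two masking options discussed in this message, side by side, as an added example that is not part of the original thread or of the swiftclient patch. The function names, the "{SHA1}" label and the sample tokens are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: header names treated as secret; the thread names only X-Auth-Token.
SENSITIVE_HEADERS = ("x-auth-token",)


def mask_sha1(token):
    """Replace a token with a labelled SHA1 digest (label format is an assumption)."""
    return "{SHA1}" + hashlib.sha1(token.encode("utf-8")).hexdigest()


def mask_prefix(token, length=16):
    """The alternative from the thread: keep only the first 16 bytes."""
    return token[:length] + "..."


def redact_headers(headers, masker=mask_sha1):
    """Return a copy of headers that is safe to pass to a debug logger."""
    return {
        name: masker(value) if name.lower() in SENSITIVE_HEADERS else value
        for name, value in headers.items()
    }


def matches_logged(logged_value, candidate_token):
    """Check whether a token you already hold is the one behind a log entry."""
    return hmac.compare_digest(logged_value, mask_sha1(candidate_token))


# Constructed sample tokens that share their first 16 characters.
TOKEN_A = "4d2f8c1be0a94c7f" + "a" * 16
TOKEN_B = "4d2f8c1be0a94c7f" + "b" * 16

if __name__ == "__main__":
    request = {"X-Auth-Token": TOKEN_A, "Accept": "application/json"}
    logged = redact_headers(request)["X-Auth-Token"]
    print("logged value:", logged)
    print("token A matches:", matches_logged(logged, TOKEN_A))
    print("token B matches:", matches_logged(logged, TOKEN_B))
    print("prefixes equal:", mask_prefix(TOKEN_A) == mask_prefix(TOKEN_B))
```

The digest lets someone holding the original token confirm which request a log line belongs to, while the 16-byte prefix cannot tell the two sample tokens apart and also writes part of the secret into the log.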
