[openstack-dev] [oslo.utils] allow strutils.mask_password to mask keys dynamically

Doug Hellmann doug at doughellmann.com
Fri Mar 20 16:43:11 UTC 2015

Excerpts from Matthew Van Dijk's message of 2015-03-20 15:06:08 +0000:
> I’ve come across a use case for allowing dynamic keys to be made
> secret. The hardcoded list is good for common keys, but there will be
> cases where masking a custom value is useful without having to add it
> to the hardcoded list.

Can you be more specific about what that case is?

My concern with making some keys optional is that we'll have different
security behavior in different apps, because some will mask values
that are not masked in other places. Part of the point of centralizing
behaviors like this is to keep them consistent across all of the

> I propose we add an optional parameter that is a list of secret_keys
> whose values will be masked.
> There is concern that this will lead to differing levels of security.
> But I disagree as either the message will be masked before passing on
> or mask_password will be called. In this case the developer should be
> aware of the incoming data and manually mask it.
> Keeping with a hardcoded list discourages use of the function.
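
Added example, not part of the original messages and not oslo.utils code: a simplified stand-in masker with a fixed key list plus the proposed optional list of extra keys. It shows the behaviour the thread debates, where the same line is masked differently depending on what each caller passes. The names `mask_secrets`, `extra_keys`, `DEFAULT_SECRET_KEYS` and the sample line are assumptions made for illustration.

```python
import re

# Assumption: a short fixed list standing in for a library's hardcoded keys.
DEFAULT_SECRET_KEYS = ("password", "admin_pass", "auth_token")


def mask_secrets(message, extra_keys=(), secret="***"):
    """Mask values of key=value and 'key': 'value' pairs.

    Keys from DEFAULT_SECRET_KEYS are always masked; extra_keys models the
    optional per-call list proposed in the thread (hypothetical parameter).
    """
    keys = tuple(DEFAULT_SECRET_KEYS) + tuple(extra_keys)
    # Longest keys first so a longer key wins over a shorter one it starts with.
    alternation = "|".join(
        re.escape(k) for k in sorted(keys, key=len, reverse=True)
    )
    pattern = re.compile(
        # The lookbehind stops "password" from matching inside "db_password".
        r"(?P<prefix>(?<![\w-])['\"]?(?:" + alternation + r")['\"]?\s*[=:]\s*)"
        r"(?P<quote>['\"]?)(?P<value>[^'\",\s}]+)(?P=quote)",
        re.IGNORECASE,
    )

    def _replace(match):
        quote = match.group("quote")
        return match.group("prefix") + quote + secret + quote

    return pattern.sub(_replace, message)


# Constructed sample log line; db_secret is a custom key not in the fixed list.
LINE = "connect user=alice password=hunter2 db_secret=s3cr3t"

# Caller that relies only on the fixed list: the custom key is logged in clear.
service_a = mask_secrets(LINE)

# Caller that passes the custom key: both values are masked.
service_b = mask_secrets(LINE, extra_keys=("db_secret",))

if __name__ == "__main__":
    print(service_a)
    print(service_b)
```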
