Discuss Fix for Bug #2003179

Gorka Eguileor geguileo at redhat.com
Mon May 22 16:16:19 UTC 2023


On 16/05, Sean Mooney wrote:
> I would probably fix this the way we did in nova
>
> we installed a log filter that prevents the privsep daemon's logs at debug level from being logged.
>
> https://github.com/openstack/nova/blob/master/nova/config.py#L78-L80
> https://github.com/openstack/nova/commit/86a8aac0d76fa149b5e43c73b31227fbcf427278
>
> cinder should also install a log filter to only log privsep logs at info by default

Hi,

Thanks Sean for the suggestion, unfortunately we won't be going that
route in os-brick for the time being, because those changes in Nova were
the reasons why I had to add a feature to privsep [1] and os-brick [2].

Without nova logging privsep calls we were literally blind to know what
was happening on attach and detach operations in the os-brick code, even
with DEBUG log levels enabled in Nova using the `debug=true` config
option.

The workaround was to modify the log levels in the nova config
explicitly, which no customer had to do before, so I had to write a KCS
article explaining it [3].

For the record, this issue of the displayed password is also going to
happen in later Nova releases now that we have separated os-brick and
nova privsep logging levels.

I think Eric has a very good suggestion [4] that should be easy to
implement.

Cheers,
Gorka.


[1]: https://review.opendev.org/c/openstack/oslo.privsep/+/784098
[2]: https://review.opendev.org/c/openstack/os-brick/+/871835
[3]: https://access.redhat.com/articles/5906971
[4]: https://bugs.launchpad.net/cinder/+bug/2003179/comments/7

>
>
>
> On Tue, 2023-05-16 at 15:11 +0000, Saad, Tony wrote:
> > Hello,
> >
> > I am reaching out to start a discussion about Bug #2003179 https://bugs.launchpad.net/cinder/+bug/2003179
> >
> > The password is getting leaked in plain text from https://opendev.org/openstack/oslo.privsep/src/commit/9c026804de74ae23a60ab3c9565d0c689b2b4579/oslo_privsep/daemon.py#L501. This logger line does not always contain a password so using mask_password() and mask_dict_password() from https://docs.openstack.org/oslo.utils/latest/reference/strutils.html is probably not the best solution.
> > Anyone have any thoughts on how to stop the password from appearing in plain text?
> >
> > Thanks,
> > Tony
>
>
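Added example (not part of the original thread, and not code from nova, os-brick or oslo.privsep): the trade-off discussed above, comparing a privsep logger capped at INFO with a masking filter that keeps DEBUG records but redacts password-like values. It uses the standard library `logging` module rather than oslo.log; the logger name `oslo.privsep.daemon`, the regular expression and the sample records are assumptions constructed for illustration.

```python
import io
import logging
import re

PRIVSEP_LOGGER = "oslo.privsep.daemon"  # assumed name of the privsep daemon logger

# Constructed pattern: a password-like key, a separator, then a quoted or bare value.
SECRET_RE = re.compile(
    r"""(?i)((?:password|passwd|secret)['"]?\s*[:=]\s*)(['"]?)[^'",\s)}]+\2""")


class RedactSecrets(logging.Filter):
    """Mask password-like values in the formatted message; never drop the record."""

    def filter(self, record):
        message = record.getMessage()
        redacted = SECRET_RE.sub(r"\1\2***\2", message)
        if redacted != message:
            # Store the already-formatted, redacted text so later handlers see it too.
            record.msg, record.args = redacted, None
        return True


def capture(level, redact):
    """Log two constructed privsep-style records and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactSecrets())
    log = logging.getLogger(PRIVSEP_LOGGER)
    log.handlers, log.propagate = [handler], False
    log.setLevel(level)
    # Constructed sample calls, not real os-brick output.
    log.debug("request[%s]: %s", 1, ("connect", {"auth_password": "s3cr3t"}))
    log.debug("request[%s]: %s", 2, ("disconnect", {"device": "/dev/sdb"}))
    return stream.getvalue()


if __name__ == "__main__":
    for name, level, redact in (("debug, unfiltered", logging.DEBUG, False),
                                ("capped at INFO", logging.INFO, False),
                                ("debug, redacted", logging.DEBUG, True)):
        print(f"--- {name}\n{capture(level, redact)}")
```

Records without a password-like key pass through unchanged, and a pattern-based mask only covers the key names it knows about.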



