[Openstack-security] [Bug 1247217] Fix merged to nova (master)

OpenStack Infra 1247217 at bugs.launchpad.net
Thu Dec 5 21:05:08 UTC 2013


Reviewed:  https://review.openstack.org/56059
Committed: http://github.com/openstack/nova/commit/138f24dea3b1fa34a39eaa0e937b19657b287ccc
Submitter: Jenkins
Branch:    master

commit 138f24dea3b1fa34a39eaa0e937b19657b287ccc
Author: Lance Bragstad <ldbragst at us.ibm.com>
Date:   Thu Nov 14 15:40:05 2013 +0000

    Sync log.py from Oslo-incubator
    
    This change syncs log.py and its dependencies from Oslo-incubator to
    include the password sanitation fix that landed in Oslo with commit
    76b0cd10c414ae71e6f041adb431460b3337c63d.
    
    The following is a list of the change IDs that this
    commit is bringing in from the last sync of Oslo-incubator with
    respect to the files we are touching.
    
    2b40a10 python3: Fix UserString import
    c331e74 Enable multiple translation domains for gettextutils
    89369c3 gettextutils: port to Python 3
    6d49bca Translate all substitution elements of a Message object
    3970d46 Fix typos in oslo
    88db9c8 When translating if no locale is given use default locale
    53ebd30 python3: use six.text_types for unicode()
    25c5854 Adds admin_password as key to be sanitized when logging
    2251cb5 Do not name variables as builtins
    04c1b5a Type check for Message param to avoid AttributeError
    
    Change-Id: Ie4d5929604e3fc057ea09edbbf3adf16f8839a4e
    Partial-Bug: #1247217


** Changed in: nova
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1247217

Title:
  Sanitize passwords when logging payload in wsgi for API Extensions

Status in OpenStack Compute (Nova):
  Fix Committed
Status in Oslo - a Library of Common OpenStack Code:
  In Progress

Bug description:
  The fix for bug 1231263 ( https://bugs.launchpad.net/nova/+bug/1231263
  ) addressed not logging the clear-text password in the nova wsgi.py
  module for the adminPass attribute for the Server Change Password REST
  API, but this only addressed that specific attribute.  Since Nova has
  support for the ability to add REST API Extensions (in the contrib
  directory), there could be any number of other password-related
  attributes in the request/response body for those additional
  extensions.

  Although it would not be possible to know all of the various sensitive
  attributes that these APIs would pass in the request/response (the
  only way to totally eliminate the exposure would be to not log the
  request/response which is useful for debugging), I would like to
  propose a change similar to the one that was made in keystone (under
  https://bugs.launchpad.net/keystone/+bug/1166697) to mask the password
  in the log statement for any attribute that contains the "password"
  sub-string in it.

  The change would in essence be to update the _SANITIZE_KEYS /
  _SANITIZE_PATTERNS lists in the nova/api/openstack/wsgi.py module to
  include a pattern for the "password" sub-string.

  Also, for a slight performance benefit, it may be useful to put a
  check in to see if debug logging level is enabled around the debug
  statement that does the sanitize call (since the request/response
  bodies could be fairly large and wouldn't want to take the hit to do
  the pattern matches if debug isn't on).

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1247217/+subscriptions
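
The masking and debug-level guard proposed in the bug description above, sketched as an added example; it is not the code from Oslo-incubator's log.py or nova's wsgi.py. The regexes, `sanitize_body`, `log_body`, the mask string and the sample bodies are assumptions made for illustration; only `_SANITIZE_PATTERNS` and `adminPass` are names taken from the report.

```python
import logging
import re

LOG = logging.getLogger("wsgi_sanitize_example")  # hypothetical logger name

# adminPass is the attribute bug 1231263 covered; the second alternative is
# the proposed catch-all for any attribute name containing "password".
_KEY = r"(?:adminPass|[\w-]*password[\w-]*)"
_MASK = "***"  # constructed mask value

_SANITIZE_PATTERNS = [
    # JSON member, e.g. "db_password": "secret" (escaped quotes allowed)
    re.compile(r'("%s"\s*:\s*")(?:[^"\\]|\\.)*(")' % _KEY, re.I),
    # XML attribute, e.g. adminPass="secret"
    re.compile(r'(\b%s\s*=\s*")[^"]*(")' % _KEY, re.I),
    # XML element, e.g. <root_password>secret</root_password>
    re.compile(r'(<%s(?:\s[^>]*)?>)[^<]*(</%s>)' % (_KEY, _KEY), re.I),
]

# Constructed sample bodies, not taken from any real request.
SAMPLE_JSON = ('{"server": {"name": "vm1", "adminPass": "s3cret"}, '
               '"db_password": "p\\"w"}')
SAMPLE_XML = ('<server adminPass="s3cret">'
              '<root_password>hunter2</root_password></server>')


def sanitize_body(body):
    """Return body with the value of every password-like attribute masked."""
    for pattern in _SANITIZE_PATTERNS:
        body = pattern.sub(r"\g<1>%s\g<2>" % _MASK, body)
    return body


def log_body(label, body, log=LOG):
    """Log the sanitized body; skip the regex passes unless DEBUG is enabled."""
    if not log.isEnabledFor(logging.DEBUG):
        return False  # large bodies cost nothing when debug logging is off
    log.debug("%s: %s", label, sanitize_body(body))
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_body("request", SAMPLE_JSON)
    log_body("request", SAMPLE_XML)
```

A name-based pattern only covers attributes whose names look like passwords; secrets carried under other names (tokens, keys) still reach the log, which is the residual exposure the report acknowledges.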



