[Openstack-security] [Bug 1004114] Re: Password logging
Dolph Mathews
1004114 at bugs.launchpad.net
Tue Jul 29 15:46:58 UTC 2014
Can we just remove the curl examples? I don't understand their utility
if they're not valid.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1004114
Title:
Password logging
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Identity (Keystone):
Fix Released
Status in OpenStack Security Notes:
New
Status in Python client library for Keystone:
In Progress
Bug description:
When the log level is set to DEBUG, keystoneclient's full-request
logging mechanism kicks in, exposing plaintext passwords, etc.
This bug is mostly out of the scope of Horizon, however Horizon can
also be more secure in this regard. We should make sure that wherever
we *are* handling sensitive data we use Django's error report
filtering mechanisms so they don't appear in tracebacks, etc.
(https://docs.djangoproject.com/en/dev/howto/error-reporting
/#filtering-error-reports)
Keystone may also want to look at respecting such annotations in their
logging mechanism, i.e. if Django were properly annotating these data
objects, keystoneclient could check for those annotations and properly
sanitize the log output.
If not this exact mechanism, then something similar would be wise.
For the time being, it's also worth documenting in both projects that
a log level of DEBUG will log passwords in plain text.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1004114/+subscriptions
More information about the Openstack-security
mailing list