Password is visible in the log file

Bug #1185514 reported by Lin Hua Cheng
This bug report is a duplicate of: Bug #1004114: Password logging.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
python-keystoneclient | New | Undecided | Unassigned |

Bug Description

Using Horizon, I turned on the DEBUG flag for python-keystoneclient. I noticed that the password is logged in plain text.

Output from the log file:

REQ : curl -i http://127.0.0.1:5000/v3/auth/tokens -X POST -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
REQ BODY: {"auth": {"identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "admin", "password": "123456"}}}}}

Keystone-client should mask or hide the password value.
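
One way to mask the password before the debug line is written, as an added example that is not part of the original report and is not python-keystoneclient's own code. The names `mask_secrets`, `redact_body`, `SENSITIVE_KEYS` and the `***` mask are assumptions; the sample body is the one from the log output above. Only scalar values are masked, because in this payload the key `password` also names the auth-method container that holds the user object.

```python
import json
import logging

# Assumption: key names treated as secret; extend for other payloads.
SENSITIVE_KEYS = {"password"}
MASK = "***"

# Sample input: the request body shown in the log output of this report.
SAMPLE_BODY = (
    '{"auth": {"identity": {"methods": ["password"], "password": '
    '{"user": {"domain": {"name": "Default"}, "name": "admin", '
    '"password": "123456"}}}}}'
)


def mask_secrets(value):
    """Return a copy of a decoded JSON value with secret scalars replaced."""
    if isinstance(value, dict):
        masked = {}
        for key, item in value.items():
            # Containers are recursed into, never blanked, so the
            # "password" method block keeps its structure in the log.
            if key.lower() in SENSITIVE_KEYS and not isinstance(item, (dict, list)):
                masked[key] = MASK
            else:
                masked[key] = mask_secrets(item)
        return masked
    if isinstance(value, list):
        return [mask_secrets(item) for item in value]
    return value


def redact_body(body):
    """Redact a request body for logging; never fall back to the raw text."""
    try:
        return json.dumps(mask_secrets(json.loads(body)))
    except (TypeError, ValueError):
        # A body that cannot be parsed cannot be proven free of secrets.
        return "<unparseable body omitted>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    logging.getLogger("example").debug("REQ BODY: %s", redact_body(SAMPLE_BODY))
```
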

Jeremy Stanley (fungi) wrote :

Since this is already documented behavior ( http://docs.openstack.org/developer/horizon/topics/deployment.html ), I'm marking the bug public. I couldn't quite tell whether it's best marked a duplicate of bug 1004114, or whether it merits separate treatment (a la bug 1104313 and bug 1172195).

information type: Private Security → Public Security
Dolph Mathews (dolph) wrote :

Added python-keystoneclient as being impacted by bug 1004114

This report contains Public Security information  
Everyone can see this security related information.
