mask keystone token in debug output
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openstack-manuals |
Fix Released
|
High
|
Tom Fifield |
Bug Description
https:/
commit 40d814b02e3fcb5
Author: Sean Dague <email address hidden>
Date: Mon Jun 9 10:20:31 2014 -0400
mask keystone token in debug output
replaying the keystone token in debug output is both completely
burdensome to read (given it's unbounded size), but it's also
potentially a security issue given that it could be used in replay
attacks.
Instead, filter the headers to sha1 sensitive things, with X-Auth-Token
being the only one listed so far. The sha1 will at least give us the
understanding of tokens being the same or different (and an administrator
could use that to figure out if they were valid later).
This also removes some extra '\n' that were being injected into the
debug logs, because they were not helping with readability.
Lastly, actually test logging. This introduces the first tests of the
logging path using the logging fixture. It's pretty basic, but does
verify that requests are logged at debug, that the SHA1 format works,
and that headers which are not listed get shown straight through.
DocImpact because this changes the curl dumped strings which people
may have been using. They can still do that as long as they generate
their own keystone token.
Change-Id: I1edb94785705c3
Changed in openstack-manuals: | |
milestone: | none → juno |
importance: | Undecided → Medium |
status: | New → Confirmed |
importance: | Medium → High |
Fixed by adding a ReleaseNote:
Debug log output in python-novaclient has changed slightly to improve readability. The sha1 hash of the keystone token is now printed instead of the token itself - greatly shortening the amount of content being printed while still retaining the ability to determine token mismatch scenarios. In addition, some extra '\n' characters that were being added are removed. Double-check any log parsers!