Password logging
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | High | Gabriel Hurley |
OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews |
OpenStack Security Notes | Fix Released | Medium | Abu Shohel Ahmed |
python-keystoneclient | Fix Released | Medium | Brant Knudson |
Bug Description
When the log level is set to DEBUG, keystoneclient's full-request logging mechanism kicks in, exposing plaintext passwords, etc.
This bug is mostly out of the scope of Horizon, however Horizon can also be more secure in this regard. We should make sure that wherever we *are* handling sensitive data we use Django's error report filtering mechanisms so they don't appear in tracebacks, etc. (https:/
Keystone may also want to look at respecting such annotations in their logging mechanism, i.e. if Django were properly annotating these data objects, keystoneclient could check for those annotations and properly sanitize the log output.
If not this exact mechanism, then something similar would be wise.
For the time being, it's also worth documenting in both projects that a log level of DEBUG will log passwords in plain text.
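The sanitizing step the description asks for, as an added Python example that is not keystoneclient's, keystone's or Horizon's own code: it masks credential-bearing keys in a decoded JSON request body and token headers before the DEBUG line is built, so that full-request logging no longer echoes the password. The key and header names, the sample v2 password request, the placeholder credentials and the hostname keystone.example are constructed for this example.

```python
import json
import logging

# Constructed for this example: the JSON keys and HTTP headers to mask.
# The real keystoneclient fix defines its own list; this is not that code.
SENSITIVE_KEYS = frozenset({"password", "token", "secret"})
SENSITIVE_HEADERS = frozenset({"x-auth-token", "x-subject-token", "authorization"})
REDACTED = "***"


def redact(obj):
    """Return a copy of a decoded JSON value with sensitive subtrees masked.

    Any value stored under a key in SENSITIVE_KEYS is replaced wholesale,
    whether it is a string (v2 passwordCredentials) or a nested object
    (v3 {"password": {"user": {...}}}), so nothing inside it can leak.
    Lists are walked so credentials inside arrays are caught too.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_headers(headers):
    """Mask token and credential headers by name, case-insensitively."""
    return {
        k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
        for k, v in headers.items()
    }


def safe_request_line(method, url, headers, body):
    """Build the DEBUG log line for an outgoing request without secrets.

    body is the raw request body as sent on the wire. If it is JSON it is
    decoded, masked and re-encoded; if it is not JSON the body is dropped
    from the log rather than risk echoing an unknown credential format.
    """
    try:
        masked_body = json.dumps(redact(json.loads(body))) if body else ""
    except (TypeError, ValueError):
        masked_body = "<non-JSON body omitted>"
    return "REQ: %s %s headers=%s body=%s" % (
        method, url, json.dumps(redact_headers(headers), sort_keys=True), masked_body)


# Constructed sample: a v2 password authentication request as a client
# would send it to keystone. The credentials and token are placeholders.
SAMPLE_BODY = json.dumps({
    "auth": {
        "tenantName": "demo",
        "passwordCredentials": {"username": "demo", "password": "s3cr3t"},
    }
})
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-Auth-Token": "abc123"}


def demo():
    """Emit the masked request line at DEBUG and return it for inspection."""
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("keystoneclient.demo")
    line = safe_request_line("POST", "http://keystone.example/v2.0/tokens",
                             SAMPLE_HEADERS, SAMPLE_BODY)
    log.debug(line)
    return line


if __name__ == "__main__":
    demo()
```

Replacing the whole subtree under a sensitive key is deliberate: a v3 request keeps its `identity.password` method entry but loses the user name nested inside it, which is the safer failure when the alternative is a credential in the log. A body that does not parse as JSON is omitted rather than logged verbatim for the same reason.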
Changed in | Field | Change
---|---|---
 | description | updated
keystone | status | New → Confirmed
keystone | importance | Undecided → High
horizon | status | Fix Committed → Fix Released
keystone | milestone | none → folsom-3
keystone | status | Fix Committed → Fix Released
horizon | milestone | folsom-2 → 2012.2
keystone | milestone | folsom-3 → 2012.2
python-keystoneclient | status | New → Triaged
python-keystoneclient | importance | Undecided → Medium
python-keystoneclient | tags | added: security
python-keystoneclient | assignee | nobody → Numero 8 (numero-8)
python-keystoneclient | assignee | Numero 8 (numero-8) → Adam Young (ayoung)
python-keystoneclient | assignee | Adam Young (ayoung) → Numero 8 (numero-8)
python-keystoneclient | assignee | Numero 8 (numero-8) → nobody
python-keystoneclient | assignee | nobody → Sergio Cazzolato (sergio-j-cazzolato)
python-keystoneclient | assignee | Sergio Cazzolato (sergio-j-cazzolato) → nobody
python-keystoneclient | assignee | Wei Wang (damon-devops) → David Stanek (dstanek)
python-keystoneclient | assignee | David Stanek (dstanek) → Brant Knudson (blk-u)
python-keystoneclient | assignee | Brant Knudson (blk-u) → Jamie Lennox (jamielennox)
python-keystoneclient | assignee | Jamie Lennox (jamielennox) → Nathan Kinder (nkinder)
python-keystoneclient | milestone | none → 0.10.1
python-keystoneclient | status | Fix Committed → Fix Released
ossn | assignee | nobody → Abu Shohel Ahmed (shohel-csdu)
ossn | status | New → In Progress
python-keystoneclient | milestone | 0.10.1 → 0.11.0
python-keystoneclient | status | Fix Committed → Fix Released
Fix proposed to branch: master
Review: https://review.openstack.org/7773