Secure Site Recommendations does not discuss LOGGING settings

Bug #1333440 reported by Matt Fischer
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

The Secure Site Recommendations (http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations) does not mention anything about the LOGGING section. One specific issue that should be covered is that if you ship the example config file, it will log the keystone requests as DEBUG and that will log plaintext passwords. This is very dangerous.

Revision history for this message
Julie Pichon (jpichon) wrote :

Currently this is mentioned in http://docs.openstack.org/developer/horizon/topics/deployment.html#logging on the same page, but I agree the Keystone client logging passwords in plain text is a big issue (if you want to add your thoughts about this on bug 1004114 feel free to, as the Keystone client patch to fix this is currently abandoned). I think it would be good to change our default LOGGING dictionary to set the keystone client logger to INFO by default.

Changed in horizon:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Matt Fischer (mfisch) wrote :

Let's change the default to Info and perhaps also the example too? I know that when people write things like puppet modules they rely on the example file to form a basis for the template and I just started a fix to modify the Puppet default to Info as well.

I'll also bring this up to the keystone team.
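
The two settings under discussion, as an added illustration that is not code from the bug report or from Horizon itself: a Django-style LOGGING dict of the shape Horizon's local_settings.py carries, built once with the keystone client logger at the shipped DEBUG level and once at the proposed INFO default, then exercised through Python's logging.config with a constructed request line that mimics what the client logged. The logger name "keystoneclient", the NullHandler entry and the sample request body are assumptions.

```python
import logging
import logging.config

# Constructed stand-in for the request body python-keystoneclient logged at
# DEBUG: the user's password is right there in plaintext.
SAMPLE_REQUEST_BODY = (
    '{"auth": {"passwordCredentials": '
    '{"username": "demo", "password": "s3cret"}}}'
)


def build_logging_config(keystone_level):
    """Django-style LOGGING dict; 'DEBUG' mirrors the shipped example,
    'INFO' is the safer default proposed in this bug (logger name assumed)."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": {
            "null": {"level": "DEBUG", "class": "logging.NullHandler"},
        },
        "loggers": {
            "keystoneclient": {
                "handlers": ["null"], "level": keystone_level, "propagate": False,
            },
        },
    }


class _ListHandler(logging.Handler):
    """Collects formatted records, i.e. what would reach the log file."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def simulate_keystone_request(keystone_level):
    """Apply the config, emit client-style records, return captured lines."""
    logging.config.dictConfig(build_logging_config(keystone_level))
    log = logging.getLogger("keystoneclient")
    capture = _ListHandler()
    log.addHandler(capture)
    # Constructed request line in the style of the client's DEBUG output.
    log.debug("REQ: POST /v2.0/tokens body=%s", SAMPLE_REQUEST_BODY)
    log.info("Authenticated as user demo")
    log.removeHandler(capture)
    return capture.lines


def leaks_password(keystone_level):
    """True when the captured log output contains the plaintext password."""
    return any("s3cret" in line for line in simulate_keystone_request(keystone_level))
```

Under the DEBUG setting the password lands in the log; at INFO only the authentication summary line is recorded.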

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/102969

Changed in horizon:
assignee: nobody → Susan Tan (susan-tan-fleckerl)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by David Lyle (<email address hidden>) on branch: master
Review: https://review.openstack.org/102969
Reason: No updates since June. If this is still being worked on restore the review and rebase.

Matthias Runge (mrunge)
Changed in horizon:
status: In Progress → Confirmed
Changed in horizon:
assignee: Susan Tan (susan-tan-fleckerl) → Annapoornima Koppad (annakoppad)
Revision history for this message
Akihiro Motoki (amotoki) wrote :

As of 2021, keystoneauth1 is used to communicate with back-end services. keystoneauth1 handles the underlying http connections and is in charge of DEBUG logging. It no longer records credentials like the user password. The token ID is still logged, but the token is ephemeral, so I think this issue has been addressed.

Changed in horizon:
assignee: Annapoornima Koppad (annakoppad) → nobody
status: Confirmed → Fix Released