Comment 4 for bug 1050288

I'd suggest marking this as public (and/or dupe), as this is already documented pretty clearly in the default etc/keystone.conf.sample as a result of bug 1004114:

    # Print more verbose output
    # (includes plaintext request logging, potentially including passwords)
    # debug = False

See: https://github.com/openstack/keystone/commit/0abf6ba2