Comment 0 for bug 1465922

Le Tian Ren (gpanda+) wrote:

grep CLEARTEXTPASSWORD keystone.log

2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:57

Issue code: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57

    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

Shadowing the values of sensitive fields like 'password' with some meaningless garbled text like "XXXXX" is one way to fix it.

Well, in addition to this, I think we should never pass the 'password' with its original value along through the code or save it in any persistence; instead, we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never need the original value of the password, right?
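The following is an added example, not code from the comment author or from Keystone, showing the logging pattern quoted above beside a masked variant, plus a check that mirrors the `grep CLEARTEXTPASSWORD keystone.log` in the report. The sample kwargs are constructed to match the log line above; the sensitive-key list, the `mask_sensitive` helper and the function names are assumptions made for illustration.

```python
import logging

# Constructed sample, modelled on the kwargs of the identity:create_user call
# shown in the bug report (not captured from a real deployment).
SAMPLE_KWARGS = {
    'user': {
        'domain_id': 'default',
        'password': 'CLEARTEXTPASSWORD',
        'enabled': True,
        'default_project_id': '0175b43419064ae38c4b74006baaeb8d',
        'name': 'DermotJ',
    }
}

# Assumed list of keys whose values must never reach a log line.
SENSITIVE_KEYS = frozenset({'password', 'secret', 'token', 'auth_token'})
MASK = 'XXXXX'


def mask_sensitive(obj):
    """Return a copy of obj with values of sensitive keys replaced by MASK.

    Recurses into nested dicts and lists, so a password buried inside
    user={'password': ...} is caught as well as a top-level key.
    The input is not modified.
    """
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else mask_sensitive(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(mask_sensitive(v) for v in obj)
    return obj


def format_rbac_line_unsafe(action, kwargs):
    """The pattern quoted from keystone/common/controller.py:57:
    every kwarg value is interpolated verbatim, password included."""
    return 'RBAC: Authorizing %(action)s(%(kwargs)s)' % {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}


def format_rbac_line_safe(action, kwargs):
    """Same message, but sensitive values are masked before formatting."""
    masked = mask_sensitive(kwargs)
    return 'RBAC: Authorizing %(action)s(%(kwargs)s)' % {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, masked[k]) for k in masked])}


def find_leaked_lines(log_lines, secret):
    """Equivalent of `grep <secret> keystone.log`: return every line that
    still carries the cleartext value."""
    return [line for line in log_lines if secret in line]


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger('keystone.common.controller')
    lines = [
        format_rbac_line_unsafe('identity:create_user', SAMPLE_KWARGS),
        format_rbac_line_safe('identity:create_user', SAMPLE_KWARGS),
    ]
    for line in lines:
        log.debug(line)
    # Only the unsafe line should be reported.
    print('leaking lines:', len(find_leaked_lines(lines, 'CLEARTEXTPASSWORD')))
```

Masking at the call site, as here, fixes only this one log statement; a logging filter applied to the `keystone` logger hierarchy would cover other debug paths that format request bodies, and the grep-style check is still worth running against real logs after any such change.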