Keystone ldap logs personal information

Bug #1767323 reported by Divya K Konoor on 2018-04-27
This bug affects 4 people
Affects: OpenStack Identity (keystone)
Assigned to: Morgan Fainberg

Bug Description

When OpenStack/Keystone is configured with LDAP, it logs personal information in debug mode. The information logged is based completely on the parameters given as input while configuring LDAP. But in a production environment, LDAP generally has information about real people (natural persons) and with GDPR compliance around the corner, we should be very careful about what we log. Personal information about a natural person cannot be logged, stored or transferred without the consent of the person themselves. Having said that, the information logged below is very useful while debugging OpenStack/LDAP configuration issues.

2018-04-20 09:49:10.548 19412 DEBUG keystone.identity.backends.ldap.common [req-7abe3850-9937-4867-a1a7-f92d7757ccb1 8ed02367de541e8741badb6ce097a975a9233b464e6d215dde7bac48a3f2f54a 6d6da87e2345480b93821568c958cc81 - 46f848196da64f9caaf8e5304bba870b 46f848196da64f9caaf8e5304bba870b] LDAP search: base=o=xxx_suffix scope=2 filterstr=(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount)) attrs=['cn', 'userPassword', 'enabled', 'mail', 'postaladdress', 'desc'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/

keystone.log:2018-04-19 04:26:04.680 72157 DEBUG keystone.identity.backends.ldap.common [req-3a092189-a85a-40da-8ffe-88bec3d430d8 d61bbf804a64cdc47df20632987500c868562fe0627fc9c497ca4494f96adcd8 9ea574babbca4cd5a5e336017aec1867 - fa87845eedd847708aa71d51ef84aea6 fa87845eedd847708aa71d51ef84aea6] LDAP search: base=cn=Users,dc=finktest,dc=org scope=2 filterstr=(&(<email address hidden>)(objectClass=user)) attrs=['description', 'userPassword', 'enabled', 'userPrincipalName', 'mail', 'cn'] attrsonly=0 search_s /usr/lib/py

description: updated
Lance Bragstad (lbragstad) wrote :

We usually don't recommend using DEBUG logging in production systems for this reason.

But, one possible approach is to provide a configuration option for ldap that lets deployers set a list of ldap attributes to *not* log. Deployers will need to know which attributes are considered sensitive according to laws and restrictions in order to configure keystone properly and before debug logging is enabled. This approach was discussed in IRC [0].
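The approach above, as an added example that is not keystone's own code: a deployer-configured set of sensitive attribute names (the hypothetical `SENSITIVE_ATTRS` setting) is applied to the search filter before the `LDAP search: ...` debug line is built, so the filter's shape stays readable while the personal values are masked.

```python
import re

# Hypothetical deployer setting, modelled on the option proposed in the comment
# above. Names are compared case-insensitively, as LDAP attribute names are.
SENSITIVE_ATTRS = {"postaladdress", "mail", "userpassword", "userprincipalname"}

# One (attr<op>value) assertion of an LDAP filter; <op> is =, ~=, >= or <=.
# Literal parentheses inside values are escaped as \28 / \29 in LDAP filters,
# so a value never contains a raw '(' or ')'.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^()]*)\)")


def redact_filter(filterstr, sensitive_attrs=SENSITIVE_ATTRS):
    """Return filterstr with the values of sensitive attributes replaced by '***'.

    Only the value is masked: which attributes were queried and with which
    operators remains visible, which is what debugging a config needs.
    """
    def _mask(m):
        attr, op, value = m.group(1), m.group(2), m.group(3)
        if attr.lower() in sensitive_attrs:
            value = "***"
        return "(%s%s%s)" % (attr, op, value)
    return _ASSERTION.sub(_mask, filterstr)


def format_search_log(base, scope, filterstr, attrs, sensitive_attrs=SENSITIVE_ATTRS):
    """Build the 'LDAP search: ...' debug message with sensitive values masked."""
    return "LDAP search: base=%s scope=%s filterstr=%s attrs=%s" % (
        base, scope, redact_filter(filterstr, sensitive_attrs), attrs)


if __name__ == "__main__":
    # Constructed sample, shaped like the filter quoted in the bug description.
    f = "(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount))"
    print(format_search_log("o=xxx_suffix", 2, f, ["cn", "mail", "enabled"]))
```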


Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: ldap
Changed in keystone:
milestone: none → rocky-3
assignee: nobody → Morgan Fainberg (mdrnstm)
Changed in keystone:
milestone: rocky-3 → rocky-rc1
Changed in keystone:
importance: Medium → Low
Changed in keystone:
milestone: rocky-rc1 → none