Comment 11 for bug 1638978

Dinesh Bhor (dinesh-bhor) wrote :

Hi all,

I have tried the approach below, which is similar to what Morgan has suggested.
By adding a custom filter in the oslo logger and passing that logger from masakari to python-novaclient while creating its object, I am able to mask the required sensitive information in keystoneauth.

Below are the steps:

[1] I have added a custom PasswordMaskingFilter in oslo_log/log.py.
   This filter masks the sensitive information using the oslo_utils "strutils.mask_password" method.

   I have added this filter to the oslo logger that we get by calling the "getLogger" method of
   the oslo_log/log.py module.

diff --git a/oslo_log/log.py b/oslo_log/log.py
index 827a57d..16aade6 100644
--- a/oslo_log/log.py
+++ b/oslo_log/log.py
@@ -40,6 +40,7 @@ except ImportError:

 from oslo_config import cfg
 from oslo_utils import importutils
+from oslo_utils import strutils
 import six
 from six import moves

@@ -421,6 +422,17 @@ def get_loggers():
     return _loggers.copy()

+class PasswordMaskingFilter(logging.Filter):
+ """Demonstrate how to filter sensitive data:"""
+
+ def filter(self, record):
+ # The call signature matches string interpolation: args can be a tuple
+ # or a lone dict
+
+ # Use oslo_utils password masking method to sanitize data
+ record.msg = strutils.mask_password(record.msg)
+ return True
+
+
 def getLogger(name=None, project='unknown', version='unknown'):
     """Build a logger with the given name.
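Review bot: filter() masks only record.msg and leaves record.args untouched, even though the comment two lines above it notes that args can be a tuple or a lone dict; a secret handed in as an argument (`LOG.debug('REQ: %s', body)`) therefore reaches the handler unmasked, and because the format string is masked before interpolation, a placeholder sitting right after a key such as `password=` is itself a candidate for replacement, which leaves an unconsumed argument at format time. Masking the interpolated text instead, `record.msg = strutils.mask_password(record.getMessage())` followed by `record.args = ()`, covers both cases. The docstring `"""Demonstrate how to filter sensitive data:"""` is placeholder text and should describe what the filter actually does.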

@@ -442,7 +454,9 @@ def getLogger(name=None, project='unknown', version='unknown'):
     if name and name.startswith('oslo_'):
         name = 'oslo.' + name[5:]
     if name not in _loggers:
- _loggers[name] = KeywordArgumentAdapter(logging.getLogger(name),
+ masking_logger = logging.getLogger(name)
+ masking_logger.addFilter(PasswordMaskingFilter())
+ _loggers[name] = KeywordArgumentAdapter(masking_logger,
                                                 {'project': project,
                                                  'version': version})
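Review bot: the filter is attached unconditionally to every logger that getLogger() hands out, so every record in every oslo.log consumer pays the masking cost, which is the performance concern raised at the end of the comment; a filter added to a Logger also only sees records created on that logger, not records propagated up from child loggers, so it does not act as a catch-all. If the target is what python-novaclient and keystoneauth write through the logger masakari passes in, attaching the filter only to that logger (or to the handler) and gating it behind a config option would bound the cost.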

[2] Used this oslo logger in masakari while creating the novaclient:

diff --git a/masakari/compute/nova.py b/masakari/compute/nova.py
index 56a12c6..830c5a5 100644
--- a/masakari/compute/nova.py
+++ b/masakari/compute/nova.py
@@ -119,7 +119,8 @@ def novaclient(context, timeout=None):
                                     region_name=CONF.os_region_name,
                                     endpoint_type=endpoint_type,
                                     cacert=CONF.nova_ca_certificates_file,
- extensions=nova_extensions)
+ extensions=nova_extensions,
+ logger=LOG)
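Review bot: passing `logger=LOG` routes novaclient's own debug output into masakari's LOG logger, and the masking then silently depends on LOG having come from the patched oslo_log.getLogger() in the first hunk; nothing in this hunk records that coupling. A comment beside `logger=LOG` stating that the logger must carry PasswordMaskingFilter, or a test asserting it, would keep the two changes from drifting apart.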

The above "LOG" variable is an oslo logger itself.

The disadvantage of this solution is that it checks every log message for certain password fields, further degrading performance.
We should pass some info in the log message indicating that there is a need to mask the password fields.

Please let me know your opinion about this and also any other solution you have.
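The filter pattern discussed in this comment, as an added example that is not part of the comment, of masakari or of oslo.log: a logging.Filter that masks secrets after %-interpolation (so values passed as args are covered and a masked format string never leaves an unconsumed argument), plus an opt-in mode along the lines of the "pass some info in the log message" idea above, so only records that ask for masking pay the regex cost. It also shows why a handler-level filter, unlike a logger-level one, catches records propagated from child loggers. The mask_password() here is a stand-in for oslo_utils.strutils.mask_password (not imported, so the example runs offline) covering only JSON and key=value shapes; the mask_password record attribute is an invented opt-in marker, not an oslo.log convention.

```python
"""Added example (not masakari/oslo.log code): mask secrets in log records."""
import logging
import re

_KEYS = "password|new_password|auth_token|secret"
_ANY_KEY = re.compile(_KEYS, re.IGNORECASE)
# JSON/dict shape:  "password": "hunter2"  ->  "password": "***"
_JSON = re.compile(
    r"(?P<pre>[\"'](?:%s)[\"']\s*:\s*[\"'])[^\"']*(?P<post>[\"'])" % _KEYS,
    re.IGNORECASE)
# key=value shape:  password=hunter2  ->  password=***
_KV = re.compile(
    r"(?P<pre>\b(?:%s)\s*=\s*)[^\s&,'\"]+(?P<post>)" % _KEYS, re.IGNORECASE)


def mask_password(message, secret="***"):
    """Stand-in for oslo_utils.strutils.mask_password (assumption: same
    contract, any object is coerced to text; only two value shapes handled)."""
    text = str(message)
    if not _ANY_KEY.search(text):  # cheap gate before the substitutions
        return text
    for pattern in (_JSON, _KV):
        text = pattern.sub(lambda m: m.group("pre") + secret + m.group("post"),
                           text)
    return text


class PasswordMaskingFilter(logging.Filter):
    """Mask secrets in the fully interpolated message, not just record.msg.

    With opt_in=True only records carrying the (invented) attribute
    mask_password=True, e.g. LOG.debug(..., extra={'mask_password': True}),
    are scanned; everything else passes through untouched."""

    def __init__(self, opt_in=False):
        super().__init__()
        self.opt_in = opt_in

    def filter(self, record):
        if self.opt_in and not getattr(record, "mask_password", False):
            return True  # caller did not ask for masking: skip the regex work
        # Interpolate first: masking record.msg alone misses secrets passed as
        # args (tuple or dict), and masking "password=%s" before interpolation
        # can swallow the placeholder and leave an unconsumed argument.
        record.msg = mask_password(record.getMessage())
        record.args = ()  # already interpolated; nothing left to substitute
        return True


class ListHandler(logging.Handler):
    """Collects formatted output so the demo can return it."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def masked_message(msg, *args, opt_in=False, mark=False):
    """Run one record through the filter and return what a handler would see."""
    record = logging.LogRecord("demo", logging.DEBUG, "demo.py", 0, msg, args,
                               None)
    if mark:
        record.mask_password = True  # invented opt-in marker
    PasswordMaskingFilter(opt_in=opt_in).filter(record)
    return record.getMessage()


def demo():
    """A filter on the handler also covers records propagated from a child
    logger (a filter on the parent Logger alone would not see them)."""
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(name)s %(message)s"))
    handler.addFilter(PasswordMaskingFilter())
    parent = logging.getLogger("demo_parent")
    parent.handlers = [handler]
    parent.propagate = False
    parent.setLevel(logging.DEBUG)
    # Constructed request line in the style of an HTTP-client debug log.
    logging.getLogger("demo_parent.keystoneauth").debug(
        "REQ: -d '%s'", '{"user": {"name": "bob", "password": "hunter2"}}')
    return handler.lines


if __name__ == "__main__":
    print(masked_message("password=%s", "hunter2"))
    print(demo())
```

Masking after interpolation is what makes args safe; the trade-off is that the record reaching the handler no longer carries the original args, which matters only to handlers that inspect them rather than the formatted message.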