1) Carry a copy of mask_password() method to keystoneauth from oslo_utils [1]:
Pros:
A. keystoneauth will use already tested and used version of mask_password.
Cons:
A. keystoneauth will have to keep the version of mask_password() method sync with
oslo_utils version. If there are any new "_SANITIZE_KEYS" added to oslo_utils
mask_password then those should be added in keystoneauth mask_password also.
B. Copying the "mask_password" will also require to copy its supporting code [2]
which is huge.
2) Use Oslo.utils mask_password() method in keystoneauth:
Pros:
A) No synching issue as described in solution #1. keystoneauth will directly use
mask_password() method from Oslo.utils.
Cons:
A) You will need oslo.utils library to use keystoneauth.
Objection by community:
- keystoneauth community don't want any dependency on any of OpenStack common oslo
libraries.
Please refer to the comment from Morgan: https://bugs.launchpad.net/keystoneauth/+bug/1700751/comments/3
OpenStack core services using any OpenStack individual python-*client (for e.g
python-cinderclient used in nova service) will need to pass oslo_logger object
during its initialization which will do the work of masking sensitive information.
Pros:
A) No changes required in oslo.logger or any OpenStack services if mask_password
method is modified in oslo.utils.
Cons:
A) Every log message will be scanned for certain password fields degrading the performance.
B) If consumer of keystoneauth doesn’t use oslo_logger, then the sensitive information
will not be masked.
C) Will need to make changes wherever applicable to the OpenStack core services to pass
oslo.logger object during python-novaclient initialization.
4] Add mask_password formatter parameter in oslo_log:
Add "mask_password" formatter to sanitize sensitive data and pass it as a keyword argument
to the log statement. If the mask_password is set, then only the sensitive information
will be masked at the time of logging.
The log statement will look like below:
logger.debug("'adminPass': 'Now you see me'"), mask_password=True)
Pros:
A) No changes required in oslo.logger or any OpenStack services if mask_password method is
modified in oslo.utils.
Cons:
A) If consumer of keystoneauth doesn’t use oslo_logger, then the sensitive information
will not be masked.
B) If you forget to pass mask_password=True for logging messages where sensitive information
is present, then those fields won't be masked with ***. But this can be clearly documented
as suggested by Morgan and Lance.
C) This solution requires you to add a below check in keystoneauth to avoid from an
exception being raised in case logger is pure python Logger as it doesn’t accept
mask_password keyword argument.
if isinstance(logger, logging.Logger):
logger.debug(' '.join(string_parts))
else:
logger.debug(' '.join(string_parts), mask_password=True)
This check assumes that the logger instance will be oslo_log only if it is not of python
default logging.Logger. Keystoneauth community is not ready to have any dependency on
any oslo-* lib, so it seems this solution has low acceptance chances.
Please let me know your opinions about the above four approaches. Which one should we adopt?
Hi All,
There are four solutions to fix this issue:
1) Carry a copy of mask_password() method to keystoneauth from oslo_utils [1]:
Pros:
A. keystoneauth will use already tested and used version of mask_password.
Cons:
A. keystoneauth will have to keep the version of mask_password() method sync with
oslo_utils version. If there are any new "_SANITIZE_KEYS" added to oslo_utils
mask_password then those should be added in keystoneauth mask_password also.
B. Copying the "mask_password" will also require to copy its supporting code [2]
which is huge.
2) Use Oslo.utils mask_password() method in keystoneauth:
Pros:
A) No synching issue as described in solution #1. keystoneauth will directly use
mask_password() method from Oslo.utils.
Cons: /bugs.launchpad .net/keystoneau th/+bug/ 1700751/ comments/ 3
A) You will need oslo.utils library to use keystoneauth.
Objection by community:
- keystoneauth community don't want any dependency on any of OpenStack common oslo
libraries.
Please refer to the comment from Morgan:
https:/
3] Add a custom logging filter in oslo logger paste.openstack .org/show/ 617093/
Please refer to POC sample here: http://
OpenStack core services using any OpenStack individual python-*client (for e.g
python-cinderclient used in nova service) will need to pass oslo_logger object
during its initialization which will do the work of masking sensitive information.
Note: In nova, oslo.logger object is not passed during cinderclient initialization (https:/ /github. com/openstack/ nova/blob/ master/ nova/volume/ cinder. py#L135- L141),
In this case, sensitive information will not be masked as it isn’t using Oslo.logger.
Pros:
A) No changes required in oslo.logger or any OpenStack services if mask_password
method is modified in oslo.utils.
Cons:
A) Every log message will be scanned for certain password fields degrading the performance.
B) If consumer of keystoneauth doesn’t use oslo_logger, then the sensitive information
will not be masked.
C) Will need to make changes wherever applicable to the OpenStack core services to pass
oslo.logger object during python-novaclient initialization.
4] Add mask_password formatter parameter in oslo_log:
Add "mask_password" formatter to sanitize sensitive data and pass it as a keyword argument
to the log statement. If the mask_password is set, then only the sensitive information
will be masked at the time of logging.
The log statement will look like below:
logger. debug(" 'adminPass' : 'Now you see me'"), mask_password=True)
Please refer to the POC code here: http:// paste.openstack .org/show/ 618019/
Pros:
A) No changes required in oslo.logger or any OpenStack services if mask_password method is
modified in oslo.utils.
Cons:
A) If consumer of keystoneauth doesn’t use oslo_logger, then the sensitive information
will not be masked.
B) If you forget to pass mask_password=True for logging messages where sensitive information
is present, then those fields won't be masked with ***. But this can be clearly documented
as suggested by Morgan and Lance.
C) This solution requires you to add a below check in keystoneauth to avoid from an
exception being raised in case logger is pure python Logger as it doesn’t accept
mask_password keyword argument.
if isinstance(logger, logging.Logger): string_ parts)) string_ parts), mask_password=True)
logger.debug(' '.join(
else:
logger.debug(' '.join(
This check assumes that the logger instance will be oslo_log only if it is not of python
default logging.Logger. Keystoneauth community is not ready to have any dependency on
any oslo-* lib, so it seems this solution has low acceptance chances.
Please let me know your opinions about the above four approaches. Which one should we adopt?
[1] https:/ /github. com/openstack/ oslo.utils/ blob/master/ oslo_utils/ strutils. py#L248- L313 /github. com/openstack/ oslo.utils/ blob/6e04f882c4 308ff64fa199d1b 127ad225e0a30c4 /oslo_utils/ strutils. py#L56- L96
[2] https:/