Comment 2 for bug 1638978

Morgan Fainberg (mdrnstm) wrote :

I am speaking as a member of the keystonecoresec team not as a VMT member (as Keystoneauth is not officially covered by the VMT).

We cannot add any oslo dependencies to keystoneauth. You can however pass your own logger to keystoneauth's session when making the request that does explicit masking. https://github.com/openstack/keystoneauth/blob/01e0122a14c9a61a50038df67c008455f6cffd90/keystoneauth1/session.py#L395

Oslo is explicitly banned in this project due to the volume of transient dependencies that come from the libraries. This is to ensure keystoneauth does not grow dependencies that bog down the loading / instantiation of the session objects and plugins.

As a final note, we typically do not view "debug" logs as something that needs to explicitly be sanitized (it is a nice-to-have). Ideally services should not be run in debug and masking all the data at a debug level can hamper development work.

This bug can probably be marked as public / not under embargo as the bug should not be explicitly exploitable. To use the VMT taxonomy this would be a Class B3 ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

In an effort to follow closely to the VMT process (until Keystoneauth is under VMT management officially) this bug will remain private until further comments from keystone-coresec who has been subscribed.
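The workaround the comment describes, passing a caller-supplied logger that masks secrets, as an added example that is not part of the comment or of keystoneauth itself. It assumes keystoneauth's `Session.request()` accepts a `logger` keyword (the parameter at the linked line); the names `SENSITIVE_JSON_KEYS`, `SENSITIVE_HEADERS`, `redact`, `MaskingFilter` and `make_masking_logger` are hypothetical, and the debug line is constructed in the curl-style shape keystoneauth logs.

```python
import logging
import re

# Constructed for this example: JSON keys whose string values are masked
# before a debug record reaches any handler.
SENSITIVE_JSON_KEYS = ("password", "token", "secret")
# Header names whose values are masked (kept general on purpose).
SENSITIVE_HEADERS = ("X-Auth-Token", "X-Subject-Token", "X-Storage-Token")

_JSON_RE = re.compile(
    r'("(?:%s)"\s*:\s*")([^"]*)(")' % "|".join(SENSITIVE_JSON_KEYS), re.I)
_HDR_RE = re.compile(
    r'((?:%s):\s*)([^\s"\']+)' % "|".join(SENSITIVE_HEADERS), re.I)


def redact(text):
    """Replace sensitive JSON string values and header values with '***'."""
    text = _JSON_RE.sub(r"\1***\3", text)
    return _HDR_RE.sub(r"\1***", text)


class MaskingFilter(logging.Filter):
    """Rewrites each record's message in place before handlers format it."""

    def filter(self, record):
        # Render %-style args first so secrets passed as args are masked too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class CaptureHandler(logging.Handler):
    """Collects formatted lines so the masked output can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_masking_logger(name="keystoneauth.masked"):
    """DEBUG-level logger to hand to Session.request(..., logger=...)."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False  # keep masked records off the root logger
    if not any(isinstance(f, MaskingFilter) for f in logger.filters):
        logger.addFilter(MaskingFilter())
    return logger
```

With a real session the call is `session.request(url, "POST", json=body, logger=make_masking_logger())`; keystoneauth checks `isEnabledFor(DEBUG)` on the logger it is given, so the masking filter runs on every request line it emits through it.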