Mask keystone token in debug output
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Invalid | Medium | Unassigned |
Bug Description
https:/
commit a7af1e280db7299
Author: Davanum Srinivas <email address hidden>
Date: Sat Sep 20 23:57:36 2014 -0400
Mask keystone token in debug output
Replaying the keystone token in debug output is both completely
burdensome to read (given its unbounded size) and potentially a
security issue, given that it could be used in replay
attacks.
Instead, filter the headers to sha1 sensitive things, with X-Auth-Token
being the only one listed so far. The sha1 will at least give us the
understanding of tokens being the same or different (and an administrator
could use that to figure out if they were valid later).
This also removes some extra '\n' that were being injected into the
debug logs, because they were not helping with readability.
Lastly, actually test logging. This introduces the first tests of the
logging path using the logging fixture. It's pretty basic, but does
verify that requests are logged at debug, that the SHA1 format works,
and that headers which are not listed get shown straight through.
DocImpact because this changes the curl dumped strings which people
may have been using. They can still do that as long as they generate
their own keystone token.
Ported from original change id:
I1edb947857
Change-Id: Ie074e44bffac5e
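The masking scheme the commit message describes, as an added example written for this page rather than code from the ported change or from any OpenStack client: sensitive header values (X-Auth-Token is the only one the change listed; X-Subject-Token is an assumption added here) are replaced in the curl-style debug string by a SHA1 digest, so an administrator can still tell two logged tokens apart and, holding a candidate token, check later whether it is the one that was logged. The `{SHA1}` prefix, the helper names and the sample request are assumptions for illustration.

```python
import hashlib
import logging

# Header names whose values must never reach the debug log verbatim.
# X-Auth-Token comes from the commit message; X-Subject-Token is an
# assumption added for illustration. Matching is case-insensitive
# because HTTP header names are.
SENSITIVE_HEADERS = frozenset(
    h.lower() for h in ("X-Auth-Token", "X-Subject-Token"))


def mask_value(value):
    """Replace a secret with a '{SHA1}' tag plus its hex digest.

    The digest is bounded in size and cannot be replayed, but it still
    lets two log lines be compared for 'same token or not'.
    """
    digest = hashlib.sha1(value.encode("utf-8")).hexdigest()
    return "{SHA1}%s" % digest


def mask_headers(headers, sensitive=SENSITIVE_HEADERS):
    """Return a copy of headers with sensitive values masked.

    Headers not in the sensitive set pass through unchanged.
    """
    masked = {}
    for name, value in headers.items():
        if name.lower() in sensitive:
            masked[name] = mask_value(value)
        else:
            masked[name] = value
    return masked


def curl_debug_line(method, url, headers, body=None):
    """Build a curl-style debug string with secrets already masked.

    The string is only useful for replay if the operator substitutes
    their own token for the digest, which is the intended trade-off.
    """
    parts = ["curl -i"]
    for name, value in sorted(mask_headers(headers).items()):
        parts.append('-H "%s: %s"' % (name, value))
    parts.append("-X %s" % method)
    if body is not None:
        parts.append("-d '%s'" % body)
    parts.append(url)
    return " ".join(parts)


def token_matches(logged_value, candidate_token):
    """Check, after the fact, whether a logged digest belongs to a known token."""
    return logged_value == mask_value(candidate_token)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    log = logging.getLogger("client")
    # Constructed sample request; the token value is made up.
    sample_headers = {
        "X-Auth-Token": "abc",
        "Content-Type": "application/json",
        "User-Agent": "example-client",
    }
    log.debug("REQ: %s", curl_debug_line(
        "GET", "http://example.test/v2/servers", sample_headers))
```

Because the digest is deterministic, an operator who suspects a leaked token can run `token_matches()` against the logged `{SHA1}` value instead of searching logs for the raw token.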
Changed in openstack-manuals:
status: Incomplete → Confirmed
importance: Undecided → Medium
Dims, can you say which CLIs this affects? That'll help us triage this doc bug.