Comment 2 for bug 1571714

Okay, I think this should do it. If it looks good I'll submit a review to oslo.log to get this fixed.

diff --git a/oslo_log/formatters.py b/oslo_log/formatters.py
index 2545035..57e278e 100644
--- a/oslo_log/formatters.py
+++ b/oslo_log/formatters.py
@@ -28,6 +28,7 @@ from six import moves
 from oslo_context import context as context_utils
 from oslo_serialization import jsonutils
 from oslo_utils import encodeutils
+from oslo_utils import strutils

 if six.PY3:
     from functools import reduce
@@ -206,11 +207,16 @@ class JSONFormatter(logging.Formatter):
         return lines

     def format(self, record):
+ args = record.args
+ # If we were passed a dict object then we should attempt to mask any
+ # sensitive data.
+ if isinstance(args, dict):
+ args = strutils.mask_dict_password(dict(args))
         message = {'message': record.getMessage(),
                    'asctime': self.formatTime(record, self.datefmt),
                    'name': record.name,
                    'msg': record.msg,
- 'args': record.args,
+ 'args': args,
                    'levelname': record.levelname,
                    'levelno': record.levelno,
                    'pathname': record.pathname,
diff --git a/oslo_log/tests/unit/test_log.py b/oslo_log/tests/unit/test_log.py
index 7878525..b0ec22c 100644
--- a/oslo_log/tests/unit/test_log.py
+++ b/oslo_log/tests/unit/test_log.py
@@ -591,6 +591,11 @@ class JSONFormatterTestCase(LogTestBase):
         # convert it using repr() to prevent serialization error on logging.
         self.assertEqual(['repr'], data['args'])

+ def test_passwords_masked(self):
+ self.log.info('Test message', {'password': 'maskme'})
+ data = jsonutils.loads(self.stream.getvalue())
+ self.assertEqual('***', data['args']['password'])
+

 def get_fake_datetime(retval):
     class FakeDateTime(datetime.datetime):