nova.exception._cleanse_dict should use oslo_utils.strutils._SANITIZE_KEYS
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | In Progress | Low | Unassigned | |
oslo.messaging | Fix Released | Medium | Ryan Rossiter | |
Bug Description
The wrap_exception decorator in nova.exception uses the _cleanse_dict helper method to remove any keys from the args/kwargs list of the method that was called, but only checks those keys of the form *_pass:
http://
def _cleanse_
"""Strip all admin_password, new_pass, rescue_pass keys from a dict."""
return {k: v for k, v in six.iteritems(
The oslo_utils.strutils module has its own list of keys to sanitize, used in its mask_password method:
http://
_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
The nova code should probably be using some form of the same thing that strutils is using for mask_password, which uses a regex to find hits. For example, if the arg was 'auth_token' or simply 'password', _cleanse_dict would fail to filter it out.
You could also argue that the oslo.messaging log notifier should be using oslo_utils.
Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Changed in oslo.messaging:
status: New → Confirmed
importance: Undecided → Medium
Changed in oslo.messaging:
milestone: none → 2.4.0
status: Fix Committed → Fix Released
Changed in nova:
assignee: nobody → Sivasathurappan Radhakrishnan (siva-radhakrishnan)
tags: added: notifications
tags: added: low-hanging-fruit
Changed in nova:
assignee: nobody → Hesam Chobanlou (hesamchobanlou)
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
assignee: Hesam Chobanlou (hesamchobanlou) → nobody
Do we want to maintain the current functionality of _cleanse_dict() that removes the keys, or do we want to move closer to strutils and have it leave the keys, but mask the values?
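The gap described in this report, and the two behaviours asked about in the last comment (drop the keys or mask the values), shown as an added example that is not nova or oslo code. `cleanse_substring` is an assumed reconstruction from the description and docstring; `SENSITIVE_KEYS`, `sanitize` and the sample kwargs are constructed for illustration.

```python
import re

# Constructed for this example: the first four names are the ones visible in
# the truncated _SANITIZE_KEYS excerpt; the other three are assumptions added
# for illustration, not a copy of the strutils list.
SENSITIVE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                  'new_pass', 'rescue_pass', 'auth_token']
_SENSITIVE_RE = re.compile('|'.join(map(re.escape, SENSITIVE_KEYS)),
                           re.IGNORECASE)


def cleanse_substring(kwargs):
    """Assumed reconstruction of the reported behaviour: drop '*_pass*' keys."""
    return {k: v for k, v in kwargs.items() if '_pass' not in k}


def sanitize(kwargs, mask=None):
    """Key-list based cleanse that also walks nested dicts.

    mask=None drops matching keys (what _cleanse_dict does today);
    a string keeps the key and replaces its value (the strutils approach).
    """
    out = {}
    for key, value in kwargs.items():
        if _SENSITIVE_RE.search(str(key)):
            if mask is not None:
                out[key] = mask
        elif isinstance(value, dict):
            out[key] = sanitize(value, mask)
        else:
            out[key] = value
    return out


# Constructed kwargs, standing in for what wrap_exception would receive.
SAMPLE = {
    'instance_id': 'constructed-uuid',
    'admin_password': 'hunter2',
    'new_pass': 'hunter3',
    'password': 'hunter4',
    'auth_token': 'tok-123',
    'connection_info': {'driver': 'iscsi', 'password': 'nested'},
}

if __name__ == '__main__':
    print('substring filter:', cleanse_substring(SAMPLE))
    print('drop keys:       ', sanitize(SAMPLE))
    print('mask values:     ', sanitize(SAMPLE, mask='***'))
```

Masking keeps the shape of the payload visible to whoever reads the notification, while dropping hides that a credential was passed at all; either way the nested `password` is only caught because the walk recurses.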