Running an openstackclient command with --debug or -vv unexpectedly outputs the password in plaintext, multiple times. This is going to cause people to pastebin their user credentials while using openstack client.
The password is logged in plain text in 3 locations:
1.) Under options: (second line of output)
2.) Under defaults: (third line of output)
3.) Under the Using parameters {'username': '<username>', 'tenant_name': '<tenantname>', 'password': '<password>
I believe that all output from the tool should have sensitive information scrubbed from the output.
Specific output as an example:
$ openstack -vv availability zone list
START with options: ['-vv', 'availability', 'zone', 'list']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='https://openstack-dev.int.godaddy.com:35357/v2.0/', cacert='', client_id='', client_secret='', cloud='', debug=False, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_data_processing_api_version='1.1', os_dns_api_version='', os_identity_api_version='', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_queues_api_version='1.1', os_volume_api_version='', password=mypasswordinplaintext, project_domain_id='', project_domain_name='', project_id='', project_name='openstack', protocol='', region_name='', scope='', service_provider_endpoint='', timing=False, token='', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='myusername', verbose_level=3, verify=None)
defaults: {'auth_type': 'password', 'compute_api_version': '2', 'database_api_version': '1.0', 'api_timeout': None, 'baremetal_api_version': '1', 'interface': None, 'image_api_use_tasks': False, 'endpoint_type': 'public', 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'network_api_version': '2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'compute_api_version': '2', 'database_api_version': '1.0', 'data_processing_api_version': '1.1', 'network_api_version': '2', 'object_api_version': '1', 'queues_api_version': '1.1', 'verify': True, 'timing': False, 'verbose_level': 3, 'region_name': '', 'api_timeout': None, 'baremetal_api_version': '1', 'image_api_version': '1', 'auth': {'username': 'myusername', 'tenant_name': 'openstack', 'project_name': 'openstack', 'password': mypasswordinplaintext, 'auth_url': 'https://openstack-dev.int.godaddy.com:35357/v2.0/'}, 'default_domain': 'default', 'image_api_use_tasks': False, 'endpoint_type': 'public', 'floating_ip_source': 'neutron', 'key': None, 'interface': None, 'cacert': None, 'deferred_help': False, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'debug': False, 'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 1, cmd group openstack.image.v1
volume API version 1, cmd group openstack.volume.v1
identity API version 2, cmd group openstack.identity.v2
object_store API version 1, cmd group openstack.object_store.v1
dns API version 2, cmd group openstack.dns.v2
data_processing API version 1.1, cmd group openstack.data_processing.v1
messaging API version 1.1, cmd group openstack.messaging.v1
command: availability zone list -> openstackclient.compute.v2.availability_zone.ListAvailabilityZone
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters {'username': 'myusername', 'tenant_name': 'openstack', 'password': mypasswordinplaintext, 'project_name': 'openstack', 'auth_url': 'https://openstack-dev.int.godaddy.com:35357/v2.0/'}
Get auth_ref
REQ: curl -g -i -X GET https://openstack-dev.int.godaddy.com:35357/v2.0/ -H "Accept: application/json" -H "User-Agent: python-openstackclient"
RESP: [200] Vary: X-Auth-Token Content-Type: application/json Content-Length: 357 x-openstack-request-id: req-feeb6ea9-7936-4428-9628-ee15fd6b831a Connection: close
RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "https://openstack-dev.int.godaddy.com:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}
Making authentication request to https://openstack-dev.int.godaddy.com:35357/v2.0/tokens
take_action(Namespace(columns=[], formatter='table', long=False, max_width=0, noindent=False, quote_mode='nonnumeric'))
Instantiating compute client for VAPI Version Major: 2, Minor: 0
Making authentication request to https://openstack-dev.int.godaddy.com:35357/v2.0/tokens
REQ: curl -g -i -X GET https://openstack-dev.int.godaddy.com:8774/v2/f48e57277a7a484290ba9afdc49a21a9/os-availability-zone/detail -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}20ca58f7998139291b7cb394503f0cf8e820e38b"
RESP: [200] Content-Type: application/json Content-Length: 200 x-compute-request-id: req-869f2d60-6d4d-499d-8deb-6f2c7ae319d4
RESP BODY: {"availabilityZoneInfo": [{"zoneState": {"available": true}, "hosts": null, "zoneName": "glbt1-dev-lab-zone-1"}, {"zoneState": {"available": true}, "hosts": null, "zoneName": "glbt1-dev-lab-zone-2"}]}
+----------------------+-------------+
| Zone Name | Zone Status |
+----------------------+-------------+
| glbt1-dev-lab-zone-1 | available |
| glbt1-dev-lab-zone-2 | available |
+----------------------+-------------+
clean_up ListAvailabilityZone:
END return value: 0
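An added example, not part of the original report and not openstackclient's own code: one way to scrub the three log lines listed above by redacting a copy of the parsed options and cloud config before they are formatted. The names `redact`, `debug_lines` and `SENSITIVE_KEYS` are hypothetical, the key list is an assumption, and the sample values are constructed.

```python
import argparse

# Assumed set of sensitive option names; the report itself only shows 'password'.
SENSITIVE_KEYS = {"password", "token", "client_secret", "access_token"}
MASK = "***"


def redact(obj):
    """Return a copy of obj (Namespace, dict, list/tuple or scalar) with the
    values of sensitive keys replaced by MASK at any nesting depth.
    Empty values are left as-is so "not set" stays visible when debugging."""
    if isinstance(obj, argparse.Namespace):
        return argparse.Namespace(**redact(vars(obj)))
    if isinstance(obj, dict):
        return {
            k: (MASK if k in SENSITIVE_KEYS and v else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    return obj


def debug_lines(options, cloud_cfg):
    """Build the three debug lines named in the report from redacted copies."""
    safe_cfg = redact(cloud_cfg)
    return [
        "options: %s" % redact(options),
        "cloud cfg: %s" % safe_cfg,
        "Using parameters %s" % safe_cfg.get("auth", {}),
    ]


# Constructed sample input, shaped like the output quoted in the report.
SAMPLE_OPTIONS = argparse.Namespace(
    auth_url="https://keystone.example.test:35357/v2.0/",
    username="myusername", password="mypasswordinplaintext", token="",
    verbose_level=3)
SAMPLE_CLOUD_CFG = {
    "auth_type": "password",
    "auth": {"username": "myusername", "project_name": "openstack",
             "password": "mypasswordinplaintext",
             "auth_url": "https://keystone.example.test:35357/v2.0/"},
    "verbose_level": 3,
}

if __name__ == "__main__":
    for line in debug_lines(SAMPLE_OPTIONS, SAMPLE_CLOUD_CFG):
        print(line)
```

Redacting a copy keeps the real credentials intact for the authentication request while nothing sensitive reaches the log formatter.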
What version are you using?