[
https://issues.apache.org/jira/browse/CLOUDSTACK-6213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13968083#comment-13968083
]
Mandar Barve commented on CLOUDSTACK-6213:
------------------------------------------
This solution, for which I have posted a pilot patch, has the following potential
drawbacks:
1. For a sensitive API we need to load all "Param/Parameter" annotations
iteratively. This can be time consuming.
2. We also have to iterate multiple times in the cleanString utility function
ensuring every identified sensitive keyword is stripped.
3. This adds multiple iterations in the code path for stripping sensitive data.
Other potential solution to think about could be:
1. Augment the list of "hard coded" keywords with what we know as the
additional sensitive keywords (by carefully going through various response key
words, which will be required either way). Hopefully this won't come out to be
too big a list.
2. Devise a scheme of tagging sensitive API request/response parameters with a
well known prefix or a suffix. The filter REGEX can be augmented further to
look for such substrings. This can remove the need for iterative code.
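Added example (not CloudStack code and not part of the comment above): one way to implement the @Parameter flag the issue asks for while keeping the drawbacks listed above in check. The annotation names (@Parameter with a sensitive flag, @APICommand with requestHasSensitiveInfo), the CreateUserCmd class and the hard-coded keyword list are hypothetical stand-ins for the project's real ones. Reflection over the annotations happens once per command class and the result is cached, and the hard-coded keywords plus the annotated names are folded into a single compiled alternation so that cleanString makes one pass over the log line instead of one pass per keyword.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

public class SensitiveParamScrubber {

    // Hypothetical stand-in for the project's command-level annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface APICommand {
        boolean requestHasSensitiveInfo() default true;
    }

    // Hypothetical stand-in for @Parameter, carrying the proposed "sensitive" flag.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    public @interface Parameter {
        String name();
        boolean sensitive() default false;
    }

    // Hypothetical command class; real CloudStack command classes differ.
    @APICommand(requestHasSensitiveInfo = true)
    public static class CreateUserCmd {
        @Parameter(name = "username") private String username;
        @Parameter(name = "password", sensitive = true) private String password;
        @Parameter(name = "userapitoken", sensitive = true) private String userApiToken;
    }

    // Constructed list standing in for the keywords the existing filter hard codes.
    private static final String[] HARDCODED = {"password", "accesskey", "secretkey", "privatekey"};

    // Pattern per command class, built once by reflection and reused afterwards.
    private static final Map<Class<?>, Pattern> CACHE = new ConcurrentHashMap<>();

    static Pattern patternFor(Class<?> cmdClass) {
        return CACHE.computeIfAbsent(cmdClass, SensitiveParamScrubber::buildPattern);
    }

    private static Pattern buildPattern(Class<?> cmdClass) {
        Set<String> keys = new LinkedHashSet<>();
        for (String k : HARDCODED) {
            keys.add(Pattern.quote(k));
        }
        for (Field f : cmdClass.getDeclaredFields()) {
            Parameter p = f.getAnnotation(Parameter.class);
            if (p != null && p.sensitive()) {
                keys.add(Pattern.quote(p.name()));
            }
        }
        // One alternation over every sensitive key; matches "key=value" up to the
        // next '&' or whitespace, case-insensitively on the key.
        String alternation = String.join("|", keys);
        return Pattern.compile("(?i)\\b(" + alternation + ")=[^&\\s]*");
    }

    /** Strips the values of sensitive request parameters from one log line. */
    public static String cleanString(Class<?> cmdClass, String logLine) {
        APICommand cmd = cmdClass.getAnnotation(APICommand.class);
        if (cmd != null && !cmd.requestHasSensitiveInfo()) {
            return logLine; // nothing to scrub for this command
        }
        // "$1=" keeps the key so the log still shows which parameter was present.
        return patternFor(cmdClass).matcher(logLine).replaceAll("$1=");
    }

    public static void main(String[] args) {
        // Constructed sample request line, not a real CloudStack log entry.
        String line = "command=createUser&username=alice&password=s3cr3t"
                + "&userapitoken=AbC123&domainid=1";
        System.out.println(cleanString(CreateUserCmd.class, line));
    }
}
```

Annotated names that already appear in the hard-coded list are deduplicated by the set, so augmenting the keyword list (option 1 above) and tagging parameters via the annotation can coexist without changing the scrub path.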
> Add new field to API @Parameter indicating if the param should be skipped
> from logs
> -----------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6213
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6213
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Affects Versions: 4.4.0
> Reporter: Alena Prokharchyk
> Assignee: Mandar Barve
> Fix For: Future
>
>
> There are 2 parameters in @Apicommand:
> requestHasSensitiveInfo
> responseHasSensitiveInfo
> If set to true, the command will go through validation and certain parameters
> will be skipped from logging. Today these parameters are hardcoded. We have
> to introduce a generic way of marking these parameters as "excluded from
> logging". A new field should be added to @Parameter for this purpose.
--
This message was sent by Atlassian JIRA
(v6.2#6252)