Hi Travis,

By and large we have addressed this in the Session code within Keystoneclient 
via the function here (and other similar cases): 
https://github.com/openstack/python-keystoneclient/blob/01cabf6bbbee8b5340295f3be5e1fa7111387e7d/keystoneclient/session.py#L126-L131

If/when Glanceclient is moved to consuming the session code, it should help 
alleviate the issues with printing the Token IDs in the logs themselves.

Along with the changes for the session code, all tokens issued from Keystone 
(Juno and beyond) will also include audit_id fields that are safe to use in 
logging (they are part of the token data). There are two elements to the 
audit_ids field. The first will always exist and is the local token’s 
audit_id (audit ids are randomly generated and should be considered as globally 
unique as a UUID). The second element will exist if the token has ever been 
part of a rescope (exchange of a token for another token of a different scope, 
e.g. changing to a new project/tenant). The second audit_id is the audit_id of 
the first token in the chain (unique for the entire chain of tokens).

I don’t believe we’re exposing the audit_ids yet to the services behind the 
auth_token middleware nor using them for logging in cases such as the above 
linked logging function. I would like to eventually see the audit_ids used 
(where they exist) for logging cases like this.

I’m sure Jamie Lennox can chime in and provide a bit more insight as to the 
status of converting Glanceclient to using session as I know he’s been working 
on the client front in this regard. I hope that sometime within the K 
development cycle timeline we will be converting the logging over to audit_ids 
where possible (but that has not been 100% decided on).

Cheers,
Morgan

—
Morgan Fainberg


-----Original Message-----
From: Tripp, Travis S <travis.tr...@hp.com>
Reply: OpenStack Development Mailing List (not for usage questions) 
<openstack-dev@lists.openstack.org>
Date: September 11, 2014 at 17:35:30
To: OpenStack Development Mailing List (not for usage questions) 
<openstack-dev@lists.openstack.org>
Subject:  [openstack-dev] masking X-Auth-Token in debug output - proposed 
consistency

> Hi All,
>  
> I'm just helping with bug triage in Glance and we've got a bug to update how
> tokens are redacted in the glanceclient [1]. It says to update to whatever
> cross-project approach is agreed upon and references this thread:
>
> http://lists.openstack.org/pipermail/openstack-dev/2014-June/037345.html
>
> I just went through the thread and as best as I can tell there wasn't a
> conclusion in the ML. However, if we are going to do anything, IMO the thread
> leans toward {SHA1}, with Morgan Fainberg dissenting. However, he references a
> patch that was ultimately abandoned.
>
> If there was a conclusion to this, please let me know so I can update and
> work on closing this bug.
>  
> [1] https://bugs.launchpad.net/python-glanceclient/+bug/1329301
>  
> Thanks,
> Travis
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>  
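
An added example, not code from this thread or from keystoneclient: a debug-log helper that tags secure headers as {SHA1} digests and, where token data is available, logs the audit_ids described above instead. The function names, the `{"token": {"audit_ids": [...]}}` layout, and treating a never-rescoped token's own audit_id as its chain id are assumptions.

```python
import hashlib

# Headers whose values are bearer credentials and must never be logged raw.
SECURE_HEADERS = ("authorization", "x-auth-token", "x-subject-token")


def redact_header(name, value):
    """Return a (name, value) pair that is safe for debug output."""
    if name.lower() in SECURE_HEADERS:
        digest = hashlib.sha1(value.encode("utf-8")).hexdigest()
        # The digest is only a correlation tag: same token, same tag.
        return name, "{SHA1}" + digest
    return name, value


def token_log_ref(token_id, token_data=None):
    """Choose a log-safe reference for a token.

    Prefers audit_ids from the token data; falls back to the {SHA1} tag
    when the token data carries none.
    """
    # Assumed layout: {"token": {"audit_ids": [own, chain_root]}}.
    audit_ids = ((token_data or {}).get("token") or {}).get("audit_ids") or []
    if audit_ids:
        own = audit_ids[0]
        # Assumption: a token that was never rescoped starts its own chain.
        chain = audit_ids[1] if len(audit_ids) > 1 else own
        return {"audit_id": own, "audit_chain_id": chain}
    return {"token_hash": redact_header("X-Auth-Token", token_id)[1]}


def debug_line(method, url, headers, token_data=None):
    """Build one debug line with secure headers replaced by safe references."""
    parts = ["REQ: %s %s" % (method, url)]
    for name, value in sorted(headers.items()):
        if name.lower() == "x-auth-token" and token_data is not None:
            ref = token_log_ref(value, token_data)
            value = ",".join("%s=%s" % kv for kv in sorted(ref.items()))
        else:
            name, value = redact_header(name, value)
        parts.append('-H "%s: %s"' % (name, value))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values, not real tokens or audit ids.
    rescoped = {"token": {"audit_ids": ["constructedAuditB", "constructedAuditA"]}}
    hdrs = {"X-Auth-Token": "constructed-token-id", "Accept": "application/json"}
    print(debug_line("GET", "http://glance.example/v2/images", hdrs))
    print(debug_line("GET", "http://glance.example/v2/images", hdrs, rescoped))
```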

