I tried this with the keystone command and passwords and tokens are still being printed.
$ keystone --debug user-list
DEBUG:keystoneclient.session:REQ: curl -i -X POST http://localhost:5000/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "admin", "password": "mypassword"}}}'
...
RESP BODY: {"access": {"token": {"issued_at": "2014-07-28T19:08:05.637184", "expires": "2014-07-28T20:08:05Z", "id": "PKIZ_<LONG-TOKEN-IN-CLEAR>", ...
...
DEBUG:keystoneclient.session:REQ: curl -i -X GET http://192.168.122.176:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: PKIZ_<LONG-TOKEN-IN-CLEAR>"

** Changed in: python-keystoneclient
       Status: Fix Released => Confirmed

https://bugs.launchpad.net/bugs/1004114

Title:
  Password logging

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Notes:
  New
Status in Python client library for Keystone:
  Confirmed

Bug description:
  When the log level is set to DEBUG, keystoneclient's full-request
  logging mechanism kicks in, exposing plaintext passwords, etc.

  This bug is mostly out of the scope of Horizon, however Horizon can
  also be more secure in this regard. We should make sure that wherever
  we *are* handling sensitive data we use Django's error report
  filtering mechanisms so they don't appear in tracebacks, etc.
  (https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports)

  Keystone may also want to look at respecting such annotations in their
  logging mechanism, i.e. if Django were properly annotating these data
  objects, keystoneclient could check for those annotations and properly
  sanitize the log output.

  If not this exact mechanism, then something similar would be wise.

  For the time being, it's also worth documenting in both projects that
  a log level of DEBUG will log passwords in plain text.
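A handler-level log filter of the kind the bug description asks for, as an added example rather than keystoneclient's or Horizon's own fix. The regexes, the `RedactSecrets` and `token_digest` names and the sample lines are assumptions built from the debug output quoted above.

```python
import hashlib
import io
import logging
import re

# Patterns are assumptions modelled on the debug lines quoted in this thread.
PASSWORD = re.compile(r'("password"\s*:\s*")((?:[^"\\]|\\.)*)(")')
TOKEN_HEADER = re.compile(r'(X-Auth-Token:\s*)([^\s"\']+)')
TOKEN_BODY = re.compile(r'("token"\s*:\s*\{[^{}]*?"id"\s*:\s*")([^"]+)(")')

def token_digest(secret):
    # A short SHA-256 prefix lets operators correlate requests without the token.
    return "{SHA256}" + hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]

def redact(text):
    """Mask passwords outright; replace tokens with a digest."""
    text = PASSWORD.sub(r"\1***\3", text)
    text = TOKEN_HEADER.sub(lambda m: m.group(1) + token_digest(m.group(2)), text)
    return TOKEN_BODY.sub(
        lambda m: m.group(1) + token_digest(m.group(2)) + m.group(3), text)

class RedactSecrets(logging.Filter):
    """Hypothetical handler filter: scrub the formatted message before output."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True

# Constructed sample lines in the shape of the debug output above.
SAMPLE = [
    'REQ: curl -i -X POST http://localhost:5000/v2.0/tokens -d \'{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "admin", "password": "mypassword"}}}\'',
    'RESP BODY: {"access": {"token": {"expires": "2014-07-28T20:08:05Z", "id": "PKIZ_constructed"}}}',
    'REQ: curl -i -X GET http://localhost:35357/v2.0/users -H "X-Auth-Token: PKIZ_constructed"',
]

def demo():
    """Log SAMPLE through a filtered handler and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecrets())  # on the handler, so it sees every record
    log = logging.getLogger("keystoneclient.session")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    for line in SAMPLE:
        log.debug("%s", line)
    log.removeHandler(handler)
    return stream.getvalue()
```

The filter is attached to the handler rather than to the `keystoneclient.session` logger because logger-level filters do not run for records that propagate up from child loggers.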

