On Wed, Nov 18, 2015 at 9:48 AM, Ruby Loo <[email protected]> wrote:
> Hi,
>
> I think we all agree that it isn't OK to log credentials (like passwords)
> in DEBUG logs. However, what about other information that might be
> sensitive? A patch was recently submitted to log (in debug) the Swift
> temporary URL [1]. I agree that it would be useful for debugging, but since
> that temporary URL could be used (by someone that has access to the logs
> but no admin access to ironic/glance), e.g. for fetching private images, is it
> OK?
>
> Even though we say that debug shouldn't be used in production, we can't
> enforce what folks choose to do. And we know of at least one company that
> runs their production environment with the debug setting. Which isn't to
> say we shouldn't put things in debug, but I think it would be useful to
> have some guidelines as to what we can safely expose or not.
>
> I took a quick look at the security web page [2] but nothing jumped out at
> me wrt this issue.
>
> Thoughts?
>
> --ruby
>
> [1] https://review.openstack.org/#/c/243141/
> [2] https://security.openstack.org

In this context, the URL is a time-limited access code being used in place of
a password or keystone auth token to allow an unprivileged client temporary
access to a specific privileged resource, without granting that client access
to any other resources. In some cases, that resource might be a public Glance
image and so one might say, "oh, it's not _that_ sensitive". However, the same
module being affected by [1] is also used by the iLO driver to upload a
temporary image containing sensitive instance-specific data.

I agree that it's not the same risk as exposing a password, but I still
consider this an access token, and therefore don't think it should be written
to log files, even at DEBUG.

-Deva
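To make the "it's an access token" point concrete, here is an added example (not code from the ironic review, from Swift, or from swiftclient). A Swift TempURL carries the bearer credential in its query string: `temp_url_sig` is an HMAC-SHA1 over `"METHOD\nEXPIRES\nPATH"` keyed with the account's temp-URL key, and anyone holding the URL can use it until `temp_url_expires`. The key, base URL, object path and expiry below are constructed values, and `make_temp_url` is a minimal re-implementation for illustration (in practice use `swiftclient.utils.generate_temp_url`). The practical check is a redaction helper that keeps the debugging-useful parts of the URL (host, path, expiry) and blanks the signature, plus a scanner that flags log lines where a signature has leaked anyway.

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed secret for the example only; a real deployment takes this from
# the account's X-Account-Meta-Temp-URL-Key and never embeds it in source.
TEMP_URL_KEY = b"example-temp-url-key"

# Query parameters that act as the credential. temp_url_sig is the only one
# Swift uses; the set exists so other signed-URL schemes can be added later.
SENSITIVE_PARAMS = frozenset({"temp_url_sig"})

# A Swift signature is a 40-character hex SHA1 digest.
_SIG_RE = re.compile(r"temp_url_sig=([0-9a-f]{40})")


def make_temp_url(base, method, path, expires, key=TEMP_URL_KEY):
    """Build a Swift-style TempURL: HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH".

    Minimal illustration of the scheme; it is not the project's code.
    """
    hmac_body = f"{method}\n{expires}\n{path}".encode()
    sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
    return f"{base}{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def redact_temp_url(url, sensitive=SENSITIVE_PARAMS):
    """Return a copy of url that is safe to write to a log.

    The signature value is replaced with the literal REDACTED; scheme, host,
    path and temp_url_expires are kept because they are what an operator
    actually needs when debugging an image fetch.
    """
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k in sensitive else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def find_leaked_signatures(lines):
    """Return the indices of log lines that still contain a full TempURL
    signature, for use as a cheap detection over an existing log file."""
    return [i for i, line in enumerate(lines) if _SIG_RE.search(line)]


if __name__ == "__main__":
    # Constructed inputs: a Glance image object and an expiry in Nov 2015.
    url = make_temp_url("https://swift.example.com", "GET",
                        "/v1/AUTH_test/glance/img-1", 1447862880)
    unsafe_line = f"DEBUG fetching {url}"          # what the patch would log
    safe_line = f"DEBUG fetching {redact_temp_url(url)}"
    print(unsafe_line)
    print(safe_line)
    print("leaked in:", find_leaked_signatures([unsafe_line, safe_line]))
```

The redacted form still tells you which object was requested and when the grant expires, which covers the debugging case without handing a log reader a usable token. Running `find_leaked_signatures` over an existing log is a reasonable one-off check before deciding whether a deployment's DEBUG logs already need to be treated as credential material.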
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
