Public bug reported:

The wrap_exception decorator in nova.exception uses the _cleanse_dict helper method to remove any keys from the args/kwargs list of the method that was called, but only checks those keys of the form *_pass:

http://git.openstack.org/cgit/openstack/nova/tree/nova/exception.py?id=12.0.0.0b2#n57

    import six

    def _cleanse_dict(original):
        """Strip all admin_password, new_pass, rescue_pass keys from a dict."""
        return {k: v for k, v in six.iteritems(original) if "_pass" not in k}

The oslo_utils.strutils module has its own list of keys to sanitize, used in its mask_password method:

http://git.openstack.org/cgit/openstack/oslo.utils/tree/oslo_utils/strutils.py#n54

    _SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                      'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                      'sys_pswd']

The nova code should probably be using some form of the same thing that strutils is using for mask_password, which uses a regex to find hits.

For example, if the arg was 'auth_token' or simply 'password', _cleanse_dict would fail to filter it out.

You could also argue that the oslo.messaging log notifier should be using oslo_utils.strutils.mask_password before it logs the message - which isn't happening in that library today.

** Affects: nova
     Importance: Low
         Status: Confirmed

** Changed in: nova
       Status: New => Confirmed

** Changed in: nova
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1487038

Title:
  nova.exception._cleanse_dict should use oslo_utils.strutils._SANITIZE_KEYS

Status in OpenStack Compute (nova):
  Confirmed
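The gap described in the report, as an added example that is not code from nova, oslo.utils or the reporter: it runs the quoted "_pass" filter over constructed kwargs and lists the sensitive keys that survive. cleanse_dict_with_keys, is_sensitive and leaked_keys are hypothetical helpers; they use plain substring matching on the report's key list rather than the mask_password regex, and they go beyond the report by also checking nested dicts.

```python
# Added illustration (not nova/oslo code); key list copied from the report.
SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                 'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                 'sys_pswd']


def cleanse_dict_current(original):
    """Behaviour quoted in the report: drop only keys containing '_pass'."""
    return {k: v for k, v in original.items() if "_pass" not in k}


def is_sensitive(key):
    """Hypothetical rule: case-insensitive substring match on the key list,
    plus the existing '_pass' rule so keys like rescue_pass stay covered."""
    low = str(key).lower()
    return "_pass" in low or any(s.lower() in low for s in SANITIZE_KEYS)


def cleanse_dict_with_keys(original):
    """Hypothetical replacement: also recurses into nested dicts and lists."""
    if isinstance(original, dict):
        return {k: cleanse_dict_with_keys(v) for k, v in original.items()
                if not is_sensitive(k)}
    if isinstance(original, (list, tuple)):
        return [cleanse_dict_with_keys(v) for v in original]
    return original


def leaked_keys(cleansed, prefix=""):
    """Dotted paths of sensitive keys still present after cleansing."""
    found = []
    if isinstance(cleansed, dict):
        for k, v in cleansed.items():
            if is_sensitive(k):
                found.append(prefix + str(k))
            found.extend(leaked_keys(v, prefix + str(k) + "."))
    elif isinstance(cleansed, (list, tuple)):
        for v in cleansed:
            found.extend(leaked_keys(v, prefix))
    return sorted(found)


# Constructed sample kwargs, shaped like arguments to a wrapped method.
SAMPLE_KWARGS = {
    "instance_uuid": "constructed-uuid", "new_pass": "constructed-1",
    "password": "constructed-2", "auth_token": "constructed-3",
    "adminPass": "constructed-4",
    "connection_info": {"data": {"auth_password": "constructed-5"}},
}
```

Running leaked_keys over the output of each cleanser is a quick regression check that a notification payload carries no key from the list before it reaches a log or notifier.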

