Public bug reported:

When OpenStack/Keystone is configured with ldap, it logs personal information in debug mode. The information logged is based completely on the parameters given as input while configuring ldap.

But in a production environment, LDAP generally has information about real people (natural person) and with GDPR compliance around the corner, we should be very careful about what we log. Personal information about a natural person cannot be logged, stored or transferred without the consent of the person themselves. Having said that, the information logged below is very useful while debugging OpenStack/LDAP configuration issues.

https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L920

2018-04-20 09:49:10.548 19412 DEBUG keystone.identity.backends.ldap.common [req-7abe3850-9937-4867-a1a7-f92d7757ccb1 8ed02367de541e8741badb6ce097a975a9233b464e6d215dde7bac48a3f2f54a 6d6da87e2345480b93821568c958cc81 - 46f848196da64f9caaf8e5304bba870b 46f848196da64f9caaf8e5304bba870b] LDAP search: base=o=xxx_suffix scope=2 filterstr=(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount)) attrs=['cn', 'userPassword', 'enabled', 'mail', 'postaladdress', 'desc'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922

keystone.log:2018-04-19 04:26:04.680 72157 DEBUG keystone.identity.backends.ldap.common [req-3a092189-a85a-40da-8ffe-88bec3d430d8 d61bbf804a64cdc47df20632987500c868562fe0627fc9c497ca4494f96adcd8 9ea574babbca4cd5a5e336017aec1867 - fa87845eedd847708aa71d51ef84aea6 fa87845eedd847708aa71d51ef84aea6] LDAP search: base=cn=Users,dc=finktest,dc=org scope=2 filterstr=(&([email protected])(objectClass=user)) attrs=['description', 'userPassword', 'enabled', 'userPrincipalName', 'mail', 'cn'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1767323

Title:
  Keystone ldap logs personal information

Status in OpenStack Identity (keystone):
  New
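Added example (not part of the bug report and not Keystone's code): a Python logging filter that masks the assertion values inside the `filterstr` of an "LDAP search:" debug line while keeping the base, scope, attribute names and filter structure that make the line useful for debugging. The allow-list, the logger name `demo.ldap` and the sample values are assumptions constructed for the illustration.

```python
import io
import logging
import re

# RFC 4515 simple item "(attr op value)"; raw parentheses in a value must be escaped.
_ITEM = re.compile(r"\(([^=~<>()]+)(~=|>=|<=|=)([^()]*)\)")
_SEARCH = re.compile(r"LDAP search: .*?filterstr=(\(.*\)) attrs=", re.S)
# Assumption: only these attributes carry schema information rather than personal data.
KEEP_VALUES = frozenset({"objectclass"})


def redact_ldap_filter(filterstr, keep=KEEP_VALUES):
    """Mask assertion values; keep attribute names, operators and nesting."""
    def _mask(m):
        attr, op, value = m.groups()
        base = attr.split(":")[0].split(";")[0].strip().lower()
        if base in keep or value == "*":  # presence test "(attr=*)" has no value
            return m.group(0)
        return "(%s%s<redacted>)" % (attr, op)
    return _ITEM.sub(_mask, filterstr)


class LdapSearchRedactor(logging.Filter):
    """Rewrite 'LDAP search:' records before a handler emits them."""

    def filter(self, record):
        msg = record.getMessage()
        m = _SEARCH.search(msg)
        if m:
            record.msg = msg[:m.start(1)] + redact_ldap_filter(m.group(1)) + msg[m.end(1):]
            record.args = None  # message is already formatted
        return True


def demo():
    """Send one constructed search line through the filter; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(LdapSearchRedactor())  # handler-level: covers every logger feeding it
    log = logging.getLogger("demo.ldap")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    log.debug("LDAP search: base=%s scope=%s filterstr=%s attrs=%s attrsonly=%s",
              "dc=example,dc=org", 2,  # constructed sample values
              "(&(mail=alice@example.org)(objectClass=user))", ["cn", "mail"], 0)
    log.removeHandler(handler)
    return buf.getvalue().strip()
```

The filter is attached to the handler rather than to a logger because logger-level filters are not applied to records that arrive from child loggers. The search base is left untouched, so a base DN that itself names a person would still be logged.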

