yahoo-eng-team team mailing list archive

[Bug 1348844] Re: Keystone logs auth tokens in URLs at log level info


I'd say this is Won't Fix for v2.0. You can use custom logging levels in
eventlet.wsgi.server to suppress this class of logs altogether, but our
solution to the "tokens in URLs" problem was solved by introducing v3
which does not do that - we can't change the v2 API, and I'm not sure
it's a good idea to suppress all of eventlet.wsgi.server INFO logs as
the default upstream behavior. Alternatively, deploy to httpd and tune
the access logs there :)

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1348844

Title:
  Keystone logs auth tokens in URLs at log level info

Status in OpenStack Identity (Keystone):
  Won't Fix

Bug description:
  Example:

  2014-07-25 22:28:25.352 1458 INFO eventlet.wsgi.server [-] 10.241.1.50,10.241.1.80 - - [25/Jul/2014 22:28:25] "GET /v2.0/tokens/d5036612660543a3a9b8054c79dea8d3 HTTP/1.1" 200 3174 0.021630

  We've found that this regex can catch all of these messages:

  /v2.0/tokens/[\da-f]{32}

  Keystone also logs a bunch of other sensitive data in debug level
  messages, but this one is still present even if you only take info
  level messages and above.  We'd like to solve this problem at the
  source instead of grepping it out of our log files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1348844/+subscriptions
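One way to do the "at the source" scrubbing the reporter asks for, as an added example that is not part of this bug thread or of Keystone itself: a Python logging.Filter that applies the report's regex to every record before any handler formats it, run here over constructed access lines in the eventlet.wsgi.server format quoted above. The logger name and the `<redacted>` placeholder are assumptions.

```python
import logging
import re

# Pattern from the bug report; the path prefix is kept so only the
# 32-hex token id is replaced.
TOKEN_URL_RE = re.compile(r"(/v2\.0/tokens/)[\da-f]{32}")


def redact_token_urls(line: str) -> str:
    """Replace the token id in a /v2.0/tokens/<id> path with a placeholder."""
    return TOKEN_URL_RE.sub(r"\1<redacted>", line)


class TokenRedactingFilter(logging.Filter):
    """Scrub token ids out of a record before any handler formats it.
    Args are folded into the message first; the record is still emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_token_urls(record.getMessage())
        record.args = ()  # already folded in; avoids a second % pass
        return True


# Constructed sample lines in the eventlet.wsgi.server access format from
# the report (the id is the one quoted there, not a live token).
SAMPLE_LINES = [
    '10.241.1.50,10.241.1.80 - - [25/Jul/2014 22:28:25] "GET '
    '/v2.0/tokens/d5036612660543a3a9b8054c79dea8d3 HTTP/1.1" 200 3174 0.021630',
    '10.241.1.50,10.241.1.80 - - [25/Jul/2014 22:28:26] "POST '
    '/v2.0/tokens HTTP/1.1" 200 3174 0.018000',
]


def emitted_with_filter(lines):
    """Log each line through a handler carrying the filter; return the output."""
    captured = []

    class Capture(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("redaction.demo")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = Capture()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(TokenRedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info("%s", line)
    logger.removeHandler(handler)
    return captured
```

Attaching the filter to the handler that writes the wsgi access log keeps the request line, status and timing for troubleshooting while the token id never reaches disk.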