yahoo-eng-team team mailing list archive
Message #20515
[Bug 1348838] Re: Glance logs password hashes in swift URLs
** Changed in: glance
Status: Fix Committed => Fix Released
** Changed in: glance
Milestone: None => juno-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1348838
Title:
Glance logs password hashes in swift URLs
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Bug description:
Example:
2014-07-25 20:03:36.346 780 DEBUG glance.registry.api.v1.images [1c66afef-0bc9-4413-b63a-c81585c2a981 2eae458f42e64420af5e3a2cab07e03a 9bc19f6aabc944c382bf553cb8131b17 - - -] Updating image dfd7e14c-eb02-487e-8112-d1881ae031d9 with metadata: {u'status': u'active', 'locations': [u'swift+http://service%3Aimage:GyQLQqJbh3jzBfRvAs8nw8WDQ3xUtO7nw49t33R96WddHww0zJ2CSU7AtgFtf76J@proxy:8770/v2.0/glance-images/dfd7e14c-eb02-487e-8112-d1881ae031d9']} update /usr/lib/python2.7/dist-packages/glance/registry/api/v1/images.py:445
We've found that the following regex will catch all of the password
hashes:
r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@"
Since it's a debug-level log message, we can avoid leaking sensitive
data by turning off debug logging, but we often find ourselves needing
the debug logs to diagnose issues. We'd like to fix this problem at
the source by sanitizing out the password hashes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348838/+subscriptions
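
Added example, not part of the bug report and not Glance's actual fix: a logging filter that redacts the credentials of swift store URLs before a record is emitted, using the regex quoted in the report and a tightened variant. The names SwiftCredentialFilter, redact, STRICT_RE and the sample URL are assumptions made for this illustration.

```python
import logging
import re

# Regex quoted in the bug report above.
REPORTED_RE = re.compile(r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@")
# Tightened variant (an assumption of this example): the userinfo part may not
# contain whitespace, '/' or '@', so a credential-free URL followed by a later
# '@' on the same line is left alone.
STRICT_RE = re.compile(r"(swift(?:\+https?)?)://[^\s/@]*@")


def redact(text, pattern=STRICT_RE):
    """Replace the user:key@ part of swift store URLs with a fixed marker."""
    return pattern.sub(r"\1://***@", text)


class SwiftCredentialFilter(logging.Filter):
    """Hypothetical filter: format the record first, then redact the result."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # arguments are already merged into msg
        return True


def demo():
    # Constructed sample modelled on the log line in the report; the key is fake.
    meta = {"locations": ["swift+http://service%3Aimage:FAKEKEY123@proxy:8770/v2.0/glance-images/img"]}
    records = []

    class Capture(logging.Handler):
        def emit(self, record):
            records.append(record.getMessage())

    log = logging.getLogger("redaction-demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = Capture()
    handler.addFilter(SwiftCredentialFilter())
    log.addHandler(handler)
    log.debug("Updating image with metadata: %s", meta)
    log.removeHandler(handler)
    return records[0]


if __name__ == "__main__":
    print(demo())
```

Redacting after formatting matters here because the URL arrives inside a log argument (the metadata dict), not in the format string itself.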