yahoo-eng-team team mailing list archive

[Bug 1348844] Re: Keystone logs auth tokens in URLs at log level info

This was published as OSSN-0023:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0023

** Changed in: ossn
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1348844

Title:
  Keystone logs auth tokens in URLs at log level info

Status in OpenStack Identity (Keystone):
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Example:

  2014-07-25 22:28:25.352 1458 INFO eventlet.wsgi.server [-]
  10.241.1.50,10.241.1.80 - - [25/Jul/2014 22:28:25] "GET
  /v2.0/tokens/d5036612660543a3a9b8054c79dea8d3 HTTP/1.1" 200 3174
  0.021630

  We've found that this regex can catch all of these messages:

  /v2.0/tokens/[\da-f]{32}

  Keystone also logs a bunch of other sensitive data in debug level
  messages, but this one is still present even if you only take info
  level messages and above.  We'd like to solve this problem at the
  source instead of grepping it out of our log files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1348844/+subscriptions
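The regex from the report can be turned into both an audit of existing log files and a logging filter that scrubs the token ID before it is written. The block below is an added example, not code from Keystone or from the bug reporter; the logger name "example.wsgi" and the second sample line are constructed.

```python
import io
import logging
import re

# Pattern from the bug report: a v2 token ID is 32 hex characters in the URL path.
# The capture group keeps the path prefix so the redacted line stays readable.
TOKEN_PATH_RE = re.compile(r"(/v2\.0/tokens/)[\da-f]{32}")

# Constructed sample lines: the first mirrors the eventlet.wsgi.server line in the
# report, the second is a harmless request that must pass through unchanged.
SAMPLE_LOG_LINES = [
    '2014-07-25 22:28:25.352 1458 INFO eventlet.wsgi.server [-] 10.241.1.50,10.241.1.80 - - '
    '[25/Jul/2014 22:28:25] "GET /v2.0/tokens/d5036612660543a3a9b8054c79dea8d3 HTTP/1.1" 200 3174 0.021630',
    '2014-07-25 22:28:26.001 1458 INFO eventlet.wsgi.server [-] 10.241.1.50,10.241.1.80 - - '
    '[25/Jul/2014 22:28:26] "GET /v2.0/tenants HTTP/1.1" 200 512 0.004100',
]

def redact_token_paths(line: str) -> str:
    """Replace the token ID in every /v2.0/tokens/<id> path with a fixed marker."""
    return TOKEN_PATH_RE.sub(r"\1<REDACTED>", line)

def find_token_leaks(lines):
    """Return indices of lines that still carry a raw token ID (audit of existing logs)."""
    return [i for i, line in enumerate(lines) if TOKEN_PATH_RE.search(line)]

class TokenRedactingFilter(logging.Filter):
    """Logging filter that scrubs token IDs before a record reaches any handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message once, redact it, and drop args so it is not re-formatted.
        record.msg = redact_token_paths(record.getMessage())
        record.args = ()
        return True

def demo_filter() -> str:
    """Log the sample lines through the filter and return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("example.wsgi")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    logger.addFilter(TokenRedactingFilter())
    for line in SAMPLE_LOG_LINES:
        logger.info("%s", line)
    return buf.getvalue()
```

Attaching the filter to the logger (rather than a handler) means every handler, including syslog forwarders, receives the redacted record.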
