← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1380642] [NEW] Horizon should not log token

 

Public bug reported:

It is Horizon version of bug 1327019.
Various modules in openstack_dashboard/api logs token.
In other modules, token value is not logged now and is output as *REDACTED* or some similar string.
In Horizon case, these log lines are simply removed to fix the issue as it seems this logging is unnecessary in most cases.

I don't think this needs to be private based on the discussion in bug
1327019.

  def novaclient(request):
    insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
    cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
    LOG.debug('novaclient connection created using token "%s" and url "%s"' %
              (request.user.token.id, base.url_for(request, 'compute')))
    c = nova_client.Client(request.user.username,
                           request.user.token.id,
                           project_id=request.user.tenant_id,
                           auth_url=base.url_for(request, 'compute'),
                           insecure=insecure,
                           cacert=cacert,
                           http_log_debug=settings.DEBUG)
    c.client.auth_token = request.user.token.id
    c.client.management_url = base.url_for(request, 'compute')
    return c

** Affects: horizon
     Importance: High
     Assignee: Akihiro Motoki (amotoki)
         Status: New


** Tags: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1380642

Title:
  Horizon should not log token

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  It is Horizon version of bug 1327019.
  Various modules in openstack_dashboard/api logs token.
  In other modules, token value is not logged now and is output as *REDACTED* or some similar string.
  In Horizon case, these log lines are simply removed to fix the issue as it seems this logging is unnecessary in most cases.

  I don't think this needs to be private based on the discussion in bug
  1327019.

    def novaclient(request):
      insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
      cacert = getattr(settings, 'OPENSTACK_SSL_CACERT', None)
      LOG.debug('novaclient connection created using token "%s" and url "%s"' %
                (request.user.token.id, base.url_for(request, 'compute')))
      c = nova_client.Client(request.user.username,
                             request.user.token.id,
                             project_id=request.user.tenant_id,
                             auth_url=base.url_for(request, 'compute'),
                             insecure=insecure,
                             cacert=cacert,
                             http_log_debug=settings.DEBUG)
      c.client.auth_token = request.user.token.id
      c.client.management_url = base.url_for(request, 'compute')
      return c

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1380642/+subscriptions


Follow ups

References