yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #29379
[Bug 1348838] Re: Glance logs password hashes in swift URLs
** Also affects: glance/icehouse
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1348838
Title:
Glance logs password hashes in swift URLs
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Status in Glance icehouse series:
New
Bug description:
Example:
2014-07-25 20:03:36.346 780 DEBUG glance.registry.api.v1.images
[1c66afef-0bc9-4413-b63a-c81585c2a981 2eae458f42e64420af5e3a2cab07e03a
9bc19f6aabc944c382bf553cb8131b17 - - -] Updating image dfd7e14c-
eb02-487e-8112-d1881ae031d9 with metadata: {u'status': u'active',
'locations':
[u'swift+http://service%3Aimage:GyQLQqJbh3jzBfRvAs8nw8WDQ3xUtO7nw49t33R96WddHww0zJ2CSU7AtgFtf76J@proxy:8770/v2.0
/glance-images/dfd7e14c-eb02-487e-8112-d1881ae031d9']} update
/usr/lib/python2.7/dist-packages/glance/registry/api/v1/images.py:445
We've found that the following regex will catch all of the password
hashes:
r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@"
Since it's a debug-level log message, we can avoid leaking sensitive
data by turning off debug logging, but we often find ourselves needing
the debug logs to diagnose issues. We'd like to fix this problem at
the source by sanitizing our the password hashes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348838/+subscriptions
References