yahoo-eng-team team mailing list archive

[Alan Pevec <1348838@xxxxxxxxxxxxxxxxxx>]

** Also affects: glance/icehouse
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1348838

Title:
  Glance logs password hashes in swift URLs

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance icehouse series:
  New

Bug description:
  Example:

  2014-07-25 20:03:36.346 780 DEBUG glance.registry.api.v1.images
  [1c66afef-0bc9-4413-b63a-c81585c2a981 2eae458f42e64420af5e3a2cab07e03a
  9bc19f6aabc944c382bf553cb8131b17 - - -] Updating image dfd7e14c-
  eb02-487e-8112-d1881ae031d9 with metadata: {u'status': u'active',
  'locations':
  [u'swift+http://service%3Aimage:GyQLQqJbh3jzBfRvAs8nw8WDQ3xUtO7nw49t33R96WddHww0zJ2CSU7AtgFtf76J@proxy:8770/v2.0
  /glance-images/dfd7e14c-eb02-487e-8112-d1881ae031d9']} update
  /usr/lib/python2.7/dist-packages/glance/registry/api/v1/images.py:445

  We've found that the following regex will catch all of the password
  hashes:

  r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@"

  Since it's a debug-level log message, we can avoid leaking sensitive
  data by turning off debug logging, but we often find ourselves needing
  the debug logs to diagnose issues.  We'd like to fix this problem at
  the source by sanitizing our the password hashes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348838/+subscriptions