
yahoo-eng-team team mailing list archive

[Bug 1487038] [NEW] nova.exception._cleanse_dict should use oslo_utils.strutils._SANITIZE_KEYS

 

Public bug reported:

The wrap_exception decorator in nova.exception uses the _cleanse_dict
helper method to remove any keys from the args/kwargs list of the method
that was called, but only checks those keys of the form *_pass:

http://git.openstack.org/cgit/openstack/nova/tree/nova/exception.py?id=12.0.0.0b2#n57

def _cleanse_dict(original):
    """Strip all admin_password, new_pass, rescue_pass keys from a dict."""
    return {k: v for k, v in six.iteritems(original) if "_pass" not in k}

The oslo_utils.strutils module has its own list of keys to sanitize,
used in its mask_password method:

http://git.openstack.org/cgit/openstack/oslo.utils/tree/oslo_utils/strutils.py#n54

_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                  'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                  'sys_pswd']

The nova code should probably be using some form of the same thing that
strutils is using for mask_password, which uses a regex to find hits.
For example, if the arg was 'auth_token' or simply 'password',
_cleanse_dict would fail to filter it out.

You could also argue that the oslo.messaging log notifier should be
using oslo_utils.strutils.mask_password before it logs the message -
which isn't happening in that library today.

** Affects: nova
     Importance: Low
         Status: Confirmed

** Changed in: nova
       Status: New => Confirmed

** Changed in: nova
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1487038
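
The gap described in the report, shown as an added example that is not part of the original message and is not nova or oslo.utils code. The function names and sample kwargs are hypothetical, the key list is copied from the snippet quoted above, and `dict.items()` stands in for `six.iteritems`.

```python
# Added example, not nova or oslo.utils code.
# Key list copied from the _SANITIZE_KEYS snippet quoted in the bug report.
SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                 'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                 'sys_pswd']


def cleanse_dict_reported(original):
    """Behaviour described in the report: drop only keys containing '_pass'."""
    return {k: v for k, v in original.items() if "_pass" not in k}


def cleanse_dict_with_key_list(original, sensitive=SANITIZE_KEYS):
    """Hypothetical variant: also drop any key containing a listed name.

    Matching is case-insensitive and substring-based so that 'adminPass'
    is caught; '_pass' is kept as a needle so that 'rescue_pass' (named in
    the original docstring) is still removed.
    """
    needles = [s.lower() for s in sensitive] + ["_pass"]
    return {k: v for k, v in original.items()
            if not any(n in k.lower() for n in needles)}


def leaked_keys(cleanse, call_kwargs, sensitive=SANITIZE_KEYS):
    """Return sensitive key names that survive a cleanse function, sorted."""
    kept = cleanse(call_kwargs)
    return sorted(k for k in kept if k in sensitive)


# Constructed sample kwargs, as a wrapped method might receive them.
SAMPLE_KWARGS = {
    "instance_uuid": "constructed-uuid",
    "admin_password": "constructed-secret-1",
    "rescue_pass": "constructed-secret-2",
    "password": "constructed-secret-3",
    "auth_token": "constructed-secret-4",
    "adminPass": "constructed-secret-5",
    "secret_uuid": "constructed-secret-6",
    "sys_pswd": "constructed-secret-7",
}

if __name__ == "__main__":
    print("reported:", leaked_keys(cleanse_dict_reported, SAMPLE_KWARGS))
    print("key list:", leaked_keys(cleanse_dict_with_key_list, SAMPLE_KWARGS))
    print("kept:", sorted(cleanse_dict_with_key_list(SAMPLE_KWARGS)))
```

Substring matching over-redacts by design: a non-secret key such as a hypothetical `password_expires_at` would also be dropped, which is the safer failure mode for data headed to logs or notifications.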
