yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #37065
[Bug 1487038] [NEW] nova.exception._cleanse_dict should use oslo_utils.strutils._SANITIZE_KEYS
Public bug reported:
The wrap_exception decorator in nova.exception uses the _cleanse_dict
helper method to remove any keys from the args/kwargs list of the method
that was called, but only checks those keys of the form *_pass:
http://git.openstack.org/cgit/openstack/nova/tree/nova/exception.py?id=12.0.0.0b2#n57
def _cleanse_dict(original):
"""Strip all admin_password, new_pass, rescue_pass keys from a dict."""
return {k: v for k, v in six.iteritems(original) if "_pass" not in k}
The oslo_utils.strutils module has it's own list of keys to sanitized
used in it's mask_password method:
http://git.openstack.org/cgit/openstack/oslo.utils/tree/oslo_utils/strutils.py#n54
_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
'sys_pswd']
The nova code should probably be using some form of the same thing that
strutils is using for mask_password, which uses a regex to find hits.
For example, if the arg was 'auth_token' or simply 'password',
_cleanse_dict would fail to filter it out.
You could also argue that the oslo.messaging log notifier should be
using oslo_utils.strutils.mask_password before it logs the message -
which isn't happening in that library today.
** Affects: nova
Importance: Low
Status: Confirmed
** Changed in: nova
Status: New => Confirmed
** Changed in: nova
Importance: Undecided => Low
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1487038
Title:
nova.exception._cleanse_dict should use
oslo_utils.strutils._SANITIZE_KEYS
Status in OpenStack Compute (nova):
Confirmed
Bug description:
The wrap_exception decorator in nova.exception uses the _cleanse_dict
helper method to remove any keys from the args/kwargs list of the
method that was called, but only checks those keys of the form *_pass:
http://git.openstack.org/cgit/openstack/nova/tree/nova/exception.py?id=12.0.0.0b2#n57
def _cleanse_dict(original):
"""Strip all admin_password, new_pass, rescue_pass keys from a dict."""
return {k: v for k, v in six.iteritems(original) if "_pass" not in k}
The oslo_utils.strutils module has it's own list of keys to sanitized
used in it's mask_password method:
http://git.openstack.org/cgit/openstack/oslo.utils/tree/oslo_utils/strutils.py#n54
_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
'sys_pswd']
The nova code should probably be using some form of the same thing
that strutils is using for mask_password, which uses a regex to find
hits. For example, if the arg was 'auth_token' or simply 'password',
_cleanse_dict would fail to filter it out.
You could also argue that the oslo.messaging log notifier should be
using oslo_utils.strutils.mask_password before it logs the message -
which isn't happening in that library today.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1487038/+subscriptions
Follow ups