yahoo-eng-team team mailing list archive
Message #37192
[Bug 1487038] Re: nova.exception._cleanse_dict should use oslo_utils.strutils._SANITIZE_KEYS
** Changed in: oslo.messaging
Status: Fix Committed => Fix Released
** Changed in: oslo.messaging
Milestone: None => 2.4.0
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1487038
Title:
nova.exception._cleanse_dict should use
oslo_utils.strutils._SANITIZE_KEYS
Status in OpenStack Compute (nova):
In Progress
Status in oslo.messaging:
Fix Released
Bug description:
The wrap_exception decorator in nova.exception uses the _cleanse_dict
helper method to remove any keys from the args/kwargs list of the
method that was called, but only checks those keys of the form *_pass:
http://git.openstack.org/cgit/openstack/nova/tree/nova/exception.py?id=12.0.0.0b2#n57
def _cleanse_dict(original):
    """Strip all admin_password, new_pass, rescue_pass keys from a dict."""
    return {k: v for k, v in six.iteritems(original) if "_pass" not in k}
The oslo_utils.strutils module has its own list of keys to sanitize,
used in its mask_password method:
http://git.openstack.org/cgit/openstack/oslo.utils/tree/oslo_utils/strutils.py#n54
_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                  'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                  'sys_pswd']
The nova code should probably be using some form of the same thing
that strutils is using for mask_password, which uses a regex to find
hits. For example, if the arg was 'auth_token' or simply 'password',
_cleanse_dict would fail to filter it out.
You could also argue that the oslo.messaging log notifier should be
using oslo_utils.strutils.mask_password before it logs the message -
which isn't happening in that library today.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1487038/+subscriptions
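
The gap described in the bug, as an added example that is not nova or oslo.utils code: the "_pass" check next to a key-list check run over constructed kwargs. The names cleanse_dict_original, cleanse_dict_by_keys, leaked_keys and SAMPLE_KWARGS are hypothetical, and the nested-dict handling goes beyond the top-level case the report describes.

```python
# Added example. The key list is the one quoted in the bug description;
# every function name and sample value here is hypothetical/constructed.
_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                  'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                  'sys_pswd']


def cleanse_dict_original(original):
    """The check quoted in the bug: drop only keys containing "_pass"."""
    return {k: v for k, v in original.items() if "_pass" not in k}


def _is_sensitive(key):
    # Keep the old "_pass" rule and add the shared key list on top of it.
    key = str(key)
    return "_pass" in key or any(s in key for s in _SANITIZE_KEYS)


def cleanse_dict_by_keys(original):
    """Drop sensitive keys at every nesting level of a dict."""
    cleaned = {}
    for k, v in original.items():
        if _is_sensitive(k):
            continue
        cleaned[k] = cleanse_dict_by_keys(v) if isinstance(v, dict) else v
    return cleaned


def leaked_keys(data, prefix=""):
    """Return sorted dotted paths of sensitive keys still present in data."""
    found = []
    for k, v in data.items():
        path = prefix + str(k)
        if _is_sensitive(k):
            found.append(path)
        elif isinstance(v, dict):
            found.extend(leaked_keys(v, path + "."))
    return sorted(found)


# Constructed kwargs, shaped like arguments a wrapped method might receive.
SAMPLE_KWARGS = {
    "instance_uuid": "11111111-2222-3333-4444-555555555555",
    "admin_password": "constructed-1",  # removed by both versions
    "auth_token": "constructed-2",      # missed by the "_pass" check
    "password": "constructed-3",        # missed by the "_pass" check
    "connection_info": {"data": {"auth_password": "constructed-4"}},
}
```

Calling leaked_keys() on the output of each cleanser shows which keys would still reach the notification payload.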