yahoo-eng-team team mailing list archive

[OpenStack Infra <1479523@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/207226
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Submitter: Jenkins
Branch:    master

commit 2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Author: Brant Knudson <bknudson@xxxxxxxxxx>
Date:   Wed Jul 29 16:29:42 2015 -0500

    Config option for insecure responses
    
    oslo.log's "debug" option was co-opted to also indicate that the
    responses should include more information. A separate config
    option should be used instead so that deployers don't mistakenly
    expose themselves to security issues.
    
    The debug option still is used for what it does in oslo.log and
    how it works on all other projects -- if you're not using a log
    config file it sets the base logger to debug.
    
    SecurityImpact
    
    Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
    Closes-Bug: 1479523


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1479523

Title:
  Stop using debug for insecure responses

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  
  If you set debug=true in keystone.conf the server 1) logs at debug level, and 2) sends out insecure responses. Deployers might think that debug=true only does 1, not knowing about 2 since it's not documented in the sample config. The behaviors should be decoupled to improve security a bit.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1479523/+subscriptions