yahoo-eng-team team mailing list archive

[Bug 1767323] [NEW] Keystone ldap logs personal information

Public bug reported:

When OpenStack/Keystone is configured with ldap, it logs personal
information in debug mode. The information logged is based completely on
the parameters given as input while configuring ldap. But in a
production environment, LDAP generally has information about real people
(natural persons) and with GDPR compliance around the corner, we should
be very careful about what we log. Personal information about a natural
person cannot be logged, stored or transferred without the consent of
the person themselves. Having said that, the information logged below is
very useful while debugging OpenStack/LDAP configuration issues.

https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L920

2018-04-20 09:49:10.548 19412 DEBUG keystone.identity.backends.ldap.common [req-7abe3850-9937-4867-a1a7-f92d7757ccb1 8ed02367de541e8741badb6ce097a975a9233b464e6d215dde7bac48a3f2f54a 6d6da87e2345480b93821568c958cc81 - 46f848196da64f9caaf8e5304bba870b 46f848196da64f9caaf8e5304bba870b] LDAP search: base=o=xxx_suffix scope=2 filterstr=(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount)) attrs=['cn', 'userPassword', 'enabled', 'mail', 'postaladdress', 'desc'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922

keystone.log:2018-04-19 04:26:04.680 72157 DEBUG keystone.identity.backends.ldap.common [req-3a092189-a85a-40da-8ffe-88bec3d430d8 d61bbf804a64cdc47df20632987500c868562fe0627fc9c497ca4494f96adcd8 9ea574babbca4cd5a5e336017aec1867 - fa87845eedd847708aa71d51ef84aea6 fa87845eedd847708aa71d51ef84aea6] LDAP search: base=cn=Users,dc=finktest,dc=org scope=2 filterstr=(&(userPrincipalName=suma2@xxxxxxxxxxxx)(objectClass=user)) attrs=['description', 'userPassword', 'enabled', 'userPrincipalName', 'mail', 'cn'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922

** Affects: keystone
     Importance: Undecided
         Status: New
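The debug line quoted in the report is useful because it shows the base DN, scope, boolean structure and attribute list of the search; the personal data sits only in the leaf values of the filter (the postal address, the userPrincipalName). One mitigation that keeps the diagnostic value and drops the personal data is to mask those leaf values before the message is formatted. The following is an added illustration in Python, not Keystone's code: the set of attributes it treats as personal data and the helper names (redact_filter, format_search_line) are assumptions for the example; a real deployment would derive the set from its own LDAP attribute mapping.

```python
import re

# Attributes whose values are treated as personal data when logging.
# This set is an assumption for the example; a deployment would build it
# from its own LDAP mapping (user_name_attribute, user_mail_attribute, ...).
SENSITIVE_ATTRS = frozenset({
    "postaladdress", "mail", "userprincipalname", "cn", "sn", "givenname",
    "telephonenumber", "description", "userpassword",
})

# One leaf item of an RFC 4515 filter: (attr=value), (attr~=value),
# (attr>=value) or (attr<=value). Only leaves are rewritten, so nested
# &, | and ! operators are left intact and the filter stays readable.
_ITEM_RE = re.compile(r"\(([A-Za-z0-9;.-]+)(~=|>=|<=|=)([^()]*)\)")


def redact_filter(filterstr, sensitive=SENSITIVE_ATTRS):
    """Return filterstr with the values of sensitive attributes masked.

    The attribute names and the boolean structure are preserved, so the
    line still shows which mapping produced the search; only values that
    can identify a natural person are replaced by a fixed placeholder.
    """
    def _mask(match):
        attr, op = match.group(1), match.group(2)
        if attr.lower() in sensitive:
            return "(%s%s<redacted>)" % (attr, op)
        return match.group(0)          # e.g. (objectClass=user) is kept

    return _ITEM_RE.sub(_mask, filterstr)


def format_search_line(base, scope, filterstr, attrs, attrsonly=0):
    """Build a debug message in the shape of the reported line, redacted.

    attrs is the list of attribute *names* requested from the server; it
    contains no values, so it is logged unchanged.
    """
    return "LDAP search: base=%s scope=%s filterstr=%s attrs=%s attrsonly=%s" % (
        base, scope, redact_filter(filterstr), attrs, attrsonly)


if __name__ == "__main__":
    # Constructed sample mirroring the filters quoted in the bug report.
    print(format_search_line(
        "o=xxx_suffix", 2,
        "(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount))",
        ["cn", "userPassword", "enabled", "mail", "postaladdress", "desc"]))
    print(format_search_line(
        "cn=Users,dc=finktest,dc=org", 2,
        "(&(userPrincipalName=suma2@xxxxxxxxxxxx)(objectClass=user))",
        ["description", "userPassword", "enabled", "userPrincipalName", "mail", "cn"]))
```

Masking at the point where the message is built, rather than post-processing log files, is the safer design: the personal data never reaches the log handler, so it cannot leak through a forwarded or archived copy that a later filter misses.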

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1767323

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1767323/+subscriptions