yahoo-eng-team team mailing list archive
Message #72643
[Bug 1767323] [NEW] Keystone ldap logs personal information
Public bug reported:
When OpenStack/Keystone is configured with LDAP, it logs personal
information in debug mode. The information logged is based completely on
the parameters given as input while configuring LDAP. But in a
production environment, LDAP generally has information about real people
(natural persons) and with GDPR compliance around the corner, we should
be very careful about what we log. Personal information about a natural
person cannot be logged, stored or transferred without the consent of
the person themselves. Having said that, the information logged below is
very useful while debugging OpenStack/LDAP configuration issues.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L920
2018-04-20 09:49:10.548 19412 DEBUG keystone.identity.backends.ldap.common [req-7abe3850-9937-4867-a1a7-f92d7757ccb1 8ed02367de541e8741badb6ce097a975a9233b464e6d215dde7bac48a3f2f54a 6d6da87e2345480b93821568c958cc81 - 46f848196da64f9caaf8e5304bba870b 46f848196da64f9caaf8e5304bba870b] LDAP search: base=o=xxx_suffix scope=2 filterstr=(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount)) attrs=['cn', 'userPassword', 'enabled', 'mail', 'postaladdress', 'desc'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922
keystone.log:2018-04-19 04:26:04.680 72157 DEBUG keystone.identity.backends.ldap.common [req-3a092189-a85a-40da-8ffe-88bec3d430d8 d61bbf804a64cdc47df20632987500c868562fe0627fc9c497ca4494f96adcd8 9ea574babbca4cd5a5e336017aec1867 - fa87845eedd847708aa71d51ef84aea6 fa87845eedd847708aa71d51ef84aea6] LDAP search: base=cn=Users,dc=finktest,dc=org scope=2 filterstr=(&(userPrincipalName=suma2@xxxxxxxxxxxx)(objectClass=user)) attrs=['description', 'userPassword', 'enabled', 'userPrincipalName', 'mail', 'cn'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1767323
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1767323/+subscriptions
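
The report notes that the search line is useful for debugging but carries personal data in the filter values. The following is an added example, not Keystone's code and not part of the original message: it redacts the assertion values of an LDAP filter before logging while keeping attribute names, operators and nesting. The names `redact_filter`, `search_log_line`, `SAFE_ATTRS` and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Attributes whose values are schema names rather than personal data (assumed allowlist).
SAFE_ATTRS = frozenset({"objectclass"})

# One simple RFC 4515 filter item: "(" attr [":matching-rule"] operator value ")".
# Literal parentheses inside a value are escaped as \28 and \29, so a value
# never contains a raw ")" and the item ends at the first one.
_ITEM = re.compile(r"\(([^()=~<>:]+)((?::[^()=]*)?(?:~=|>=|<=|=))([^()]*)\)")


def _token(value, key):
    """Keyed digest: equal values correlate across log lines without being readable."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "<redacted:%s>" % digest[:8]


def redact_filter(filterstr, key):
    """Replace assertion values in an LDAP filter, keeping attribute names,
    operators, nesting and wildcards so the query shape stays debuggable."""
    def _sub(match):
        attr, op, value = match.groups()
        if attr.lower() in SAFE_ATTRS or value == "*":  # presence test has no value
            return match.group(0)
        parts = [_token(p, key) if p else "" for p in value.split("*")]
        return "(%s%s%s)" % (attr, op, "*".join(parts))
    return _ITEM.sub(_sub, filterstr)


def search_log_line(base, scope, filterstr, attrs, key):
    """Hypothetical helper building a line shaped like the one quoted above."""
    return "LDAP search: base=%s scope=%s filterstr=%s attrs=%s" % (
        base, scope, redact_filter(filterstr, key), attrs)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # assumption: a per-deployment secret in practice
    # Filters copied from the two log lines in the report.
    for f in ("(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount))",
              "(&(userPrincipalName=suma2@xxxxxxxxxxxx)(objectClass=user))"):
        print(search_log_line("o=xxx_suffix", 2, f, ["cn", "mail"], KEY))
```

The base DN can also identify a person when a search is rooted at a user entry; this sketch covers only the filter string.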