yahoo-eng-team team mailing list archive
Message #85276
[Bug 1333440] Re: Secure Site Recommendations does not discuss LOGGING settings
As of 2021, keystoneauth1 is used to communicate with back-end services.
keystoneauth1 handles the underlying HTTP connections and is in charge
of DEBUG logging. It no longer records credentials like the user password.
The token ID is still logged, but the token is ephemeral, so I think this
issue has been addressed.
** Changed in: horizon
Assignee: Annapoornima Koppad (annakoppad) => (unassigned)
** Changed in: horizon
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1333440
Title:
Secure Site Recommendations does not discuss LOGGING settings
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
The Secure Site Recommendations
(http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations)
does not mention anything about the
LOGGING section. One specific issue that should be covered is that if
you ship the example config file, it will log the keystone requests as
DEBUG and that will log plaintext passwords. This is very dangerous.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1333440/+subscriptions
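
The misconfiguration from the bug description, as an added example that is not part of the original message or of Horizon's code: a check over a Django `LOGGING` dict that reports Keystone client loggers whose DEBUG records would reach a handler. The logger-name prefixes `keystoneclient` and `keystoneauth`, the string-valued levels, and both sample dicts are assumptions constructed for illustration.

```python
# Assumed logger-name prefixes for the Keystone client libraries; levels are
# assumed to be given as strings, as in a typical Django settings file.
AUTH_PREFIXES = ("keystoneclient", "keystoneauth")
PASSES_DEBUG = ("DEBUG", "NOTSET")

def _root(config):
    return config.get("root") or config.get("loggers", {}).get("", {})

def effective_level(name, config):
    """Walk up the dotted name until an ancestor sets a level (as logging does)."""
    loggers = config.get("loggers", {})
    while name:
        level = loggers.get(name, {}).get("level", "NOTSET")
        if level != "NOTSET":
            return level
        name = name.rpartition(".")[0]
    return _root(config).get("level", "WARNING")

def reachable_handlers(name, config):
    """Handlers on the logger and its ancestors, stopping where propagate is off."""
    loggers, found = config.get("loggers", {}), []
    while name:
        entry = loggers.get(name, {})
        found += entry.get("handlers", [])
        if not entry.get("propagate", True):
            return found
        name = name.rpartition(".")[0]
    return found + _root(config).get("handlers", [])

def debug_auth_loggers(config):
    """Names of configured auth loggers whose DEBUG records reach a handler."""
    handlers = config.get("handlers", {})
    hits = []
    for name in sorted(config.get("loggers", {})):
        if (not name.startswith(AUTH_PREFIXES)
                or effective_level(name, config) not in PASSES_DEBUG):
            continue
        if any(handlers.get(h, {}).get("level", "NOTSET") in PASSES_DEBUG
               for h in reachable_handlers(name, config)):
            hits.append(name)
    return hits

# Constructed sample settings: the weak form next to the corrected one.
WEAK = {
    "version": 1,
    "handlers": {"console": {"class": "logging.StreamHandler", "level": "DEBUG"}},
    "loggers": {
        "keystoneclient": {"handlers": ["console"], "level": "DEBUG", "propagate": False},
        "keystoneauth": {"handlers": ["console"], "level": "DEBUG"},
    },
}
HARDENED = {**WEAK, "loggers": {n: {**c, "level": "INFO"} for n, c in WEAK["loggers"].items()}}
```

Running `debug_auth_loggers` against the deployed settings in a release check lets a build fail when an example file with DEBUG-level auth loggers is shipped unchanged.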