[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2016-01-03 Thread Stanislaw Pitucha
For Bandit I'm marking "Won't fix": Offending code is:

    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

There's no indication of what the kwargs are, so without a runtime integration (ta

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-11-19 Thread Alan Pevec
** Changed in: keystone/juno Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1465922 Title: Password visible in clear te

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-11-15 Thread Robert Clark
We would typically issue an OSSN for such behaviour, it's somewhat boilerplate but it's important to document the issue, particularly as a number of production workloads run in debug mode. I also think it's interesting that Bandit didn't catch this, it's pretty good at finding these sorts of issue

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-07-29 Thread Alan Pevec
** Changed in: keystone/kilo Status: Fix Committed => Fix Released

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-07-29 Thread Doug Hellmann
** Changed in: keystone Status: Fix Committed => Fix Released ** Changed in: keystone Milestone: None => liberty-2

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-07-14 Thread Dolph Mathews
** Also affects: keystone/kilo Importance: Undecided Status: New ** Also affects: keystone/juno Importance: Undecided Status: New

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-06-19 Thread Brant Knudson
Was able to recreate locally on master. ** Changed in: keystone Status: Won't Fix => Confirmed ** Changed in: keystone Importance: Undecided => Medium ** Changed in: keystone Assignee: (unassigned) => Brant Knudson (blk-u)

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-06-17 Thread Lance Bragstad
I believe the same is true in Keystone based on what Jeremy has linked above. ** Changed in: keystone Status: New => Won't Fix

[Yahoo-eng-team] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled

2015-06-17 Thread Jeremy Stanley
The OpenStack VMT currently considers (based on existing precedent) disclosure of sensitive information in debug-level logging a security hardening opportunity, and does not issue security advisories for it. This is class D in our report taxonomy: https://security.openstack.org/vmt-process.html#in