Public bug reported:

Example:

2014-07-25 20:03:36.346 780 DEBUG glance.registry.api.v1.images [1c66afef-0bc9-4413-b63a-c81585c2a981 2eae458f42e64420af5e3a2cab07e03a 9bc19f6aabc944c382bf553cb8131b17 - - -] Updating image dfd7e14c-eb02-487e-8112-d1881ae031d9 with metadata: {u'status': u'active', 'locations': [u'swift+http://service%3Aimage:GyQLQqJbh3jzBfRvAs8nw8WDQ3xUtO7nw49t33R96WddHww0zJ2CSU7AtgFtf76J@proxy:8770/v2.0/glance-images/dfd7e14c-eb02-487e-8112-d1881ae031d9']} update /usr/lib/python2.7/dist-packages/glance/registry/api/v1/images.py:445

We've found that the following regex will catch all of the password hashes:

r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@"

Since it's a debug-level log message, we can avoid leaking sensitive data by turning off debug logging, but we often find ourselves needing the debug logs to diagnose issues. We'd like to fix this problem at the source by sanitizing out the password hashes.

** Affects: glance
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1348838

Title:
  Glance logs password hashes in swift URLs

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
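
Added example (not part of the original report and not Glance's own code): a logging filter that applies the kind of sanitizing the report asks for, so debug logging can stay on without writing swift credentials to the log. The names redact, STRICT_RE, SwiftCredentialFilter and the logger name are hypothetical, the sample URL and key are constructed, and STRICT_RE assumes credentials are percent-encoded as in the report's sample, so they contain no raw "/" or "@".

```python
import io
import logging
import re

# Pattern taken from the bug report; group 1 is the scheme.
REPORT_RE = re.compile(r"(swift|swift\+http|swift\+https)://(.*?:)?.*?@")
# Assumption (not from the report): a tighter variant that cannot run past
# the URL's authority part, so credential-free URLs are left alone.
STRICT_RE = re.compile(r"(swift(?:\+https?)?)://[^\s/@'\"]+@")


def redact(text, pattern=STRICT_RE):
    """Mask the user:key@ part of swift store URLs found in text."""
    return pattern.sub(lambda m: m.group(1) + "://***@", text)


class SwiftCredentialFilter(logging.Filter):
    """Redact swift credentials after %-formatting, before the handler emits."""

    def filter(self, record):
        # Format first: the URL usually arrives via args (e.g. a metadata dict).
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo():
    """Log a constructed record shaped like the one in the report."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler: logger-level filters skip child-logger records.
    handler.addFilter(SwiftCredentialFilter())
    log = logging.getLogger("demo.registry.images")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    # Constructed sample values, not real credentials.
    meta = {"status": "active", "locations": [
        "swift+http://service%3Aimage:EXAMPLEKEY@proxy:8770/v2.0/glance-images/img-1"]}
    log.debug("Updating image %s with metadata: %s", "img-1", meta)
    log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

With REPORT_RE, a swift URL that carries no credentials is matched up to the next "@" on the same line (for example an e-mail address), which hides more than intended; STRICT_RE leaves such a line unchanged.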