author ryanKor <equus3144@gmail.com> 2021-10-09 12:05:43 +0900
committer Seongsoo Cho <ppiyakk2@printf.kr> 2022-08-01 19:54:44 +0900
commit 62c52f5e61c009ad45fa3e8aeb049821d0b228eb
tree c8fc7aed629f20392c45eaa2815ce002500c33ab /openstackclient/common
parent 366e16473843c4388e1f3124e8ac732804a7ec5e
config: Also mask non-prefix config
The 'config show' command will show information about your current
configuration. When using a 'cloud.yaml' file and the 'OS_CLOUD'
environment variable, the output of this will look like so:

    $ openstack config show
    +---------------------------------------------+----------------------------------+
    | Field                                       | Value                            |
    +---------------------------------------------+----------------------------------+
    | additional_user_agent                       | [('osc-lib', '2.6.0')]           |
    | api_timeout                                 | None                             |
    | auth.auth_url                               | https://example.com:13000        |
    | auth.password                               | <redacted>                       |
    | auth.project_domain_id                      | default                          |
    | auth.project_id                             | c73b7097d07c46f78eb4b4dcfbac5ca8 |
    | auth.project_name                           | test-project                     |
    | auth.user_domain_name                       | example.com                      |
    | auth.username                               | john-doe                         |
    ...

All of the 'auth.'-prefixed values are extracted from the corresponding
entry in the 'clouds.yaml' file. You'll note that the 'auth.password'
value is not shown. Instead, it is masked and replaced with '<redacted>'.

However, a 'clouds.yaml' file is not the only way to configure these
tools. You can also use old school environment variables. By using an
openrc file from Horizon (or the clouds2env tool [1]), we will set
various 'OS_'-prefixed environment variables. When you use the 'config
show' command with these environment variables set, we will see all of
these values appear in the output *without* an 'auth.' prefix. Scanning
down we will see the password value is not redacted.

    $ openstack config show
    +---------------------------------------------+----------------------------------+
    | Field                                       | Value                            |
    +---------------------------------------------+----------------------------------+
    | additional_user_agent                       | [('osc-lib', '2.6.0')]           |
    | api_timeout                                 | None                             |
    ...
    | password                                    | secret-password                  |
    ...

This will also happen if using tokens. This is obviously incorrect.
These should be masked also. Make it so.

This involves enhancing our fake config generation code to generate
config that looks like it came from environment variables.

Change-Id: I560b928e5e6bcdcd89c409e0678dfc0d0b056c0e
Story: 2008816
Task: 42260
Diffstat (limited to 'openstackclient/common')
-rw-r--r-- openstackclient/common/configuration.py 6
1 files changed, 5 insertions, 1 deletions
diff --git a/openstackclient/common/configuration.py b/openstackclient/common/configuration.py
index 49ef0e05..cb415505 100644
--- a/openstackclient/common/configuration.py
+++ b/openstackclient/common/configuration.py
@@ -45,7 +45,6 @@ class ShowConfiguration(command.ShowOne):
return parser
def take_action(self, parsed_args):
-
info = self.app.client_manager.get_configuration()
# Assume a default secret list in case we do not have an auth_plugin
@@ -63,4 +62,9 @@ class ShowConfiguration(command.ShowOne):
value = REDACTED
info['auth.' + key] = value
+ if parsed_args.mask:
+ for secret_opt in secret_opts:
+ if secret_opt in info:
+ info[secret_opt] = REDACTED
+
return zip(*sorted(info.items()))
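Review bot: the new loop under `if parsed_args.mask:` only redacts a key when it is an exact, top-level match for a name in `secret_opts` (`if secret_opt in info`), so how much of the environment-variable configuration gets masked depends entirely on what that list contains, and the default list mentioned in the first hunk's context comment is not visible in this diff. A short comment above the loop saying that these un-prefixed keys are the ones populated from `OS_`-prefixed environment variables would document why the second pass exists. A test that feeds environment-style config and asserts that both `password` and the token option come back as REDACTED would also catch a secret option that is missing from `secret_opts`; the diffstat shown here is limited to openstackclient/common, so any such test change cannot be checked from this view.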