From a37addb7b034105ce03ee35a0a1610d191c4b269 Mon Sep 17 00:00:00 2001 From: Matt Riedemann Date: Wed, 5 Oct 2016 21:11:16 -0400 Subject: Mask passwords in debug logs for auth_config_hook The auth config hook can have credentials in it so we have to mask the config before logging it. To avoid doing the work of masking the password if we aren't going to log it, there is a conditional put around the actual debug statement. Conflicts: openstackclient/common/client_config.py NOTE(mriedem): The conflict was due to imports. Change-Id: I8e626672ec94fc837610216bccb4354dbdedca17 Closes-Bug: #1630822 (cherry picked from commit cd1a412408f068aeef97c1ee368400307fce7733)
--- openstackclient/common/client_config.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'openstackclient/common')
diff --git a/openstackclient/common/client_config.py b/openstackclient/common/client_config.py
index 895909e9..273d6623 100644
--- a/openstackclient/common/client_config.py
+++ b/openstackclient/common/client_config.py
@@ -16,6 +16,8 @@
 import logging
 from os_client_config import config
+from oslo_utils import strutils
+import six
 LOG = logging.getLogger(__name__)
@@ -179,7 +181,9 @@ class OSC_Config(config.OpenStackConfig):
 config = self._auth_v2_ignore_v3(config)
 config = self._auth_default_domain(config)
- LOG.debug("auth_config_hook(): %s" % config)
+ if LOG.isEnabledFor(logging.DEBUG):
+ LOG.debug("auth_config_hook(): %s",
+ strutils.mask_password(six.text_type(config)))
 return config
 def _validate_auth_ksc(self, config, cloud, fixed_argparse=None):
-- cgit v1.2.1
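Review bot: The masking in the second hunk runs `strutils.mask_password` over the text form of the whole config, so it hides only values whose key names that helper's patterns recognise; any other credential-bearing field in the auth section (a token-style value, for instance) would still reach the debug log unless the helper covers it, which the diff does not show. If `config` is a plain dict at this point, as the surrounding calls suggest, masking the structure is less dependent on how the dict happens to print: `LOG.debug("auth_config_hook(): %s", strutils.mask_dict_password(config))`. The commit changes only client_config.py, so a unit test that passes a config with a known password and asserts the secret is absent from the captured log output would keep this from regressing. The method body starts above the hunk, so what else it places into `config` before the log call is not visible here.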