Bug 1665456

Summary: [OSP14] fixed_key value is logged in the cinder logs
Product: Red Hat OpenStack Reporter: Sofia Enriquez <senrique>
Component: openstack-cinderAssignee: Sofia Enriquez <senrique>
Status: CLOSED ERRATA QA Contact: Tzach Shefi <tshefi>
Severity: high Docs Contact: Tana <tberry>
Priority: medium    
Version: 14.0 (Rocky)CC: abishop, dhill, eharney, knylande, tshefi, tvignaud
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: 14.0 (Rocky)   
Hardware: Unspecified   
OS: All   
Whiteboard:
Fixed In Version: openstack-cinder-13.0.3-0.20190118014305.44c5314.el7ost Doc Type: Bug Fix
Doc Text:
Cause: The code in OSP10 used to detect which values to mask by looking for "_key" in the config option name, but this was changed to fix another similar issue. Consequence: fixed_key value is logged in the cinder logs. Fix: Add secret=true to fixed_key configuration parameter as that value shouldn't be logged. Result: fixed_key value isn't logged anymore.
 Story Points: ---
Clone Of: 1655742 Environment:
Last Closed: 2019-03-18 12:56:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1655742, 1665452    

Description Sofia Enriquez 2019-01-11 13:24:41 UTC 
+++ This bug was initially created as a clone of Bug #1655742 +++

Description of problem:
fixed_key value is logged in the cinder logs

How reproducible:
Always

Steps to Reproduce:
1. Set fixed_key value

Actual results:
It's logged in the logs

Expected results:
It shouldn't be logged

Additional info:

This appears to be an OSP10 z8 regression introduced by bug 1547600.

The code in OSP10 used to detect which values to mask by looking for "_key" in the config option name, but this was changed to fix another similar issue.
Comment 3 Tzach Shefi 2019-03-12 12:27:51 UTC 
Verified on:
openstack-cinder-13.0.3-0.20190118014305.44c5314.el7ost.noarch

Set fixed_key, restarted docker
We don't see the key (***) in log 


DEBUG oslo_service.service [req-f8de6475-36f0-4995-9710-6be06822d958 - - - - -] key_manager.fixed_key          = **** log_opt_values
Comment 6 errata-xmlrpc 2019-03-18 12:56:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0586