Bug 989271

Summary: Avoid logging sensitive details when using password based authentication
Product: [Retired] Beaker
Reporter: Nick Coghlan <ncoghlan>
Component: web UI
Assignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Priority: unspecified
Version: develop
CC: aigao, asaha, dcallagh, llim, qwan, rmancy, xjia
Target Milestone: 0.14
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-08-09 03:23:48 UTC
Type: Bug

Description Nick Coghlan 2013-07-29 00:48:41 UTC
In Beaker 0.13 and earlier, the server-debug logs need to be treated as containing sensitive data, as they record such data when clients use password based authentication (rather than Kerberos ticket based authorisation).

This has been fixed for 0.14 (see http://gerrit.beaker-project.org/#/c/2101/) to avoid capturing the unneeded sensitive details.

Comment 2 xjia 2013-07-29 03:13:40 UTC
Verify:
server-debug.log:Jul 27 03:39:27 beaker-devel beaker-server[14185]: bkr.server.xmlrpccontroller DEBUG Time: 0:00:00.000122 auth.renew_session

Version:
beaker-server-0.13.2-1.git.81.54e9513.el6eng.noarch
beaker-0.13.2-1.git.72.7543e3e.el6.noarch
beaker-server-redhat-0.1.14-1.git.3.ff982cb.el6.noarch

Comment 3 Dan Callaghan 2013-08-09 03:23:48 UTC
Beaker 0.14.1 has been released.
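
An added example, not Beaker's code or the change in the Gerrit review: a sketch of an XML-RPC dispatcher whose debug line has the `Time: <elapsed> <method>` shape shown in the verification comment, next to a weak form that also logs the call arguments. The page does not say which details were logged, so the argument logging, the `auth.login_password` handler, the logger name and the sample credentials are assumptions constructed for illustration.

```python
import logging
import time
from datetime import timedelta

log = logging.getLogger("example.xmlrpc")  # hypothetical logger name

# Hypothetical stand-ins for a server's XML-RPC methods.
METHODS = {
    "auth.login_password": lambda username, password: True,
    "auth.renew_session": lambda: True,
}

def dispatch_unsafe(method, params):
    """Weak form (assumed): the debug line carries the call arguments."""
    start = time.monotonic()
    result = METHODS[method](*params)
    elapsed = timedelta(seconds=time.monotonic() - start)
    log.debug("Time: %s %s %r", elapsed, method, params)
    return result

def dispatch_safe(method, params):
    """Corrected form: log only the elapsed time and the method name."""
    start = time.monotonic()
    result = METHODS[method](*params)
    elapsed = timedelta(seconds=time.monotonic() - start)
    log.debug("Time: %s %s", elapsed, method)
    return result

class Capture(logging.Handler):
    """Collects formatted messages so the output can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())

def run(dispatch):
    """Drive one password login and one session renewal; return log lines."""
    handler = Capture()
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    try:
        dispatch("auth.login_password", ("alice", "s3cret-constructed"))
        dispatch("auth.renew_session", ())
    finally:
        log.removeHandler(handler)
    return handler.lines
```

Logs already written by the weak form stay sensitive after the code changes, so existing files still need restricted access or rotation.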