Bug 1106328 - clear text passwords shown in horizon.log (DEBUG level)
Summary: clear text passwords shown in horizon.log (DEBUG level)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneclient
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: z2
: 5.0 (RHEL 7)
Assignee: Jamie Lennox
QA Contact: Mike Abrams
URL:
Whiteboard:
: 1153055
Depends On:
Blocks: 1109874 1153055
 
Reported: 2014-06-09 05:32 UTC by Giulio Fidente
Modified: 2022-07-09 07:18 UTC (History)

Fixed In Version: python-keystoneclient-0.9.0-3.el7ost python-keystoneclient-0.9.0-3.el6ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1153055
Environment:
Last Closed: 2014-11-03 08:40:29 UTC
Target Upstream Version:
Embargoed:
mabrams: needinfo+


Attachments (Terms of Use)
/etc/openstack-dashboard/local-settings logger section (4.11 KB, text/plain)
2014-10-20 10:19 UTC, Mike Abrams


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1004114 0 None None None Never
OpenStack gerrit 101792 0 None None None Never
Red Hat Issue Tracker OSP-16567 0 None None None 2022-07-09 07:18:01 UTC
Red Hat Product Errata RHSA-2014:1784 0 normal SHIPPED_LIVE Moderate: python-keystoneclient security and bug fix update 2014-11-03 13:36:46 UTC

Description Giulio Fidente 2014-06-09 05:32:25 UTC
Description of problem:
horizon by default logs messages up to the DEBUG level in /var/log/horizon/horizon.log and these contain clear text passwords

I think logging of DEBUG messages should not be enabled by default and passwords should not go printed in clear text there anyway.


Version-Release number of selected component (if applicable):
python-django-horizon-2014.1-7.el7ost.noarch

Comment 2 Julie Pichon 2014-06-09 07:45:36 UTC
I'm fairly sure the logging is set to INFO by default in the default configuration file; I suspect the installer you're using may be setting it to DEBUG.

Could you include a log sample, obscuring the actual password(s) as needed, so we can see which client request is being logged that way? I'm thinking of things like bug https://bugs.launchpad.net/keystone/+bug/1004114 . Looking at that bug's history, I'm not sure it was ever fixed in the python-keystoneclient (or if it will be, see e.g. https://review.openstack.org/#/c/42467/2//COMMIT_MSG on one of the abandoned patches).

Comment 3 Giulio Fidente 2014-06-09 08:43:28 UTC
Hi there, thanks for picking this up! It seems to be the keystone client as you suggested:

2014-06-09 08:41:36,538 1748 DEBUG openstack_auth.backend Beginning user authentication for user "admin".
2014-06-09 08:41:36,538 1748 DEBUG keystoneclient.session REQ: curl -i -X POST http://192.168.4.2:5000/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "wrongpass"}}}'

My fault for not having noticed that in the first place; maybe the upstream LP bug I opened is also a duplicate of LP 1004114 then?

Comment 4 Julie Pichon 2014-06-09 09:26:15 UTC
I think so, so I marked it as a duplicate upstream. It looks like a few people have reported it several times too, looking at the "Duplicates" history. I added a comment on the original bug (LP 1004114) as it seems the Keystone client patch was abandoned and might not get picked up again; feel free to chime in and add a comment with your opinion to that report as well.

Should we close this BZ or move it to another component? I had a quick browse through Keystone / Keystone client bugs but didn't notice anything related at first glance.

Comment 9 Nathan Kinder 2014-10-15 18:21:32 UTC
*** Bug 1153055 has been marked as a duplicate of this bug. ***

Comment 10 Mike Abrams 2014-10-20 06:13:25 UTC
Behavior currently is that when keystone logs are set to debug, keystone now logs properly without passwords being written to the log files...just informational text.

However, horizon logs (/var/log/horizon/horizon.log /var/log/httpd/horizon_access.log /var/log/httpd/horizon_error.log) all log NOTHING after debug was set in /etc/openstack-dashboard/local-settings and the services restarted.

Logs were triggered by the curl command above (with localhost substituted for your ip).

Please advise on the expected behavior from horizon.

Comment 11 Julie Pichon 2014-10-20 08:38:10 UTC
How did you configure logging to log at the DEBUG level in Horizon? Could you provide the LOGGING dictionary from /etc/openstack-dashboard/local_settings?

Comment 12 Mike Abrams 2014-10-20 10:19:19 UTC
Created attachment 948487 [details]
/etc/openstack-dashboard/local-settings logger section

please see attachment (1106328.out)

Comment 13 Julie Pichon 2014-10-20 13:09:40 UTC
Thanks Mike, the Keystone client is set to DEBUG and goes to the 'file' handler, which is set to DEBUG as well so that should be enough to verify this bug. If it was set like this before updating the keystone client, restarting httpd without any change should be enough to see the new output going to /var/log/horizon/horizon.log . I'm not sure why nothing at all would be logged. Is the DEBUG variable at the top of the file set to False? (This is more of a development debugging feature that should never be True on a production system.)
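A defensive counterpart to the leak shown in Comment 3, added here as an example that is not part of the bug report, of Horizon or of python-keystoneclient: a Python logging.Filter that masks the password inside the keystoneclient.session "REQ: curl ..." line before it reaches the 'file' handler of the LOGGING dict discussed in Comment 13. The sample line is reconstructed from Comment 3; the filter class, helper names and the in-memory handler are assumptions for the demo.

```python
import json
import logging
import re

# Sample line constructed from Comment 3 (the password is the bogus one shown there).
SAMPLE = ('2014-06-09 08:41:36,538 1748 DEBUG keystoneclient.session REQ: curl -i -X POST '
          'http://192.168.4.2:5000/v2.0/tokens -H "Content-Type: application/json" '
          '-H "Accept: application/json" -H "User-Agent: python-keystoneclient" '
          '-d \'{"auth": {"passwordCredentials": {"username": "admin", "password": "wrongpass"}}}\'')

# The JSON body keystoneclient appends after -d in its curl-style debug line.
_BODY_RE = re.compile(r"-d '(\{.*\})'")
# Keys whose values must never be written to horizon.log.
_SECRET_KEYS = {"password"}


def _scrub(obj):
    """Recursively mask secret keys anywhere in a decoded JSON body."""
    if isinstance(obj, dict):
        return {k: ("***" if k in _SECRET_KEYS else _scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v) for v in obj]
    return obj


def redact_request_line(line):
    """Return the log line with any password in the -d JSON body replaced by ***."""
    m = _BODY_RE.search(line)
    if not m:
        return line
    try:
        body = json.loads(m.group(1))
    except ValueError:
        # Fail closed: an unparseable body is dropped rather than logged verbatim.
        return _BODY_RE.sub("-d '<redacted: unparseable body>'", line)
    return line[:m.start(1)] + json.dumps(_scrub(body)) + line[m.end(1):]


class PasswordRedactFilter(logging.Filter):
    """Handler-level filter: rewrites the message before the handler emits it."""
    def filter(self, record):
        record.msg = redact_request_line(record.getMessage())
        record.args = ()
        return True


def log_through_filter(line):
    """Demo: send one line through a handler carrying the filter and return what it wrote."""
    captured = []
    handler = logging.Handler(level=logging.DEBUG)
    handler.emit = lambda record: captured.append(handler.format(record))
    handler.addFilter(PasswordRedactFilter())
    logger = logging.getLogger("keystoneclient.session.demo")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    try:
        logger.debug(line)
    finally:
        logger.removeHandler(handler)
    return captured[0]
```

In the real LOGGING dict the same filter is attached to the 'file' handler via a 'filters' entry; the filter runs before emit, so the clear-text value never reaches disk even with the keystoneclient logger at DEBUG.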

Comment 14 Mike Abrams 2014-10-21 09:34:28 UTC
Julie, the debug variable was set to True through all of this, and still no logging; this behavior is experienced by a colleague of mine as well.

Please advise

Comment 16 errata-xmlrpc 2014-11-03 08:40:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1784.html

