As per https://bugs.launchpad.net/ossa/+bug/1630822 user passwords are being output in plaintext if run with --debug.

I've confirmed this as needing to be fixed in OSP 10, e.g. running

    $ openstack --debug baremetal import --json ~/instackenv.json

displays the line

    auth_config_hook(): ... 'password': '5fXXXXXXXXdb', 'app X 3

All but one patch has been merged in the master and newton branches upstream:
https://review.openstack.org/#/q/topic:bug/1630822

We need to patch the file client_config.py in both osc-lib and openstackclient.
python-openstackclient-3.2.1-1.el7ost contains the fix
Testing
=======

With the following RPMs installed, passwords are correctly shown as obfuscated ("***") when using --debug or -vv.

    # rpm -qa python-openstackclient
    python-openstackclient-3.2.1-1.el7ost.noarch
    # rpm -qa python-osc-lib
    python-osc-lib-1.1.0-3.el7ost.noarch

    $ openstack --debug baremetal import --json ~/instackenv.json
    [...]
    auth_config_hook(): {'auth_type': 'password', [...], 'password': '***', 'app [...]
    [...]
    Using parameters {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'https://192.0.2.2:13000/v2.0'}

    $ openstack -vv image list
    [...]
    auth_config_hook(): {'auth_type': 'password', [...], 'password': '***', [...]
    [...]
    Using parameters {'username': 'admin', 'project_name': 'admin', 'password': '***', 'auth_url': 'https://192.0.2.2:13000/v2.0'}
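The masking behaviour verified above, sketched as an added example that is not part of the original report and is not the osc-lib or python-openstackclient code: a helper that masks secrets in a config dict before it is logged, plus a check that flags debug lines whose 'password' field is not "***". The names redact, find_unmasked, SENSITIVE_KEYS and SAMPLE_CONFIG are assumptions made for this example.

```python
import re

# Key names treated as secret: an assumption for this example, not the list
# used by osc-lib or python-openstackclient.
SENSITIVE_KEYS = {"password", "token", "secret"}
MASK = "***"


def redact(config):
    """Return a copy of config with secret values replaced by MASK.

    Nested dicts and lists are walked, because auth settings are often
    carried both at the top level and inside an 'auth' sub-dict.
    """
    if isinstance(config, dict):
        return {
            key: MASK if str(key).lower() in SENSITIVE_KEYS and value is not None
            else redact(value)
            for key, value in config.items()
        }
    if isinstance(config, (list, tuple)):
        return type(config)(redact(item) for item in config)
    return config


# Matches a quoted 'password' key followed by a quoted value, as in a dict repr.
_PASSWORD_FIELD = re.compile(r"""['"]password['"]\s*:\s*(['"])(.*?)\1""")


def find_unmasked(log_text):
    """Return 1-based line numbers where a 'password' value is not MASK."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if any(m.group(2) != MASK for m in _PASSWORD_FIELD.finditer(line)):
            hits.append(number)
    return hits


# Constructed sample data, not taken from a real deployment.
SAMPLE_CONFIG = {
    "auth_type": "password",
    "auth": {"username": "admin", "password": "constructed-secret",
             "auth_url": "https://192.0.2.2:13000/v2.0"},
    "password": "constructed-secret",
}

if __name__ == "__main__":
    print("auth_config_hook(): %r" % redact(SAMPLE_CONFIG))
```

Running find_unmasked over captured --debug or -vv output gives a quick regression check that no line carries a password value other than the mask.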
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1587