+++ This bug was initially created as a clone of Bug #1424879 +++

Description of problem:
Reported by Hans Feldt, Ericsson

Password written in clear text in heat-api.log with DEBUG mode

Because this is debug, it is a hardening issue; no CVE is attached.

Upstream bug: https://bugs.launchpad.net/heat/+bug/1664792

Affected code:

heat/common/serializers.py:

    class JSONResponseSerializer(object):

        def to_json(self, data):
            def sanitizer(obj):
                if isinstance(obj, datetime.datetime):
                    return obj.isoformat()
                return six.text_type(obj)

            response = jsonutils.dumps(data, default=sanitizer)
            LOG.debug("JSON response : %s" % response)  # <- HERE

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Create overcloud
2. View /var/log/heat/heat-api.log
3. Grep for AdminPassword

Actual results:
Plain text is used for passwords

Expected results:
Plain text should never be used for passwords
Fix merged upstream.
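An added example, not the upstream Heat fix and not code from this bug: one way to keep the debug line from the affected to_json() while masking secret values before they reach the log. It uses only the standard library in place of jsonutils and six; the logger name, the SENSITIVE_FRAGMENTS list, the mask_secrets() helper and the sample payload are assumptions made for illustration.

```python
import datetime
import json
import logging

LOG = logging.getLogger("heat.example")  # hypothetical logger name
# Assumed key fragments that mark a value as secret; not taken from Heat.
SENSITIVE_FRAGMENTS = ("password", "secret", "token")
MASK = "***"


def _is_sensitive(key):
    return isinstance(key, str) and any(
        frag in key.lower() for frag in SENSITIVE_FRAGMENTS)


def mask_secrets(obj):
    """Return a copy of obj with values under sensitive keys replaced."""
    if isinstance(obj, dict):
        return {k: MASK if _is_sensitive(k) else mask_secrets(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [mask_secrets(v) for v in obj]
    return obj


def sanitizer(obj):
    # Same role as the sanitizer in the affected code.
    if isinstance(obj, datetime.datetime):
        return obj.isoformat()
    return str(obj)


def to_json(data):
    """Serialize data unchanged for the client; log only a masked copy."""
    response = json.dumps(data, default=sanitizer)
    if LOG.isEnabledFor(logging.DEBUG):  # skip the extra copy unless needed
        masked = json.dumps(mask_secrets(data), default=sanitizer)
        LOG.debug("JSON response : %s", masked)
    return response


# Constructed sample payload; the password value is made up.
SAMPLE = {"stack": {
    "parameters": {"AdminPassword": "s3cr3t-constructed",
                   "NeutronFlatNetworks": "datacentre"},
    "updated_time": datetime.datetime(2017, 2, 21, 12, 0, 0)}}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    to_json(SAMPLE)
```

Matching on key names is a heuristic: a secret stored under an unrelated key, or embedded inside a string value, is not masked by this helper.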