Description of problem: fixed_key value is logged in the cinder logs Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Set fixed_key value 2. 3. Actual results: It's logged in the logs Expected results: It shouldn't be logged Additional info:
This appears to be an OSP10 z8 regression introduced by bug 1547600. The code in OSP10 used to detect which values to mask by looking for "_key" in the config option name, but this was changed to fix another similar issue. We will need a fix like https://review.openstack.org/#/c/621686/ for this to be backported to OSP10.
@Sofia, there's some background on this issue, so poke Eric or I if you have questions.
@Alan, I'm waiting to https://review.openstack.org/#/c/625140/1 to be merged, so I could upstream backport to Newton and then downstream backport to OSP10.
Verified on: openstack-cinder-9.1.4-49.el7ost.noarch Installed OPS10 Configured fixed_key on cinder.conf [root@controller-0 ~]# grep fixed_key /etc/cinder/cinder.conf # Deprecated group/name - [keymgr]/fixed_key #fixed_key = <None> fixed_key=04d6b077d60e323711b37813b3a68a71 restart cinder [root@controller-0 ~]# systemctl restart openstack-cinder-api.service [root@controller-0 ~]# systemctl restart openstack-cinder-volume.service grep fixed_key in cinder's log -> [root@controller-0 ~]# grep -irn fixed_key /var/log/cinder/ /var/log/cinder/api.log:1449:2019-03-31 14:46:01.610 61696 DEBUG oslo_service.service [req-2eaf0f8e-9daa-4936-94e2-152ae8af4d71 - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/api.log:2954:2019-03-31 14:50:12.670 90599 DEBUG oslo_service.service [req-81d0ac35-a3a5-44d8-a69d-069a430ecc6c - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/api.log:4459:2019-03-31 15:12:56.360 249523 DEBUG oslo_service.service [req-fcb2d120-9569-4d9b-a44b-e9381a05c736 - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/volume.log:402:2019-03-31 14:56:00.394 125458 DEBUG oslo_service.service [req-1ec85793-7155-4d50-9909-8ebb4ca58824 - - - - -] key_manager.fixed_key = **** log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2630 /var/log/cinder/volume.log:969:2019-03-31 15:13:35.613 252190 DEBUG oslo_service.service [req-99254f91-3c77-4a4b-89b6-33bf058b08df - - - - -] key_manager.fixed_key = **** log_opt_v As can be seen we only see ***** Lets be extra sure, look for part of the key in the logs: [root@controller-0 ~]# grep -irn 04d6b077 /var/log/cinder/ [root@controller-0 ~]# Again nothing found, looks good to verify
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0917