From 5870f9534f5925d35b559721a3d64e9a9fe34c80 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 12 Sep 2025 10:13:44 +0900 Subject: [PATCH 1/2] Hide credentials in contexts from logs Do not record the full context values in plain format, because these may contain sensitive values such as request token. Use the generic mask feature to detect potentially sensitive fields and replace raw values by '***'. Story: 2011523 Task: 52787 Change-Id: Ic997d36ec188b390473437c874085ef9a8c41f2f Signed-off-by: Takashi Kajinami (cherry picked from commit 56af0155632a3a962a8bd3e04cc0cd249ab5be54) --- cloudkitty/common/policy.py | 15 ++++++++++----- .../hide-token-from-log-e29066d6c93f3ed4.yaml | 6 ++++++ 2 files changed, 16 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml diff --git a/cloudkitty/common/policy.py b/cloudkitty/common/policy.py index 9d55e1f8..0aac973b 100644 --- a/cloudkitty/common/policy.py +++ b/cloudkitty/common/policy.py @@ -23,6 +23,7 @@ from oslo_policy import opts as policy_opts from oslo_policy import policy from oslo_utils import excutils +from oslo_utils import strutils from cloudkitty.common import policies @@ -108,8 +109,9 @@ def authorize(context, action, target): init() try: - LOG.debug('Authenticating user with credentials %(credentials)s', - {'credentials': context.to_dict()}) + LOG.debug( + 'Authenticating user with credentials %(credentials)s', + {'credentials': strutils.mask_dict_password(context.to_dict())}) return _ENFORCER.authorize(action, target, context, do_raise=True, exc=PolicyNotAuthorized, @@ -120,9 +122,12 @@ def authorize(context, action, target): LOG.exception('Policy not registered') except Exception: with excutils.save_and_reraise_exception(): - LOG.error('Policy check for %(action)s failed with credentials ' - '%(credentials)s', - {'action': action, 'credentials': context.to_dict()}) + LOG.error( + 'Policy check for %(action)s failed with credentials ' + '%(credentials)s', { + 'action': action, + 'credentials': strutils.mask_dict_password( + context.to_dict())}) def check_is_admin(context): diff --git a/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml new file mode 100644 index 00000000..2e78c723 --- /dev/null +++ b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Previously, cloudkitty-api recorded request token in plain text format when + a request does not comply with policy rules or debug log is enabled. This + has been fixed and now token is masked in logs. From 0f3fde50ab45225e7c9cfe34a2feda55647b6bdc Mon Sep 17 00:00:00 2001 From: OpenStack Release Bot Date: Fri, 31 Oct 2025 11:37:08 +0000 Subject: [PATCH 2/2] Update .gitreview for unmaintained/2024.1 Change-Id: Ia86e424ff300111f3cf6f2c9db815feb07ea0a27 Signed-off-by: OpenStack Release Bot Generated-By: openstack/project-config:roles/copy-release-tools-scripts/files/release-tools/functions --- .gitreview | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitreview b/.gitreview index da5282e5..c630ffa8 100644 --- a/.gitreview +++ b/.gitreview @@ -2,4 +2,4 @@ host=review.opendev.org port=29418 project=openstack/cloudkitty.git -defaultbranch=stable/2024.1 +defaultbranch=unmaintained/2024.1