From cd1a412408f068aeef97c1ee368400307fce7733 Mon Sep 17 00:00:00 2001 From: Matt Riedemann Date: Wed, 5 Oct 2016 21:11:16 -0400 Subject: [PATCH] Mask passwords in debug logs for auth_config_hook The auth config hook can have credentials in it so we have to mask the config before logging it. To avoid doing the work of masking the password if we aren't going to log it, there is a conditional put around the actual debug statement. Change-Id: I8e626672ec94fc837610216bccb4354dbdedca17 Closes-Bug: #1630822 --- openstackclient/common/client_config.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openstackclient/common/client_config.py b/openstackclient/common/client_config.py index 30286df8af..d6297753b4 100644 --- a/openstackclient/common/client_config.py +++ b/openstackclient/common/client_config.py @@ -17,6 +17,8 @@ import logging from os_client_config import config from os_client_config import exceptions as occ_exceptions +from oslo_utils import strutils +import six LOG = logging.getLogger(__name__) @@ -180,7 +182,9 @@ class OSC_Config(config.OpenStackConfig): config = self._auth_v2_ignore_v3(config) config = self._auth_default_domain(config) - LOG.debug("auth_config_hook(): %s" % config) + if LOG.isEnabledFor(logging.DEBUG): + LOG.debug("auth_config_hook(): %s", + strutils.mask_password(six.text_type(config))) return config def load_auth_plugin(self, config):