*** gyee has quit IRC | 00:04 | |
*** markvoelker has joined #openstack-security | 00:50 | |
*** ricolin has joined #openstack-security | 01:36 | |
*** irclogbot_0 has quit IRC | 02:26 | |
*** irclogbot_2 has joined #openstack-security | 02:30 | |
*** batshadow has joined #openstack-security | 03:21 | |
*** batshadow has quit IRC | 04:47 | |
*** Luzi has joined #openstack-security | 06:02 | |
*** tesseract has joined #openstack-security | 06:41 | |
*** rcernin has quit IRC | 07:00 | |
*** markvoelker has quit IRC | 07:03 | |
*** markvoelker has joined #openstack-security | 07:03 | |
*** pcaruana has joined #openstack-security | 07:07 | |
*** markvoelker has quit IRC | 07:08 | |
*** trident has quit IRC | 08:04 | |
*** trident has joined #openstack-security | 08:05 | |
*** markvoelker has joined #openstack-security | 09:04 | |
*** ricolin has quit IRC | 09:15 | |
*** markvoelker has quit IRC | 09:38 | |
*** markvoelker has joined #openstack-security | 10:35 | |
*** markvoelker has quit IRC | 11:08 | |
*** dave-mccowan has joined #openstack-security | 11:33 | |
*** markvoelker has joined #openstack-security | 11:59 | |
*** Luzi has quit IRC | 12:54 | |
*** dave-mccowan has quit IRC | 13:12 | |
*** dave-mccowan has joined #openstack-security | 13:15 | |
*** ricolin has joined #openstack-security | 13:49 | |
*** pcaruana has quit IRC | 14:10 | |
*** pcaruana has joined #openstack-security | 14:29 | |
*** dave-mccowan has quit IRC | 14:52 | |
*** dave-mccowan has joined #openstack-security | 14:53 | |
gagehugo | security SIG meeting in ~5 minutes | 14:54 |
---|---|---|
*** macza has joined #openstack-security | 15:38 | |
*** abhi89 has joined #openstack-security | 16:07 | |
abhi89 | Hi All.. i recently observed that webob.dec is logging http request info as INFO in log files of various openstack services.. the request contains token also.. | 16:08 |
abhi89 | we can always set the permissions of the log files to be very restrictive, but isn't it a bad practice to log the token info in log files.. it's still a risk right! | 16:09 |
*** pcaruana has quit IRC | 16:09 | |
gagehugo | yeah, logging tokens to file isn't great | 16:10 |
abhi89 | 2019-05-23 02:58:08.717 3466 INFO webob.dec [req-xxx 2c9 db5f1545fbxxxa57 74e00bcc61b24a9489b261d279432a57] {'self': <wsgify at 70366983656144 wrappi ng <bound method FaultWrapper.__call__ of <xx.api.middleware.fault.FaultWrapper object at 0x3fff962e3550>>>, 'args': (<function start_re sponse at 0x3fff96317500>,), 'kw': {}, 'req': {'HTTP_X_FORWARDED_SERVER': 'xx', 'SCRIPT_NAME': '/v1.0', 'REQUEST_ME THOD': 'GET', | 16:11 |
abhi89 | 'PATH_INFO': '/server_data', 'SERVER_PROTOCOL': 'HTTP/1.0', 'QUERY_STRING': 'all_tenants=True&include_names=True', 'HTTP_X_AUTH_TOKEN ': 'gAAAAABc5kSAe6tUgRTio4xxxxxxxxxxxAErvDey5ZCiFQx6Hp8eJy-geqnI9DgJsVd7yLG4TX gm6NDXd6a0ygbiC0VhImSC-3pcm0NYxRDVIWChC4wxxxxxxOzXBpWGEBS2c2cHer_Q6t6zE6XVw-b3fWu_hgp-U5Ppj_nR6C', 'HTTP_USER_AGENT':middleware', 'HTTP_CONNECTION': 'Keep-Alive', 'REMOTE_PORT': '39356', 'SERVER_NAME': '127.0.0.1' | 16:11 |
abhi89 | gagehugo: can something be done about this! maybe a bug | 16:11 |
*** gyee has joined #openstack-security | 16:16 | |
gagehugo | this is on INFO right? | 16:16 |
gagehugo | keystoneclient redacts tokens in the header: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L168 | 16:23 |
gagehugo | so this kinda sounds like webob | 16:23 |
*** abhishek has joined #openstack-security | 16:32 | |
abhishek | gagehugo: maybe.. i think that INFO is getting logged from webob library itself.. but i can't find where exactly | 16:33 |
*** abhi89 has quit IRC | 16:33 | |
gagehugo | hmmm ok | 16:33 |
abhishek | gagehugo: can anything be done to resolve it or we just have to live with it! | 16:36 |
gagehugo | avoid logging INFO to file for now I would assume is a band-aid, or have something redact it | 16:37 |
abhishek | gagehugo: yes, we can just avoid the INFO logging for webob objects.. any idea where exactly this is getting logged in code in webob? i tried to find but no luck.. | 16:41 |
gagehugo | hmm | 16:46 |
abhishek | i will open a LP bug for this.. we can discuss more there.. | 16:51 |
*** ricolin has quit IRC | 16:55 | |
*** pcaruana has joined #openstack-security | 17:00 | |
*** abhishek has quit IRC | 18:05 | |
*** tesseract has quit IRC | 19:05 | |
*** pcaruana has quit IRC | 20:47 | |
gagehugo | fungi nickthetait redrobot: https://etherpad.openstack.org/p/security-sig-newsletter from today's meeting | 20:52 |
gagehugo | was thinking about sending it out each Friday | 20:53 |
redrobot | gagehugo, I like it. | 20:58 |
fungi | abhishek seems to have disappeared, but if they return i suspect webob.dec log verbosity can be adjusted with standard python logging configuration | 21:02 |
fungi | gagehugo: you might put the vmt report section before the open bugs list, since the latter is likely to be lengthy | 21:02 |
fungi | also, consider making it a monthly newsletter if it's going to be sparse and non-time-sensitive. might be less work overall? | 21:03 |
fungi | but can always start out weekly and then switch to biweekly or monthly later if warranted | 21:03 |
*** macza has quit IRC | 23:03 | |
*** rcernin has joined #openstack-security | 23:19 | |
*** batshadow has joined #openstack-security | 23:25 | |
*** batshadow has quit IRC | 23:39 | |
*** trident has quit IRC | 23:51 | |
*** trident has joined #openstack-security | 23:53 |