qpid-dev mailing list archives

From "Gordon Sim (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-5772) Security: after open debug log for qpid, python qpid driver will print all information including sensitive data
Date Mon, 23 Jun 2014 08:07:24 GMT

    [ https://issues.apache.org/jira/browse/QPID-5772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14040507#comment-14040507 ]

Gordon Sim commented on QPID-5772:
----------------------------------

There are three log 'categories' (i.e. different Logger instances used): qpid.messaging, qpid.messaging.io.ops
and qpid.messaging.io.raw and you can control these independently. So one option is not to
log at debug for qpid.messaging.io, which still allows the qpid.messaging log entries to be
enabled at DEBUG level if desired.

If you must have the io logs enabled, and want to only omit certain details from them, you
could write a filter for that (https://docs.python.org/2/library/logging.html#logging.Filter).
Note that it is not actually messages that are logged (i.e. not instances of Message) but various
protocol 'frames' or 'commands'.

> Security: after open debug log for qpid, python qpid driver will print all information including sensitive data
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-5772
>                 URL: https://issues.apache.org/jira/browse/QPID-5772
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Client
>            Reporter: zhu zhu
>              Labels: debuglog, security,
>
> For example, logs as below. 
> Is it possible to have Qpid to provide options/configurations to NOT print certain credential
> fields in the debug logs? It will benefit product security that are adopting QPID as amqp implementation.
>
> Such as messaging/driver.py writeable, write method
> rawlog.debug("SENT[%s]: %r", self.log_id, sent)
> opslog.debug("RCVD[%s]: %r", self.log_id, op)
> opslog.debug("SENT[%s]: %r", self.log_id, op)
> log.debug("RACK[%s]: %s", sst.session.log_id, msg)
> ...
>  
> 2014-05-15 04:07:07.756 19781 DEBUG qpid.messaging [-] SENT[3ae25a8]: Message(ttl=60,
properties={'qpid.subject': 'topic/nova/conductor'}, content={'oslo.message': '{"_context_roles":
["_member_", "admin"], "_msg_id": "7216c147b92048b38a779e0a37506edf", "_context_quota_class":
null, "_context_request_id": "req-4e6960a0-89e2-410b-b67c-2fcda1b526e2", "_context_service_catalog":
[{"endpoints_links": [], "endpoints": [{"adminURL": "http://9.123.137.154:8776/v1/c33546258c0a4733aa8eb56418df6438",
"region": "RegionOne", "publicURL": "http://9.123.137.154:8776/v1/c33546258c0a4733aa8eb56418df6438",
"internalURL": "http://9.123.137.154:8776/v1/c33546258c0a4733aa8eb56418df6438", "id": "165be0534de5425daed4ee40da0d2f47"}],
"type": "volume", "name": "cinder"}], "args": {"values": {"instance_uuid": "0b39e666-aa4e-4f54-89f8-2bc0f5d86e89",
"start_time": "2014-05-15T09:07:07.750051", "event": "compute_terminate_instance", "request_id":
"req-4e6960a0-89e2-410b-b67c-2fcda1b526e2"}}, "_unique_id": "e7392f1384134643bba0966088fcdaad",
"_context_user": "f36557892ea44962b8b6e9f1897f2605", "_context_user_id": "f36557892ea44962b8b6e9f1897f2605",
"_context_project_name": "service", "_context_read_deleted": "no", "_reply_q": "reply_02768c332dd445d79ce253efd75b32b8",
"_context_auth_token": "202cdaf88b284afeafbbc77dc10f9058", "_context_tenant": "c33546258c0a4733aa8eb56418df6438",
"_context_instance_lock_checked": false, "_context_is_admin": true, "version": "2.0", "_context_project_id":
"c33546258c0a4733aa8eb56418df6438", "_context_timestamp": "2014-05-15T09:07:07.482164", "_context_user_name":
"admin", "method": "action_event_start", "_context_remote_address": "9.123.137.154"}', 'oslo.version':
'2.0'}) send /usr/lib/python2.6/site-packages/qpid/messaging/driver.py:1283



--
This message was sent by Atlassian JIRA
(v6.2#6252)
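
Added example, not part of the original message or of Qpid's own code: one way to write the `logging.Filter` suggested in the comment above, rendering each record from the three qpid.messaging loggers and masking values of sensitive-looking keys. The key-name fragments (token, password, secret), the names `redact`, `QpidRedactingFilter` and `demo`, and the sample frame are assumptions made for illustration.

```python
import io
import logging
import re

# Assumption: key names containing these fragments carry credentials.
_SENSITIVE = re.compile(
    r"""(?P<key>["'][^"']*(?:token|password|secret)[^"']*["']\s*:\s*)"""
    r"""(?P<q>["'])(?:(?!(?P=q)).)*(?P=q)""",
    re.IGNORECASE,
)

def redact(text):
    """Mask quoted string values of sensitive-looking keys in rendered text."""
    return _SENSITIVE.sub(r"\g<key>\g<q>***\g<q>", text)

class QpidRedactingFilter(logging.Filter):
    """Redact records from the qpid.messaging logger tree; pass others as-is."""

    PREFIX = "qpid.messaging"

    def filter(self, record):
        if record.name == self.PREFIX or record.name.startswith(self.PREFIX + "."):
            # Render first: the driver passes objects and logs their %r, so the
            # sensitive text only exists after formatting.
            record.msg = redact(record.getMessage())
            record.args = ()
        return True  # never drop the record, only rewrite it

def demo():
    """Log one constructed frame through a filtered handler; return the output."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attach to the handler: a filter on the "qpid.messaging" logger would not
    # see records logged on its children qpid.messaging.io.ops / .io.raw.
    handler.addFilter(QpidRedactingFilter())
    log = logging.getLogger("qpid.messaging.io.ops")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample shaped like the log line in the report (values made up).
    frame = {"oslo.message": '{"_context_auth_token": "constructed-0000", '
                             '"method": "action_event_start"}'}
    try:
        log.debug("SENT[%s]: %r", "constructed-id", frame)
    finally:
        log.removeHandler(handler)
    return buf.getvalue()
```

Only quoted string values are masked; the raw logger's byte-level output and non-string values would need their own patterns.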
