vault: Hide values used for authentication

The following options are used for authentication with Vault, so should
be hidden from logs.

1) root_token_id
This is not actually an id but a token string

2) approle_role_id and approle_secret_id
These are used together to obtain token

Closes-Bug: #2058397
Change-Id: I0650fd12e3f51fc4d829e0be3ab95cd8b3ee03ea
This commit is contained in:
Takashi Kajinami 2024-03-20 00:24:17 +09:00
parent b6edfda344
commit 82e1782b39

View File

@ -28,10 +28,13 @@ DEFAULT_MOUNTPOINT = "secret"
vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin') vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin')
vault_opts = [ vault_opts = [
cfg.StrOpt('root_token_id', cfg.StrOpt('root_token_id',
secret=True,
help='root token for vault'), help='root token for vault'),
cfg.StrOpt('approle_role_id', cfg.StrOpt('approle_role_id',
secret=True,
help='AppRole role_id for authentication with vault'), help='AppRole role_id for authentication with vault'),
cfg.StrOpt('approle_secret_id', cfg.StrOpt('approle_secret_id',
secret=True,
help='AppRole secret_id for authentication with vault'), help='AppRole secret_id for authentication with vault'),
cfg.StrOpt('kv_mountpoint', cfg.StrOpt('kv_mountpoint',
default=DEFAULT_MOUNTPOINT, default=DEFAULT_MOUNTPOINT,