Hide credentials in contexts from logs

Do not record the full context values in plain format, because these may contain sensitive values such as request token. Use the generic mask feature to detect potentially sensitive fields and replace raw values by '***'. Story: 2011523 Task: 52787 Change-Id: Ic997d36ec188b390473437c874085ef9a8c41f2f Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-09-12 10:13:44 +09:00
parent 4466ea82d0
commit 56af015563
2 changed files with 16 additions and 5 deletions
--- a/cloudkitty/common/policy.py
+++ b/cloudkitty/common/policy.py
@@ -22,6 +22,7 @@ from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_policy import policy
 from oslo_utils import excutils
+from oslo_utils import strutils

 from cloudkitty.common import policies

@@ -102,8 +103,9 @@ def authorize(context, action, target):
    init()

    try:
-        LOG.debug('Authenticating user with credentials %(credentials)s',
-                  {'credentials': context.to_dict()})
+        LOG.debug(
+            'Authenticating user with credentials %(credentials)s',
+            {'credentials': strutils.mask_dict_password(context.to_dict())})
        return _ENFORCER.authorize(action, target, context,
                                   do_raise=True,
                                   exc=PolicyNotAuthorized,
@@ -114,9 +116,12 @@ def authorize(context, action, target):
            LOG.exception('Policy not registered')
    except Exception:
        with excutils.save_and_reraise_exception():
-            LOG.error('Policy check for %(action)s failed with credentials '
-                      '%(credentials)s',
-                      {'action': action, 'credentials': context.to_dict()})
+            LOG.error(
+                'Policy check for %(action)s failed with credentials '
+                '%(credentials)s', {
+                    'action': action,
+                    'credentials': strutils.mask_dict_password(
+                        context.to_dict())})


 def check_is_admin(context):
--- a/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
+++ b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Previously, cloudkitty-api recorded request token in plain text format when
+    a request does not comply with policy rules or debug log is enabled. This
+    has been fixed and now token is masked in logs.