Do not default pecan_debug to CONF.debug

Pecan's debug mode can be terribly insecure; 500 errors return a
Python traceback, the full list of environment variables, and a
button to replay the request with a breakpoint.

Deployers often run OpenStack services in debug mode; doing so should
not open the service up to these flaws. Defaulting pecan_debug to
CONF.debug makes this easy to accidentally do. So, default it to False
rather than riding on top of CONF.debug.

Change-Id: I70f9c9807d16aa50df4d5e16ba2a29575f8b165e
Closes-Bug: #1425206
DocImpact

ceilometer/api/app.py

@@ -46,9 +46,8 @@ OPTS = [
 
 API_OPTS = [
     cfg.BoolOpt('pecan_debug',
-                help='Toggle Pecan Debug Middleware. '
-                'If it is not set, global debug value will be used.'
-                ),
+                default=False,
+                help='Toggle Pecan Debug Middleware.'),
 ]
 
 CONF.register_opts(OPTS)
@@ -78,8 +77,6 @@ def setup_app(pecan_config=None, extra_hooks=None):
 
     pecan.configuration.set_config(dict(pecan_config), overwrite=True)
 
-    cfg.set_defaults(API_OPTS, pecan_debug=CONF.debug)
-
     # NOTE(sileht): pecan debug won't work in multi-process environment
     pecan_debug = CONF.api.pecan_debug
     if service.get_workers('api') != 1 and pecan_debug:

ceilometer/tests/api/test_app.py

@@ -50,7 +50,7 @@ class TestApp(base.BaseTestCase):
             self.assertEqual(expected, kwargs.get('debug'))
 
         _check_pecan_debug(g_debug=False, p_debug=None, expected=False)
-        _check_pecan_debug(g_debug=True, p_debug=None, expected=True)
+        _check_pecan_debug(g_debug=True, p_debug=None, expected=False)
         _check_pecan_debug(g_debug=True, p_debug=False, expected=False)
         _check_pecan_debug(g_debug=False, p_debug=True, expected=True)
         _check_pecan_debug(g_debug=True, p_debug=None, expected=False,