eadc1341cc
Any python logging messages generated on the privileged side (that exceed the python logging level) are sent to the unprivileged side, where the actual write to the regular oslo.log logger occurs. Before, those priv->unpriv logging messages were dumb lines written to stderr. This meant the original severity level was lost, and the unpriv side made the arbitrary/conservative choice to always log them at WARNING. With this change, those priv->unpriv logging messages are sent down the regular priv<->unpriv communication channel using a new "out of band" mechanism. The messages now include the original severity level, which the unpriv side now honours. And there was much rejoicing. Any lines that *do* end up on stderr (using the exec method) will continue to be logged at WARNING, since these will most likely be "privsep-helper command not found" or similarly important. Change-Id: Ifc63aedbec4ababefd2138cb73b348e2698db4ad Closes-Bug: #1593743
oslo.privsep
OpenStack library for privilege separation
This library helps applications perform actions which require more or less privileges than they were started with in a safe, easy to code and easy to use manner. For more information on why this is generally a good idea please read over the principle of least privilege and the specification which created this library.
- Free software: Apache license
- Documentation: http://docs.openstack.org/developer/oslo.privsep
- Source: http://git.openstack.org/cgit/openstack/oslo.privsep
- Bugs: http://bugs.launchpad.net/oslo.privsep