From 81a838cc24da73e86e2cc85e06b21265fb960875 Mon Sep 17 00:00:00 2001
From: Abhishek Kekane
Date: Tue, 11 Nov 2025 17:10:52 +0000
Subject: [PATCH] s3: Do not log access keys
Recent credential change for s3 has introduced one debug log which can leak access information of s3 store. This change avoids logging URI in the log.
Closes-Bug: #2131085
Change-Id: I1e7fe0720581dfa815b5e0cd2b01379cab2a5f33
Signed-off-by: Abhishek Kekane
---
 glance/common/store_utils.py | 4 ++--
 glance/tests/unit/common/test_utils.py | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/glance/common/store_utils.py b/glance/common/store_utils.py
index d592e36c54..57f417d62f 100644
--- a/glance/common/store_utils.py
+++ b/glance/common/store_utils.py
@@ -301,8 +301,8 @@ def _update_s3_location_and_store_id(context, loc):
 location_map = store_api.location.SCHEME_TO_CLS_BACKEND_MAP
 if scheme not in location_map:
- LOG.debug("Unknown scheme '%(scheme)s' found in uri '%(uri)s'",
- {'scheme': scheme, 'uri': uri})
+ LOG.debug("Unknown scheme '%(scheme)s' found in uri",
+ {'scheme': scheme})
 return False
 # URL format: s3://key:secret@host/bucket/object
diff --git a/glance/tests/unit/common/test_utils.py b/glance/tests/unit/common/test_utils.py
index 02a4d3b3ea..5b70d80c96 100644
--- a/glance/tests/unit/common/test_utils.py
+++ b/glance/tests/unit/common/test_utils.py
@@ -1208,9 +1208,10 @@ class S3CredentialUpdateTestCase(test_utils.BaseTestCase):
 # URL should remain unchanged
 self.assertEqual(location['url'], original_url)
 # Verify that the debug log was called for unknown scheme
+ # Note: URI is not logged for S3 schemes to avoid credential exposure
 mock_log.debug.assert_called_once_with(
- "Unknown scheme '%(scheme)s' found in uri '%(uri)s'",
- {'scheme': 's3', 'uri': 's3://key:secret@bucket/object'})
+ "Unknown scheme '%(scheme)s' found in uri",
+ {'scheme': 's3'})
 @mock.patch('glance.common.store_utils.store_api')
 @mock.patch('glance.common.store_utils.CONF')
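Review bot: Nothing in the new `LOG.debug` call in `_update_s3_location_and_store_id` records why `uri` was left out, so a later debugging change could put it back; the only explanation sits in the unit test. A comment directly above the call would keep the reason with the code, for example `# NOTE: never log the raw uri; s3 locations embed key:secret@host`. If operators need something to correlate on, log only a non-secret part of the location rather than the whole string. The function body starts and continues outside this hunk, so whether other log calls in it still receive `uri` cannot be checked from here and is worth a look.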
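Review bot: The updated assertion in `S3CredentialUpdateTestCase` pins the arguments of a single `mock_log.debug` call, so it would not notice the credentials coming back through another log level on the same logger. Adding `self.assertNotIn('secret', str(mock_log.mock_calls))` after it states the no-leak property directly and keeps guarding it if the message text changes. The added comment says the URI is omitted "for S3 schemes", while the patched branch in store_utils.py omits it for every unknown scheme; `# Note: the URI is never logged here because it may embed credentials` matches the behaviour. The test method itself starts outside the hunk.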