Properly log request headers in metadata API

Currently we log the request headers in the metadata API in a useless form: DEBUG nova.api.metadata.handler [None \ req-4b5eab00-e132-4551-b7f8-c80a238727a2 None None] \ Metadata request headers: <webob.headers.EnvironHeaders object \ at 0x7f2d6fdb5e90> {{(pid=9311) __call__ \ /opt/stack/nova/nova/api/metadata/handler.py:99}} This change builds a dict from the headers and then also masks any sensitive information before logging it, but only does this if debug logging is enabled. Closes-Bug: #1808879 Change-Id: I609d96293f7e77f59df3f33240f5fc4bb72470d0
2018-12-17 17:50:13 -05:00 · 2018-12-17 17:50:13 -05:00 · 454cc5c41c
parent 48ad73e1fa
commit 454cc5c41c
1 changed files with 7 additions and 1 deletions
--- a/nova/api/metadata/handler.py
+++ b/nova/api/metadata/handler.py
@ -22,6 +22,7 @@ import os
 from oslo_log import log as logging
 from oslo_utils import encodeutils
 from oslo_utils import secretutils as secutils
+from oslo_utils import strutils
 import six
 import webob.dec
 import webob.exc
@ -96,7 +97,12 @@ class MetadataRequestHandler(wsgi.Application):
            req.response.content_type = base.MIME_TYPE_TEXT_PLAIN
            return req.response

-        LOG.debug('Metadata request headers: %s', req.headers)
+        # Convert webob.headers.EnvironHeaders to a dict and mask any sensitive
+        # details from the logs.
+        if CONF.debug:
+            headers = {k: req.headers[k] for k in req.headers}
+            LOG.debug('Metadata request headers: %s',
+                      strutils.mask_dict_password(headers))
        if CONF.neutron.service_metadata_proxy:
            if req.headers.get('X-Metadata-Provider'):
                meta_data = self._handle_instance_id_request_from_lb(req)