Limit logged headers in proxy_logging middleware

Currently all headers are logged if access_log_headers are enabled in
proxy_logging middleware. By adding the option access_log_headers_only
it is now possible to limit the logged headers to the given header values.

DocImpact
Change-Id: I0a1e40567c9eddc9bb00dd00373dc6eeb33d347c

etc/proxy-server.conf-sample

@@ -466,6 +466,11 @@ use = egg:swift#proxy_logging
 # access_log_statsd_metric_prefix =
 # access_log_headers = false
 #
+# If access_log_headers is True and access_log_headers_only is set only
+# these headers are logged. Multiple headers can be defined as comma separated
+# list like this: access_log_headers_only = Host, X-Object-Meta-Mtime
+# access_log_headers_only =
+#
 # By default, the X-Auth-Token is logged. To obscure the value,
 # set reveal_sensitive_prefix to the number of characters to log.
 # For example, if set to 12, only the first 12 characters of the

swift/common/middleware/proxy_logging.py

@@ -77,7 +77,7 @@ from urllib import quote, unquote
 from swift.common.swob import Request
 from swift.common.utils import (get_logger, get_remote_client,
                                 get_valid_utf8_str, config_true_value,
-                                InputProxy)
+                                InputProxy, list_from_csv)
 from swift.common.constraints import MAX_HEADER_SIZE
 
 QUOTE_SAFE = '/:'
@@ -93,6 +93,10 @@ class ProxyLoggingMiddleware(object):
         self.log_hdrs = config_true_value(conf.get(
             'access_log_headers',
             conf.get('log_headers', 'no')))
+        log_hdrs_only = list_from_csv(conf.get(
+            'access_log_headers_only', ''))
+        self.log_hdrs_only = [x.title() for x in log_hdrs_only]
+
         # The leading access_* check is in case someone assumes that
         # log_statsd_valid_http_methods behaves like the other log_statsd_*
         # settings.
@@ -151,8 +155,14 @@ class ProxyLoggingMiddleware(object):
             the_request = the_request + '?' + req.query_string
         logged_headers = None
         if self.log_hdrs:
-            logged_headers = '\n'.join('%s: %s' % (k, v)
+            if self.log_hdrs_only:
-                                       for k, v in req.headers.items())
+                logged_headers = '\n'.join('%s: %s' % (k, v)
+                                           for k, v in req.headers.items()
+                                           if k in self.log_hdrs_only)
+            else:
+                logged_headers = '\n'.join('%s: %s' % (k, v)
+                                           for k, v in req.headers.items())
+
         method = self.method_from_req(req)
         end_gmtime_str = time.strftime('%d/%b/%Y/%H/%M/%S',
                                        time.gmtime(end_time))

test/unit/common/middleware/test_proxy_logging.py

@@ -343,6 +343,26 @@ class TestProxyLogging(unittest.TestCase):
             headers = unquote(log_parts[14]).split('\n')
             self.assert_('Host: localhost:80' in headers)
 
+    def test_access_log_headers_only(self):
+        app = proxy_logging.ProxyLoggingMiddleware(
+            FakeApp(), {'log_headers': 'yes',
+                        'access_log_headers_only': 'FIRST, seCond'})
+        app.access_logger = FakeLogger()
+        req = Request.blank('/',
+                            environ={'REQUEST_METHOD': 'GET'},
+                            headers={'First': '1',
+                                     'Second': '2',
+                                     'Third': '3'})
+        resp = app(req.environ, start_response)
+        # exhaust generator
+        [x for x in resp]
+        log_parts = self._log_parts(app)
+        headers = unquote(log_parts[14]).split('\n')
+        self.assert_('First: 1' in headers)
+        self.assert_('Second: 2' in headers)
+        self.assert_('Third: 3' not in headers)
+        self.assert_('Host: localhost:80' not in headers)
+
     def test_upload_size(self):
         app = proxy_logging.ProxyLoggingMiddleware(FakeApp(),
                                                    {'log_headers': 'yes'})