From 2902a7bcd6b839525a632b0102c5589d2e50f0c8 Mon Sep 17 00:00:00 2001
From: Ken'ichi Ohmichi 
Date: Sat, 14 Jul 2018 02:31:03 +0000
Subject: [PATCH] Omit X-Subject-Token from log

I213585e691f58e380a4be463b493591f1449422e has omitted x-subject-token from response log, but clients specify the same token on a request header on Keystone API and that is output on the log. Actually the following log is output at the gate: http://logs.openstack.org/62/581162/2/check/tempest-full/835acee/controller/logs/tempest_log.txt 2018-07-10 00:44:36.563 23617 DEBUG tempest.lib.common.rest_client [req-20615e7c-76b6-4f6a-84c2-d3489a755000 ] Request - Headers: {'X-Subject-Token': 'gAAAAABbRAF0Lv0N7i4o-5hPjcI ZYXXKt1cxoo5FPUP_ukWuY_6_-4 S8oRXOkTfgReg0G9GT87Qiw4Gbd..', 'X-Auth-Token': ''} Body: None Response - Headers: {u'content-type': 'application/json', u'x-subject-token': '', .., 'status': '200'} Body: _log_request_full tempest/lib/common/rest_client.py:434 This makes the log omitted as the same reason.

Change-Id: Iedd36f8feb9784553559ed5c79e7be2012d675f5
---
 .../omit_X-Subject-Token_from_log-1bf5fef88c80334b.yaml | 7 +++++++
 tempest/lib/common/rest_client.py | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 releasenotes/notes/omit_X-Subject-Token_from_log-1bf5fef88c80334b.yaml
diff --git a/releasenotes/notes/omit_X-Subject-Token_from_log-1bf5fef88c80334b.yaml b/releasenotes/notes/omit_X-Subject-Token_from_log-1bf5fef88c80334b.yaml
new file mode 100644
index 0000000000..51c8f79e00
--- /dev/null
+++ b/releasenotes/notes/omit_X-Subject-Token_from_log-1bf5fef88c80334b.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ The x-subject-token of a response header is ommitted from log,
+ but clients specify the same token on a request header on
+ Keystone API and that was not omitted. In this release,
+ that has been omitted for a security reason.
diff --git a/tempest/lib/common/rest_client.py b/tempest/lib/common/rest_client.py
index 22276d4d4f..bc9cfe22ea 100644
--- a/tempest/lib/common/rest_client.py
+++ b/tempest/lib/common/rest_client.py
@@ -416,6 +416,8 @@ class RestClient(object):
 resp_body=None, extra=None):
 if 'X-Auth-Token' in req_headers:
 req_headers['X-Auth-Token'] = ''
+ if 'X-Subject-Token' in req_headers:
+ req_headers['X-Subject-Token'] = ''
 # A shallow copy is sufficient
 resp_log = resp.copy()
 if 'x-subject-token' in resp_log:
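Review bot: The two added lines blank `X-Subject-Token` in `req_headers` itself, mutating the dict the caller handed in, while the response side a few lines below deliberately redacts a copy (`resp_log = resp.copy()`); the pre-existing `X-Auth-Token` line has the same asymmetry. If a caller reuses that same dict after logging (for instance on a retry), it would then send an empty token, so it is safer to mirror the response side: `req_log = req_headers.copy()`, blank both token keys in `req_log`, and pass `req_log` to the log statement later in the function. A secondary point: the request-side lookups are exact-case (`'X-Subject-Token'`) whereas HTTP header names are case-insensitive, so a client that sets the header in different casing would still have its token logged; a case-insensitive key match would close that gap. The enclosing function's signature begins before the hunk and its body, including the log call, continues after it.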