The ceilometer-agent-central is always writing the contents of polling.yaml to its log file (and as INFO) [1]
This presents a security risk if e.g. resources contain sensitive information like when specifying snmp targets with the url containing the username, password etc.
There are a couple of ways we could solve this, namely: (1) don't log this info at all, (2) sanitise the contents prior to logging as DEBUG, (3) switch to using config for the snmp credentials in a similar way to how the Triple0Discoverer does it [2] - this would only support having the same creds everywhere though, which may not be desirable.
[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24
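
A sketch of what option (2) could look like, added here as an illustration and not taken from Ceilometer's code: the parsed polling definition is walked recursively, URL userinfo and password-like query values are masked, and the result is logged at DEBUG. The function names, the sample config, and the rule that any query parameter with "pass" in its name is a secret are assumptions.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOG = logging.getLogger(__name__)
MASK = "***"


def mask_url(value):
    """Mask userinfo and password-like query values in a URL string."""
    if not isinstance(value, str) or "://" not in value:
        return value  # meter names, intervals etc. pass through untouched
    try:
        parts = urlsplit(value)
    except ValueError:
        return MASK  # unparseable URL: hide it entirely rather than leak it
    userinfo, at, hostport = parts.netloc.rpartition("@")
    # The whole userinfo is masked: an SNMP v2c "user" is the community string.
    netloc = MASK + "@" + hostport if at else parts.netloc
    pairs = [(k, MASK if "pass" in k.lower() else v)  # assumption: naming rule
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(netloc=netloc,
                                     query=urlencode(pairs, safe="*")))


def sanitise(cfg):
    """Return a masked copy of a parsed polling definition (input unchanged)."""
    if isinstance(cfg, dict):
        return {k: sanitise(v) for k, v in cfg.items()}
    if isinstance(cfg, list):
        return [sanitise(v) for v in cfg]
    return mask_url(cfg)


def log_polling_config(cfg):
    """Log the masked definition at DEBUG instead of the raw one at INFO."""
    LOG.debug("Polling config: %s", sanitise(cfg))


# Constructed sample standing in for a parsed polling.yaml.
SAMPLE = {"sources": [{
    "name": "hw", "interval": 600, "meters": ["hardware.cpu.*"],
    "resources": [
        "snmp://monitor:s3cret@192.0.2.10:161",
        "snmp://v3user:authpw@[2001:db8::1]?priv_password=privpw&priv_proto=aes",
    ]}]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_polling_config(SAMPLE)
```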