So to summarize the digging done by myself/Julia/Dan:
- oslo.messaging is serializing context into the notification objects explicitly in drivers; what oslo_messaging.notify.notifier.Notifier._notify calls serialize_context
- Depending on what driver, that does different things:
-- Logging driver does not end up serializing items from context.
-- AMQP/Kafka driver *does* end up serializing items from context, including security-sensitive items such as auth_token
This means any project that supports notifications via oslo.messaging, with a populated context being passed in, will be impacted by this bug.
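
One way to keep auth_token out of driver-serialized notification context, as an added example that is not oslo.messaging's or any project's own code: a wrapper exposing the four method names of an oslo.messaging serializer masks sensitive keys in serialize_context, and leaked_keys checks a message dict for leftovers. The class and function names, the `<redacted>` marker and the sample context are assumptions; only auth_token comes from the comment above.

```python
# Added example, not oslo.messaging code; method names mirror its Serializer.
REDACTED = "<redacted>"
# Constructed sample of a serialized request context (all values are fake).
SAMPLE_CTXT = {"user_id": "u-1", "auth_token": "tok-constructed", "roles": ["admin"]}


class RedactingContextSerializer:
    """Wrap an optional base serializer; mask sensitive context keys outbound."""

    def __init__(self, base=None, sensitive_keys=("auth_token",)):
        self._base = base
        self._sensitive = frozenset(sensitive_keys)

    def _scrub(self, value):
        if isinstance(value, dict):  # builds a new dict, input is not mutated
            return {k: REDACTED if k in self._sensitive else self._scrub(v)
                    for k, v in value.items()}
        if isinstance(value, (list, tuple)):
            return [self._scrub(v) for v in value]
        return value

    def serialize_context(self, ctxt):
        if self._base is not None:
            ctxt = self._base.serialize_context(ctxt)
        elif hasattr(ctxt, "to_dict"):  # context objects exposing to_dict()
            ctxt = ctxt.to_dict()
        return self._scrub(ctxt)

    def deserialize_context(self, ctxt):
        return self._base.deserialize_context(ctxt) if self._base else ctxt

    def serialize_entity(self, ctxt, entity):
        return self._base.serialize_entity(ctxt, entity) if self._base else entity

    def deserialize_entity(self, ctxt, entity):
        return self._base.deserialize_entity(ctxt, entity) if self._base else entity


def leaked_keys(node, sensitive_keys=("auth_token",), path=""):
    """Return sorted paths of sensitive keys that still carry a real value."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k in sensitive_keys and v not in (None, REDACTED):
                found.append(f"{path}/{k}")
            found += leaked_keys(v, sensitive_keys, f"{path}/{k}")
    elif isinstance(node, (list, tuple)):
        for i, v in enumerate(node):
            found += leaked_keys(v, sensitive_keys, f"{path}[{i}]")
    return sorted(found)
```

Scope a wrapper like this to the notification path only, since RPC consumers may still need the token carried in the context.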