I have tried the approach below, which is similar to what Morgan has suggested.
By adding a custom filter in the oslo logger and passing that logger from masakari to python-novaclient while creating its object, I am able to mask the required sensitive information in keystoneauth.
Below are the steps:
[1] I have added a custom PasswordMaskingFilter in oslo_log/log.py.
This filter masks the sensitive information using the oslo_utils "strutils.mask_password" method.
I have added this filter to the oslo logger which we get by calling the "getLogger" method of the oslo_log/log.py module.
+class PasswordMaskingFilter(logging.Filter):
+ """Demonstrate how to filter sensitive data:"""
+
+ def filter(self, record):
+ # The call signature matches string interpolation: args can be a tuple
+ # or a lone dict
+
+ # Use oslo_utils password masking method to sanitize data
+ record.msg = strutils.mask_password(record.msg)
+ return True
+
+
def getLogger(name=None, project='unknown', version='unknown'):
"""Build a logger with the given name.
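Review bot: In `filter()`, only `record.msg` is masked and `record.args` is left untouched, although the comment directly above says args can be a tuple or a lone dict. A call such as `LOG.debug("body: %s", body)` keeps the secret in `args`, and it is interpolated into the output after the filter has run. Suggest masking the interpolated text instead, e.g. `record.msg = strutils.mask_password(record.getMessage())` followed by `record.args = ()`. The docstring "Demonstrate how to filter sensitive data:" also reads as a leftover from sample code and should say what the filter masks.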
@@ -442,7 +454,9 @@ def getLogger(name=None, project='unknown', version='unknown'):
if name and name.startswith('oslo_'):
name = 'oslo.' + name[5:]
if name not in _loggers:
- _loggers[name] = KeywordArgumentAdapter(logging.getLogger(name),
+ masking_logger = logging.getLogger(name)
+ masking_logger.addFilter(PasswordMaskingFilter())
+ _loggers[name] = KeywordArgumentAdapter(masking_logger, {'project': project, 'version': version})
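Review bot: `masking_logger.addFilter(PasswordMaskingFilter())` in `getLogger` is unconditional, so every logger that any project obtains through oslo.log runs the masking pass on every record. Suggest making it opt-in (a parameter to `getLogger` or a config option) so that only callers handling credentials pay for it. A filter attached to a logger is also applied only to records logged on that logger, not to records propagated up from child loggers, so this covers a library only when the library logs through the object it is handed.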
[2] Used this oslo_logger in masakari while creating novaclient:
The above "LOG" variable is of oslo_logger itself.
The disadvantage of this solution is that it checks every log message for certain password fields, further degrading the performance.
We should pass some info in the log message indicating there is a need to mask the password fields.
Please let me know your opinion about this and also any other solution you have.
Hi all,
I have tried the approach below, which is similar to what Morgan has suggested.
By adding a custom filter in the oslo logger and passing that logger from masakari to python-novaclient while creating its object, I am able to mask the required sensitive information in keystoneauth.
Below are the steps:
[1] I have added a custom PasswordMaskingFilter in oslo_log/log.py.
This filter masks the sensitive information using the oslo_utils "strutils.mask_password" method.
I have added this filter to the oslo logger which we get by calling the "getLogger" method of the oslo_log/log.py module.
diff --git a/oslo_log/log.py b/oslo_log/log.py
index 827a57d..16aade6 100644
--- a/oslo_log/log.py
+++ b/oslo_log/log.py
@@ -40,6 +40,7 @@ except ImportError:
from oslo_config import cfg
from oslo_utils import importutils
+from oslo_utils import strutils
import six
from six import moves
@@ -421,6 +422,17 @@ def get_loggers():
return _loggers.copy()
+class PasswordMasking Filter( logging. Filter) : mask_password( record. msg) name=None, project='unknown', version='unknown'):
+ """Demonstrate how to filter sensitive data:"""
+
+ def filter(self, record):
+ # The call signature matches string interpolation: args can be a tuple
+ # or a lone dict
+
+ # Use oslo_utils password masking method to sanitize data
+ record.msg = strutils.
+ return True
+
+
def getLogger(
"""Build a logger with the given name.
@@ -442,7 +454,9 @@ def getLogger( name=None, project='unknown', version='unknown'): ('oslo_ '): Adapter( logging. getLogger( name), getLogger( name) logger. addFilter( PasswordMasking Filter( )) Adapter( masking_ logger,
{'project' : project,
'version' : version})
if name and name.startswith
name = 'oslo.' + name[5:]
if name not in _loggers:
- _loggers[name] = KeywordArgument
+ masking_logger = logging.
+ masking_
+ _loggers[name] = KeywordArgument
[2] Used this oslo_logger in masakari while creating novaclient:
diff --git a/masakari/ compute/ nova.py b/masakari/ compute/ nova.py compute/ nova.py compute/ nova.py
region_ name=CONF. os_region_ name,
endpoint_ type=endpoint_ type,
cacert= CONF.nova_ ca_certificates _file, nova_extensions ) nova_extensions ,
index 56a12c6..830c5a5 100644
--- a/masakari/
+++ b/masakari/
@@ -119,7 +119,8 @@ def novaclient(context, timeout=None):
- extensions=
+ extensions=
+ logger=LOG)
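Review bot: `logger=LOG` hands novaclient the object returned by oslo.log's `getLogger`, which per the log.py hunk is a `KeywordArgumentAdapter` wrapping the logger and not a `logging.Logger`. Please confirm that the client only uses logging methods the adapter exposes. Masking also now depends on every client-construction call site remembering to pass `logger=LOG`, which deserves a comment at this call.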
The above "LOG" variable is of oslo_logger itself.
The disadvantage of this solution is that it checks every log message for certain password fields, further degrading the performance.
We should pass some info in the log message indicating there is a need to mask the password fields.
Please let me know your opinion about this and also any other solution you have.
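
One way the per-message flag proposed in the closing paragraph could look, as an added example that is not part of the original message or of oslo.log. It assumes a hypothetical record attribute `mask_sensitive` set through `extra`, and `_mask` is a simplified regex stand-in for `strutils.mask_password`.

```python
import logging
import re

# Simplified stand-in for oslo_utils.strutils.mask_password (assumption):
# handles only key=value and 'key': 'value' forms for a few key names.
_SECRET = re.compile(
    r"""(?P<key>(?:password|auth_token|secret)["']?\s*[:=]\s*["']?)"""
    r"""(?P<val>[^"',\s}]+)""", re.IGNORECASE)


def _mask(text):
    return _SECRET.sub(lambda m: m.group("key") + "***", text)


class OptInMaskingFilter(logging.Filter):
    """Mask only records flagged with extra={'mask_sensitive': True}."""

    def filter(self, record):
        if getattr(record, "mask_sensitive", False):
            # Interpolate first so secrets carried in record.args are covered,
            # then clear args so handlers do not format a second time.
            record.msg = _mask(record.getMessage())
            record.args = ()
        return True


class _ListHandler(logging.Handler):
    # Collects the final message text so the result can be inspected.
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def demo():
    logger = logging.getLogger("masking_demo")  # hypothetical logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _ListHandler()
    logger.handlers = [handler]
    logger.filters = [OptInMaskingFilter()]
    body = {"auth": {"password": "s3cr3t"}}  # constructed sample payload
    logger.debug("REQ body: %s", body, extra={"mask_sensitive": True})
    logger.debug("REQ body: %s", body)  # not flagged: regex pass is skipped
    logger.debug("password=%s user=%s", "hunter2", "admin",
                 extra={"mask_sensitive": True})
    return handler.lines
```

Unflagged records skip the regex pass entirely, which is the cost the message is concerned about; the trade-off is that any call site that forgets the flag logs the secret in clear.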