diff --git a/os_brick/__init__.py b/os_brick/__init__.py
index 602a8ccae..e939cd3b9 100644
--- a/os_brick/__init__.py
+++ b/os_brick/__init__.py
@@ -17,6 +17,8 @@ from os_brick import opts
 LOG = logging.getLogger(__name__)
+SECURE_LOG = logging.getLogger('brick-privsep-hide-output')
+SECURE_LOG.setLevel(logging.ERROR)
 def setup(conf, **kwargs):
diff --git a/os_brick/privileged/__init__.py b/os_brick/privileged/__init__.py
index 4fc348c75..cf3513dcb 100644
--- a/os_brick/privileged/__init__.py
+++ b/os_brick/privileged/__init__.py
@@ -33,3 +33,11 @@ default = priv_context.PrivContext(
 capabilities=capabilities,
 logger_name=__name__,
 )
+
+brick_privsep_hide_output = priv_context.PrivContext(
+ __name__,
+ cfg_section='privsep_osbrick',
+ pypath=__name__ + '.default',
+ capabilities=capabilities,
+ logger_name='brick_privsep_hide_output',
+)
diff --git a/os_brick/privileged/scaleio.py b/os_brick/privileged/scaleio.py
index 4b619b45f..15969e939 100644
--- a/os_brick/privileged/scaleio.py
+++ b/os_brick/privileged/scaleio.py
@@ -74,7 +74,7 @@ def rescan_vols(op_code):
 ioctl(fd, op_code, struct.pack('Q', 0))
-@privileged.default.entrypoint
+@privileged.brick_privsep_hide_output.entrypoint
 def get_connector_password(filename, config_group, failed_over):
 """Read ScaleIO connector configuration file and get appropriate password.
diff --git a/releasenotes/notes/bug-2003179-44a6c90dd17c88f7.yaml b/releasenotes/notes/bug-2003179-44a6c90dd17c88f7.yaml
new file mode 100644
index 000000000..a1f3f7334
--- /dev/null
+++ b/releasenotes/notes/bug-2003179-44a6c90dd17c88f7.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ `Bug #2003179 `_: Fixed
+ issue with the ScaleIO connector where privsep was logging
+ password in plaintext. This was fixed by creating a new logger for the
+ ScaleIO connector with default log level set to ERROR.
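Review bot: The logger name in the os_brick/__init__.py hunk, `'brick-privsep-hide-output'` (hyphens), does not match the `logger_name='brick_privsep_hide_output'` (underscores) passed to the new PrivContext in os_brick/privileged/__init__.py, so `SECURE_LOG.setLevel(logging.ERROR)` appears to raise the level on a logger the context never uses. If the context's output is emitted through the logger named by `logger_name`, the password-bearing debug records would still be written at the inherited level. Use one spelling in both places, e.g. `SECURE_LOG = logging.getLogger('brick_privsep_hide_output')`, ideally through a shared constant. It is also worth confirming that a deployment's logging configuration applied after import cannot lower this level again.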
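Review bot: `pypath=__name__ + '.default'` in the new context in os_brick/privileged/__init__.py looks copied from `default` and names the other context object rather than this one. If privsep uses `pypath` to import the context inside the helper process (inferred, confirm against oslo.privsep), the helper would load `default`, whose `logger_name` is `__name__`. The entrypoint moved in scaleio.py could then be rejected as not belonging to that context, or still log through the unsuppressed logger. The line would presumably be `pypath=__name__ + '.brick_privsep_hide_output',`. A short comment above the definition stating that this context exists only for entrypoints whose return values must not reach the logs would also help.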
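Review bot: Nothing at the decorator in the scaleio.py hunk says why this one entrypoint uses a different context, so a later cleanup could switch it back to `privileged.default` and reintroduce the plaintext password in the logs. Add a comment above it such as `# Returns a secret: use the hide-output context so privsep does not log the reply (bug #2003179).` The visible part of the commit has no test asserting that the returned password is absent from captured log output with DEBUG enabled, which would be a useful regression guard. The body of get_connector_password continues outside the hunk.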