Hide credentials in contexts from logs

kajinamit · priteau · commit 23707a39ea61 · 2025-09-13T10:12:24.000Z
Do not record the full context values in plain format, because these may contain sensitive values such as request token. Use the generic mask feature to detect potentially sensitive fields and replace raw values by '***'. Story: 2011523 Task: 52787 Change-Id: Ic997d36ec188b390473437c874085ef9a8c41f2f Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com> (cherry picked from commit 56af015)
diff --git a/cloudkitty/common/policy.py b/cloudkitty/common/policy.py
@@ -23,6 +23,7 @@
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy
 from oslo_utils import excutils
+from oslo_utils import strutils
 
 from cloudkitty.common import policies
 
@@ -108,8 +109,9 @@ def authorize(context, action, target):
     init()
 
     try:
-        LOG.debug('Authenticating user with credentials %(credentials)s',
-                  {'credentials': context.to_dict()})
+        LOG.debug(
+            'Authenticating user with credentials %(credentials)s',
+            {'credentials': strutils.mask_dict_password(context.to_dict())})
         return _ENFORCER.authorize(action, target, context,
                                    do_raise=True,
                                    exc=PolicyNotAuthorized,
@@ -120,9 +122,12 @@ def authorize(context, action, target):
             LOG.exception('Policy not registered')
     except Exception:
         with excutils.save_and_reraise_exception():
-            LOG.error('Policy check for %(action)s failed with credentials '
-                      '%(credentials)s',
-                      {'action': action, 'credentials': context.to_dict()})
+            LOG.error(
+                'Policy check for %(action)s failed with credentials '
+                '%(credentials)s', {
+                    'action': action,
+                    'credentials': strutils.mask_dict_password(
+                        context.to_dict())})
 
 
 def check_is_admin(context):
diff --git a/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml b/releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Previously, cloudkitty-api recorded request token in plain text format when
+    a request does not comply with policy rules or debug log is enabled. This
+    has been fixed and now token is masked in logs.
