When dscreate is executed in verbose mode, it prints Directory Manager's password to stderr. The same happens with dsconf when I change the password.
389-ds-base-1.4.0.19-2.
$ dscreate -v interactive
...
DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'Directory_Manager_Password')
$ dsconf -v localhost directory_manager password_change
...
Enter new directory manager password :
CONFIRM - Enter new directory manager password :
DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'new_password')
The actual value should not be printed in the debug logs. The Python logging module supports filters that should be used to redact sensitive information from the logs.
Metadata Update from @mhonek: - Custom field origin adjusted to QE - Custom field reviewstatus adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1654059
So I think a way to fix this could be in DSLdapObject inside the set function, we can say "if field in <sensitive dataset>" then we display * instead - but in DEBUGGING=True maybe we still display it?
I'm thinking of having a class variable DSLdapObject._sensitive_attributes: List[str] and using it wherever required (for now in DSLdapObject.set()). And yes, DEBUGGING=True should override this.
@mhonek I think this seems like a good approach. I would have done the same, have a class variable of that signature, and then to use it to filter or replace the content with **** or similar.
Metadata Update from @mreynolds: - Issue assigned to mreynolds (was: mhonek)
https://pagure.io/389-ds-base/pull-request/50366
Please review...
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to review (was: None)
One thing I thought I put down but seemingly haven't, was that in the simplest implementation case, we should have a method, e.g. DSLdapObject.display_attr_value(attr, value, hide_sensitive=True) that would handle the displaying and would be used where necessary; that in order to have consistent behaviour across our library. Something like...
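    def display_attr_value(self, attr, value, hide_sensitive=True):
        # Show the real value only when debugging or when hiding is turned off
        if DEBUGGING or not hide_sensitive:
            return value
        # Mask the values of attributes listed in _sensitive_attributes
        if attr.lower() in self._sensitive_attributes:
            return '********'
        return value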
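The logging-filter approach named in the ticket description, combined with the sensitive-attribute list discussed above, as an added example that is not part of the thread or of lib389. It assumes the debug line comes from a call shaped like `log.debug("%s set REPLACE: %r", dn, (attr, value))`; `SENSITIVE_ATTRS`, `SensitiveAttrFilter` and `redact_line` are hypothetical names.

```python
import logging
import re

# Assumed list: only nsslapd-rootpw appears in the ticket; userPassword is illustrative.
SENSITIVE_ATTRS = frozenset({"nsslapd-rootpw", "userpassword"})
MASK = "********"

# Matches ('attr', 'value') as repr() renders a 2-tuple, including b'..' values
# and double-quoted values (repr switches quotes when the value contains ').
_PAIR_RE = re.compile(
    r'''\(\s*'(?P<attr>[^']+)'\s*,\s*(?:b?'(?:[^'\\]|\\.)*'|b?"(?:[^"\\]|\\.)*")\s*\)''')


class SensitiveAttrFilter(logging.Filter):
    """Mask values of sensitive attributes before any handler formats the record."""

    def __init__(self, sensitive=SENSITIVE_ATTRS, debugging=False):
        super().__init__()
        self.sensitive = {a.lower() for a in sensitive}
        self.debugging = debugging  # stands in for the DEBUGGING override in the thread

    def _mask(self, match):
        if match.group("attr").lower() in self.sensitive:
            return "('%s', '%s')" % (match.group("attr"), MASK)
        return match.group(0)

    def filter(self, record):
        if not self.debugging:
            # Render msg % args first so values passed as arguments are covered,
            # then drop args so the secret is not kept on the record object.
            record.msg = _PAIR_RE.sub(self._mask, record.getMessage())
            record.args = ()
        return True  # never drop the record, only rewrite it


def redact_line(fmt, *args, debugging=False):
    """Run one constructed DEBUG record through the filter and return its text."""
    record = logging.LogRecord("demo", logging.DEBUG, "demo.py", 0, fmt, args, None)
    SensitiveAttrFilter(debugging=debugging).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample input modelled on the output quoted in the ticket.
    print(redact_line("%s set REPLACE: %r", "cn=config", ("nsslapd-rootpw", "new_password")))
```

Attach the filter to the handlers rather than to a single logger: logger-level filters are not applied to records that propagate up from child loggers.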
@mhonek Another option is to wrap / over-load the str/unicode method on the str we return. But that could be complex ....
commit 632ecb9
64a784f..1bb8882 389-ds-base-1.4.0 -> 389-ds-base-1.4.0
Metadata Update from @mreynolds: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/3310
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)