Bug #62095
openceph/rgw beast logs expose user secret keys
Description
When a user is created or modified, or their access/secret key pairs are created or modified through the admin API, the whole URI that contains the secret key is faithfully logged. This behavior creates a potential security risk, since anyone who has access to these logs would gain access to those users' bucket content.
For example:
2023-07-19T12:42:02.359-0400 7fe12f6ae700 1 beast: 0x7fe2ad6db970: 127.0.0.1 - repuser [19/Jul/2023:12:42:02.326 -0400] "PUT /admin/user?format=json&uid=test_user7&display-name=Test%20User7&email=tuser7@linode-test.comx%x%key-type=s3&access-key=123456&secret-key=098765&user-caps=usage=read,write;%20users=read&generate-key=False&suspended=False HTTP/1.1" 200 673 - "python-requests/2.31.0" - latency=0.033000052s
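The following is an added example, not code from the Ceph project or from this report: a small scanner that detects beast access-log lines whose request URI carries credential-bearing admin API parameters, and produces a redacted copy of the line suitable for retention or forwarding. The parameter names `access-key` and `secret-key` are taken from the example request above; the second, benign sample line is constructed for contrast. Only the parameter values are masked, so the rest of the line stays byte-identical for correlation.

```python
import re

# Query parameters of the RGW admin API that carry credentials, taken from the
# example request in the report above.
SENSITIVE_PARAMS = ("secret-key", "access-key")

# The quoted request line inside a beast access-log entry: "METHOD URI HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)"')

# A sensitive key=value pair in a query string. Group 1 keeps the leading
# separator and the key, so only the value is replaced during redaction.
_SENSITIVE_PAIR = re.compile(
    r'(?i)([?&](?:' + '|'.join(map(re.escape, SENSITIVE_PARAMS)) + r')=)[^&\s"]*'
)

# Constructed sample input: the first line is the entry quoted in the report,
# the second is a made-up benign request that must not be flagged.
SAMPLE_LINES = [
    '2023-07-19T12:42:02.359-0400 7fe12f6ae700 1 beast: 0x7fe2ad6db970: 127.0.0.1 - repuser '
    '[19/Jul/2023:12:42:02.326 -0400] "PUT /admin/user?format=json&uid=test_user7'
    '&display-name=Test%20User7&email=tuser7@linode-test.comx%x%key-type=s3'
    '&access-key=123456&secret-key=098765&user-caps=usage=read,write;%20users=read'
    '&generate-key=False&suspended=False HTTP/1.1" 200 673 - "python-requests/2.31.0" '
    '- latency=0.033000052s',
    '2023-07-19T12:43:10.001-0400 7fe12f6ae700 1 beast: 0x7fe2ad6db970: 127.0.0.1 - repuser '
    '[19/Jul/2023:12:43:09.990 -0400] "GET /admin/user?format=json&uid=test_user7 HTTP/1.1" '
    '200 512 - "python-requests/2.31.0" - latency=0.010000000s',
]


def find_leaked_params(uri: str) -> list[str]:
    """Return the names of credential-bearing query parameters present in uri, in order."""
    # group(1) is e.g. "&secret-key="; strip the separator and the '='.
    return [m.group(1)[1:-1].lower() for m in _SENSITIVE_PAIR.finditer(uri)]


def redact_uri(uri: str, mask: str = "[REDACTED]") -> str:
    """Replace the value of every sensitive query parameter, leaving everything else intact."""
    return _SENSITIVE_PAIR.sub(lambda m: m.group(1) + mask, uri)


def scan_log_line(line: str) -> dict:
    """Inspect one beast log line.

    Returns {"leaked": [param names], "redacted": line with those values masked}.
    Lines without a request line, or without sensitive parameters, are returned unchanged.
    """
    m = REQUEST_LINE.search(line)
    if not m:
        return {"leaked": [], "redacted": line}
    uri = m.group("uri")
    leaked = find_leaked_params(uri)
    if not leaked:
        return {"leaked": [], "redacted": line}
    redacted = line[: m.start("uri")] + redact_uri(uri) + line[m.end("uri"):]
    return {"leaked": leaked, "redacted": redacted}


def scan_log(lines):
    """Yield (1-based line number, leaked parameter names) for each exposing line."""
    for n, line in enumerate(lines, start=1):
        result = scan_log_line(line)
        if result["leaked"]:
            yield n, result["leaked"]


if __name__ == "__main__":
    for n, leaked in scan_log(SAMPLE_LINES):
        print(f"line {n}: credential parameters logged in clear: {', '.join(leaked)}")
    print("redacted copy of line 1:")
    print(scan_log_line(SAMPLE_LINES[0])["redacted"])
```

Running the scanner over an existing log file (or wiring `scan_log_line` into the log shipper) finds the affected entries after the fact; the durable fix is for RGW not to write these values in the first place, since anything that reached disk may already have been copied elsewhere.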