Bug #41320
Updated by Sebastian Wagner over 4 years ago
Currently the dashboard is storing the following sensitive information in plain text logs:

- Dashboard user names, passwords and roles. -> handled in #37503
> log_channel(audit) log [DBG] : from='client.4126 -' entity='client.admin' cmd=[{"username": "admin", "rolename": "administrator", "prefix": "dashboard ac-user-create", "password": "admin"}]
- RGW API keys:
> cmd=[{"prefix": "dashboard set-rgw-api-access-key", "target": ["mgr", ""], "value": "<real_key>"}]
> cmd=[{"prefix": "dashboard set-rgw-api-secret-key", "target": ["mgr", ""], "value": "<real_key>"}]
- JWT tokens:
> "JWT Token: <real_token>"

This information should be redacted from the logs. While access to logs could be limited to privileged users, this is considered insecure (even with hashed passwords).
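One way to redact the three kinds of entries listed above before they reach a log handler, as an added example that is not Ceph's code or the fix referenced in this ticket. The names `redact` and `RedactingFilter`, the mask string and the choice of `password` as the only always-secret argument are assumptions made for illustration.

```python
import json
import logging
import re

MASK = "<redacted>"                      # assumption: placeholder written to the log
SECRET_KEYS = {"password"}               # assumption: arguments that are secret in any command
# Commands from the report whose "value" argument carries the secret.
# A tuple, so that an unhashable "prefix" cannot raise during the lookup.
SECRET_VALUE_PREFIXES = (
    "dashboard set-rgw-api-access-key",
    "dashboard set-rgw-api-secret-key",
)
CMD_RE = re.compile(r"cmd=(\[.*\])")     # greedy: "target" holds a nested list
JWT_RE = re.compile(r'(JWT Token: )[^"\s]+')


def _redact_cmd(match):
    """Parse the JSON command list and mask its secret arguments."""
    try:
        cmds = json.loads(match.group(1))
    except ValueError:
        return "cmd=" + MASK             # fail closed on an unparseable payload
    for cmd in cmds:
        if not isinstance(cmd, dict):
            continue
        for key in SECRET_KEYS & cmd.keys():
            cmd[key] = MASK
        if cmd.get("prefix") in SECRET_VALUE_PREFIXES and "value" in cmd:
            cmd["value"] = MASK
    return "cmd=" + json.dumps(cmds)


def redact(line):
    """Mask command secrets and JWT tokens in one log line."""
    return JWT_RE.sub(r"\1" + MASK, CMD_RE.sub(_redact_cmd, line))


class RedactingFilter(logging.Filter):
    """Logging filter that redacts the fully formatted message."""

    def filter(self, record):
        # Format first so secrets passed as %-style args are covered too.
        record.msg, record.args = redact(record.getMessage()), None
        return True
```

Attaching the filter to each handler with `handler.addFilter(RedactingFilter())` applies it to every record that handler emits, including records propagated from child loggers.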