Passwords with " not properly masked in --debug output for the openstack client

Solution In Progress - Updated -


  • When --debug is used, secret information is masked but user with a " (double quote) character in the password is not properly masked when showing debug output with the python3-openstackclient 4.0.1 client. It shows the " character followed by the rest of the characters in the password.

  • Because the openstackclient uses strutils.mask_password from oslo_utils, we assume from here that this would also be the case in other code.

  • Here is an example:

$ openstack --debug server list

START with options: --debug server list
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='GN1', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', system_scope='', timing=False, token='***', trust_id='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {'auth_url': '', 'username': '', 'password': '***"qD*^Z]@F$9)~>', 'user_domain_name': 'Default', 'project_domain_name': 'Default', 'project_name': ''}, 'region_name': '', 'identity_api_version': '3', 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'cloud': '', 'default_domain': 'default', 'timing': False, 'beta_command': False, 'auth_type': 'password', 'networks': []}


  • Red Hat OpenStack Platform 16.1 (RHOSP)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content