[PATCH 09/11] virStorageBackendRBDOpenRADOSConn: Don't log the RBD key

'virStorageBackendRBDRADOSConfSet' logs its arguments but it's also
used to set the RBD secret/key.

All the security theatre with securely erasing the string we do to fetch
the secret would be quite pointless if we log it, thus introduce
virStorageBackendRBDRADOSConfSetQuiet and use it to avoid logging the
password.

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/storage/storage_backend_rbd.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/storage/storage_backend_rbd.c b/src/storage/storage_backend_rbd.c
index 52407f8e6f..05b2c43f79 100644
--- a/src/storage/storage_backend_rbd.c
+++ b/src/storage/storage_backend_rbd.c
@@ -161,12 +161,10 @@ virStoragePoolDefRBDNamespaceFormatXML(virBuffer *buf,


 static int
-virStorageBackendRBDRADOSConfSet(rados_t cluster,
-                                 const char *option,
-                                 const char *value)
+virStorageBackendRBDRADOSConfSetQuiet(rados_t cluster,
+                                      const char *option,
+                                      const char *value)
 {
-    VIR_DEBUG("Setting RADOS option '%s' to '%s'",
-              option, value);
     if (rados_conf_set(cluster, option, value) < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("failed to set RADOS option: %s"),
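Review bot: virStorageBackendRBDRADOSConfSetQuiet has no comment saying why it must stay silent about 'value', so a later debugging change could put the VIR_DEBUG back and leak the key again. Please add a short comment above the function stating that it is used for secret values and must not log 'value'. While here, the virReportError at the end of this hunk is now the only output on this path; its argument is cut off by the hunk boundary, so it is worth confirming that the %s is filled with 'option' and never with 'value'.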
@@ -177,6 +175,19 @@ virStorageBackendRBDRADOSConfSet(rados_t cluster,
     return 0;
 }

+
+static int
+virStorageBackendRBDRADOSConfSet(rados_t cluster,
+                                 const char *option,
+                                 const char *value)
+{
+    VIR_DEBUG("Setting RADOS option '%s' to '%s'",
+              option, value);
+
+    return virStorageBackendRBDRADOSConfSetQuiet(cluster, option, value);
+}
+
+
 static int
 virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
                                   virStoragePoolDef *def)
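Review bot: the re-added virStorageBackendRBDRADOSConfSet still passes 'value' to VIR_DEBUG for every option, and nothing in the wrapper stops a future caller from handing it "key" or another secret-bearing option. A comment on the wrapper saying it must only be used for non-secret options, pointing at the Quiet variant for the rest, would make the split between the two functions explicit for anyone adding a new rados_conf_set call.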
@@ -222,7 +233,8 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
         rados_key = g_base64_encode(secret_value, secret_value_size);
         virSecureErase(secret_value, secret_value_size);

-        rc = virStorageBackendRBDRADOSConfSet(ptr->cluster, "key", rados_key);
+        VIR_DEBUG("Setting RADOS option 'key'");
+        rc = virStorageBackendRBDRADOSConfSetQuiet(ptr->cluster, "key", rados_key);
         virSecureEraseString(rados_key);

         if (rc < 0)
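Review bot: the new call to virStorageBackendRBDRADOSConfSetQuiet runs to 83 columns; wrapping the arguments onto a continuation line would keep it in line with the rest of the function. The ordering itself looks right: the debug message names only the option, and virSecureEraseString(rados_key) still runs before the rc check, so the encoded key is wiped on both the success and the failure path.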
-- 
2.38.1



