[PATCH 09/11] virStorageBackendRBDOpenRADOSConn: Don't log the RBD key

Peter Krempa pkrempa at redhat.com
Fri Dec 9 16:29:01 UTC 2022


'virStorageBackendRBDRADOSConfSet' logs its arguments, but it's also
used to set the RBD secret/key.

All the security theatre with securely erasing the string we do to fetch
the secret would be quite pointless if we log it, thus introduce
virStorageBackendRBDRADOSConfSetQuiet and use it to avoid logging the
password.

Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 src/storage/storage_backend_rbd.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/storage/storage_backend_rbd.c b/src/storage/storage_backend_rbd.c
index 52407f8e6f..05b2c43f79 100644
--- a/src/storage/storage_backend_rbd.c
+++ b/src/storage/storage_backend_rbd.c
@@ -161,12 +161,10 @@ virStoragePoolDefRBDNamespaceFormatXML(virBuffer *buf,


 static int
-virStorageBackendRBDRADOSConfSet(rados_t cluster,
-                                 const char *option,
-                                 const char *value)
+virStorageBackendRBDRADOSConfSetQuiet(rados_t cluster,
+                                      const char *option,
+                                      const char *value)
 {
-    VIR_DEBUG("Setting RADOS option '%s' to '%s'",
-              option, value);
     if (rados_conf_set(cluster, option, value) < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("failed to set RADOS option: %s"),
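Review bot: The error path of virStorageBackendRBDRADOSConfSetQuiet is the other place where the key could reach a log, and the arguments of its `virReportError` call fall outside this hunk. The format string `failed to set RADOS option: %s` has one placeholder; please confirm it is filled with `option` and never `value`, since this helper now exists specifically to carry secret material. A short comment above the function, such as `/* Sets a RADOS option without logging @value; use this for secrets. */`, would record that contract. The function body continues past the end of the hunk.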
@@ -177,6 +175,19 @@ virStorageBackendRBDRADOSConfSet(rados_t cluster,
     return 0;
 }

+
+static int
+virStorageBackendRBDRADOSConfSet(rados_t cluster,
+                                 const char *option,
+                                 const char *value)
+{
+    VIR_DEBUG("Setting RADOS option '%s' to '%s'",
+              option, value);
+
+    return virStorageBackendRBDRADOSConfSetQuiet(cluster, option, value);
+}
+
+
 static int
 virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
                                   virStoragePoolDef *def)
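Review bot: The re-added virStorageBackendRBDRADOSConfSet still prints `value` verbatim at debug level, and nothing in the new code tells a future caller that this makes it unsuitable for credentials. I would add a comment above it, for example `/* Logs @value: never pass secret material here, use virStorageBackendRBDRADOSConfSetQuiet() instead. */`. Without that, keeping the key out of the logs depends on every caller remembering to pick the right variant.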
@@ -222,7 +233,8 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
         rados_key = g_base64_encode(secret_value, secret_value_size);
         virSecureErase(secret_value, secret_value_size);

-        rc = virStorageBackendRBDRADOSConfSet(ptr->cluster, "key", rados_key);
+        VIR_DEBUG("Setting RADOS option 'key'");
+        rc = virStorageBackendRBDRADOSConfSetQuiet(ptr->cluster, "key", rados_key);
         virSecureEraseString(rados_key);

         if (rc < 0)
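Review bot: Only the literal `"key"` call is switched to the Quiet variant here, and the rest of virStorageBackendRBDOpenRADOSConn lies outside the hunk, so any other options it sets presumably still go through the logging wrapper. If any of those values come from the pool definition and can carry credential-like data, they would still show up in debug logs and are worth auditing in the same series. The ordering visible in the hunk is sound: `virSecureEraseString(rados_key)` runs before the `rc < 0` check, so the encoded key is wiped on the failure path as well.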
-- 
2.38.1


