auth: cephx: increase log levels when logging secrets

We understand that logging secrets may be useful when debugging the root
causes for auth issues. However, logging secrets is far from a good idea.
Therefore, just increase the log levels to a high enough value so that
most other debug infos can be obtained without even logging the secrets.
If one really wants to log the secrets, then setting --debug-auth 30 should
do the trick.

Fixes: #3361
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 1440b2c2b9f1cc72320aa93e7d3ed6d98177d955..c3e4f9cfdc1f6f71199fc489309ef0ae17ff1bc2 100644 (file)
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -46,7 +46,7 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 
   secret_id = riter->first;
   secret = riter->second;
-  ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id)
+  ldout(cct, 30) << "get_service_secret service " << ceph_entity_type_name(service_id)
           << " id " << secret_id << " " << secret << dendl;
   return true;
 }
@@ -77,12 +77,13 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 
   if (riter == secrets.secrets.end()) {
     ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id)
-            << " secret " << secret_id << " not found; i have:" << dendl;
+            << " secret " << secret_id << " not found" << dendl;
+    ldout(cct, 30) << " I have:" << dendl;
     for (map<uint64_t, ExpiringCryptoKey>::const_iterator iter =
             secrets.secrets.begin();
         iter != secrets.secrets.end();
         ++iter)
-      ldout(cct, 10) << " id " << iter->first << " " << iter->second << dendl;
+      ldout(cct, 30) << " id " << iter->first << " " << iter->second << dendl;
     return false;
   }
 
@@ -170,7 +171,7 @@ bool KeyServer::_check_rotating_secrets()
 
 void KeyServer::_dump_rotating_secrets()
 {
-  ldout(cct, 10) << "_dump_rotating_secrets" << dendl;
+  ldout(cct, 30) << "_dump_rotating_secrets" << dendl;
   for (map<uint32_t, RotatingSecrets>::iterator iter = data.rotating_secrets.begin();
        iter != data.rotating_secrets.end();
        ++iter) {
@@ -178,7 +179,7 @@ void KeyServer::_dump_rotating_secrets()
     for (map<uint64_t, ExpiringCryptoKey>::iterator mapiter = key.secrets.begin();
         mapiter != key.secrets.end();
         ++mapiter)
-      ldout(cct, 10) << "service " << ceph_entity_type_name(iter->first)
+      ldout(cct, 30) << "service " << ceph_entity_type_name(iter->first)
                     << " id " << mapiter->first
                     << " key " << mapiter->second << dendl;
   }
@@ -203,7 +204,8 @@ int KeyServer::_rotate_secret(uint32_t service_id)
     }
     ek.expiration += ttl;
     uint64_t secret_id = r.add(ek);
-    ldout(cct, 10) << "_rotate_secret adding " << ceph_entity_type_name(service_id)
+    ldout(cct, 10) << "_rotate_secret adding " << ceph_entity_type_name(service_id) << dendl;
+    ldout(cct, 30) << "_rotate_secret adding " << ceph_entity_type_name(service_id)
                   << " id " << secret_id << " " << ek
                   << dendl;
     added++;

diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index 9c262634e7be1bbcad04c94400deb4cedc505be2..34f31f70c72387e6dc64bb9265a4d9428f38b92e 100644 (file)
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
@@ -118,7 +118,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct,
     }
     ::encode(blob, service_ticket_bl);
 
-    ldout(cct, 20) << "service_ticket_blob is ";
+    ldout(cct, 30) << "service_ticket_blob is ";
     service_ticket_bl.hexdump(*_dout);
     *_dout << dendl;