From: Joao Eduardo Luis
Date: Fri, 23 Nov 2012 14:06:38 +0000 (+0000)
Subject: auth: cephx: increase log levels when logging secrets
X-Git-Tag: v0.55~57^2~3
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=deabdc8a105639675a9fbafbcf0319c3bae8917e;p=ceph.git
auth: cephx: increase log levels when logging secrets
We understand that logging secrets may be useful when debugging the root causes for auth issues. However, logging secrets is far from a good idea. Therefore, just increase the log levels to a high enough value so that most other debug infos can be obtained without even logging the secrets. If one really wants to log the secrets, then setting --debug-auth 30 should do the trick.
Fixes: #3361
Signed-off-by: Joao Eduardo Luis
---
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 1440b2c2b9f1..c3e4f9cfdc1f 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -46,7 +46,7 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 secret_id = riter->first;
 secret = riter->second;
- ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id)
+ ldout(cct, 30) << "get_service_secret service " << ceph_entity_type_name(service_id)
 << " id " << secret_id << " " << secret << dendl;
 return true;
 }
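Review bot: Moving the whole statement to level 30 also hides the service name and `secret_id`, which are identifiers rather than key material and are what an operator needs at debug-auth 10 to see which key was selected. The `_rotate_secret` hunk later in this file splits its message in two, and the same split fits here: `ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id) << " id " << secret_id << dendl;` followed by a level-30 line that adds `secret`. The "I have:" loop in the second `get_service_secret` hunk has the same issue, since the ids (`iter->first`) could stay at 10 with only `iter->second` behind 30. The function body starts outside the hunk.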
@@ -77,12 +77,13 @@ bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
 if (riter == secrets.secrets.end()) {
 ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id)
- << " secret " << secret_id << " not found; i have:" << dendl;
+ << " secret " << secret_id << " not found" << dendl;
+ ldout(cct, 30) << " I have:" << dendl;
 for (map::const_iterator iter = secrets.secrets.begin(); iter != secrets.secrets.end(); ++iter)
- ldout(cct, 10) << " id " << iter->first << " " << iter->second << dendl;
+ ldout(cct, 30) << " id " << iter->first << " " << iter->second << dendl;
 return false;
 }
@@ -170,7 +171,7 @@ bool KeyServer::_check_rotating_secrets()
 void KeyServer::_dump_rotating_secrets()
 {
- ldout(cct, 10) << "_dump_rotating_secrets" << dendl;
+ ldout(cct, 30) << "_dump_rotating_secrets" << dendl;
 for (map::iterator iter = data.rotating_secrets.begin(); iter != data.rotating_secrets.end(); ++iter) {
@@ -178,7 +179,7 @@ void KeyServer::_dump_rotating_secrets()
 for (map::iterator mapiter = key.secrets.begin(); mapiter != key.secrets.end(); ++mapiter)
- ldout(cct, 10) << "service " << ceph_entity_type_name(iter->first)
+ ldout(cct, 30) << "service " << ceph_entity_type_name(iter->first)
 << " id " << mapiter->first << " key " << mapiter->second << dendl;
 }
@@ -203,7 +204,8 @@ int KeyServer::_rotate_secret(uint32_t service_id)
 }
 ek.expiration += ttl;
 uint64_t secret_id = r.add(ek);
- ldout(cct, 10) << "_rotate_secret adding " << ceph_entity_type_name(service_id)
+ ldout(cct, 10) << "_rotate_secret adding " << ceph_entity_type_name(service_id) << dendl;
+ ldout(cct, 30) << "_rotate_secret adding " << ceph_entity_type_name(service_id)
 << " id " << secret_id << " " << ek << dendl;
 added++;
diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc
index 9c262634e7be..34f31f70c723 100644
--- a/src/auth/cephx/CephxProtocol.cc
+++ b/src/auth/cephx/CephxProtocol.cc
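Review bot: Nothing in `_dump_rotating_secrets` records why its two `ldout` calls use 30 while the non-secret messages in this file use 10, so a later edit can lower one of them or add a new key-printing line at the usual level without noticing. A comment above the function would pin the convention, for example `// Prints key material: every ldout in here stays at level 30 (secrets only), see #3361.` The same bare `30` appears in the other hunks of this commit; a named constant for the secrets level, if the dout macros accept one, would make those sites easy to find. Logs captured with debug-auth at 30 contain the keys themselves and need the same access control as the keyring. The function spans this hunk and the next one.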
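Review bot: The new level-10 line in `_rotate_secret` drops `secret_id`, which is an identifier rather than key material and is the value needed to match this rotation against later `get_service_secret` lookups. It can stay at the lower level: `ldout(cct, 10) << "_rotate_secret adding " << ceph_entity_type_name(service_id) << " id " << secret_id << dendl;`. At debug-auth 30 both statements fire, so the same prefix is written twice per rotation; the level-30 line could carry just the id and `ek`. The enclosing function continues outside the hunk.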
@@ -118,7 +118,7 @@ bool cephx_build_service_ticket_reply(CephContext *cct,
 }
 ::encode(blob, service_ticket_bl);
- ldout(cct, 20) << "service_ticket_blob is ";
+ ldout(cct, 30) << "service_ticket_blob is ";
 service_ticket_bl.hexdump(*_dout);
 *_dout << dendl;
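Review bot: Only the first of the three statements names the level, so a reader has to know that `ldout` opens a scope which `dendl` closes to see that `service_ticket_bl.hexdump(*_dout)` is gated at 30 as well; the use of `_dout` on the following lines suggests this, but the macro is not visible here. A short comment would make the intent explicit and keep a later refactor from moving the hexdump outside the gate: `// hexdump of the ticket blob belongs to the level-30 (secrets) entry; keep it between ldout and dendl`. The enclosing function starts and ends outside the hunk.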