virStorageBackendRBDOpenRADOSConn: Don't log the RBD key

'virStorageBackendRBDRADOSConfSet' logs its arguments but it's also used to set the RBD secret/key. All the security theatre with securely erasing the string we do to fetch the secret would be quite pointless if we log it thus introduce virStorageBackendRBDRADOSConfSetQuiet and use it to avoid logging the password. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2024-10-05 22:05:47 +00:00 · 2022-12-09 16:49:12 +01:00 · 2022-12-09 16:49:12 +01:00 · 6d661329dd
commit 6d661329dd
parent 7df6338f4d
1 changed files with 18 additions and 6 deletions
--- a/src/storage/storage_backend_rbd.c
+++ b/src/storage/storage_backend_rbd.c
@ -161,12 +161,10 @@ virStoragePoolDefRBDNamespaceFormatXML(virBuffer *buf,


 static int
-virStorageBackendRBDRADOSConfSet(rados_t cluster,
-                                 const char *option,
-                                 const char *value)
+virStorageBackendRBDRADOSConfSetQuiet(rados_t cluster,
+                                      const char *option,
+                                      const char *value)
 {
-    VIR_DEBUG("Setting RADOS option '%s' to '%s'",
-              option, value);
    if (rados_conf_set(cluster, option, value) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("failed to set RADOS option: %s"),
@ -177,6 +175,19 @@ virStorageBackendRBDRADOSConfSet(rados_t cluster,
    return 0;
 }

+
+static int
+virStorageBackendRBDRADOSConfSet(rados_t cluster,
+                                 const char *option,
+                                 const char *value)
+{
+    VIR_DEBUG("Setting RADOS option '%s' to '%s'",
+              option, value);
+
+    return virStorageBackendRBDRADOSConfSetQuiet(cluster, option, value);
+}
+
+
 static int
 virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
                                  virStoragePoolDef *def)
@ -222,7 +233,8 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
        rados_key = g_base64_encode(secret_value, secret_value_size);
        virSecureErase(secret_value, secret_value_size);

-        rc = virStorageBackendRBDRADOSConfSet(ptr->cluster, "key", rados_key);
+        VIR_DEBUG("Setting RADOS option 'key'");
+        rc = virStorageBackendRBDRADOSConfSetQuiet(ptr->cluster, "key", rados_key);
        virSecureEraseString(rados_key);

        if (rc < 0)