On Tue, Nov 15, 2011 at 05:05:27PM -0700, Eric Blake wrote:
On 10/31/2011 07:29 PM, Josh Durgin wrote:
> From: Sage Weil <sage(a)newdream.net>
> + if (sec) {
> + char *base64 = NULL;
> +
> + secret = (char *)conn->secretDriver->getValue(sec,
&secret_size, 0,
> +
VIR_SECRET_GET_VALUE_INTERNAL_CALL);
> + if (secret == NULL) {
> + qemuReportError(VIR_ERR_INTERNAL_ERROR,
> + _("could not get the value of the secret for
username %s"),
> + disk->auth.username);
> + goto error;
> + }
> + /* qemu/librbd wants it base64 encoded */
> + base64_encode_alloc(secret, secret_size, &base64);
> + if (!base64) {
> + virReportOOMError();
> + goto error;
> + }
> + virBufferEscape(opt, ":", ":key=%s:auth_supported=cephx
none",
> + base64);
> + VIR_FREE(base64);
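
Review bot: `base64` holds the encoded key and is released with `VIR_FREE(base64)` without being wiped first, and nothing in the visible lines wipes or frees `secret` either, including on the `goto error` taken when `base64_encode_alloc()` leaves `base64` NULL. Suggest clearing both buffers before they are freed (for `secret`, over `secret_size` bytes) and checking that the `error` path does the same. The key is also formatted into `opt`, so it stays in the clear in that buffer for as long as the buffer lives.
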
The command line that we pass to qemu gets logged. But what happens if
the secret was marked as ephemeral - could we be violating the premise
of not exposing passwords to too broad an audience? Or are we already
safe in that the log entries created by virCommand can only be exposed
to users that already can get at the secret information by other means?

Maybe this means we should be adding capabilities into virCommand to
prevent the logging of the actual secret (whether base64-encoded or
otherwise), and instead log an alternate string? That is, should
virCommand be tracking parallel argv arrays; the real array passed to
exec() but never logged, and the alternate array (normally matching the
real one, but which can differ in this particular case of passing an
argument that contains a password)?

The passing of secrets on the command line is just a temporary hack
we're doing to prove the overall handling of passwords for Ceph. The
real plan is to set them via monitor command in QEMU, but we're just
waiting for some QEMU work before changing libvirt to do that.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
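
The parallel-argv idea raised in the quoted review, as an added example that is not libvirt's virCommand code or anything posted in this thread. The struct and function names are hypothetical, and the pool/image name and key are constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ARGS 16

/* Hypothetical builder, not libvirt's virCommand: argv is for exec(), logv for the log. */
struct cmd {
    const char *argv[MAX_ARGS + 1];
    const char *logv[MAX_ARGS + 1];
    int argc;
};

/* log_form replaces arg in the log; NULL means arg is safe to log as-is. */
static int cmd_add(struct cmd *c, const char *arg, const char *log_form)
{
    if (c->argc >= MAX_ARGS)
        return -1;
    c->argv[c->argc] = arg;
    c->logv[c->argc++] = log_form ? log_form : arg;
    c->argv[c->argc] = c->logv[c->argc] = NULL; /* exec()-style terminator */
    return 0;
}

/* Join the log-safe array into buf; returns -1 if it does not fit. */
static int cmd_log_line(const struct cmd *c, char *buf, size_t len)
{
    size_t used = 0;
    for (int i = 0; i < c->argc; i++) {
        int n = snprintf(buf + used, len - used, "%s%s", i ? " " : "", c->logv[i]);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

static int demo(struct cmd *c, char *line, size_t len)
{
    memset(c, 0, sizeof(*c)); /* constructed input: pool/image and key are made up */
    if (cmd_add(c, "qemu", NULL) || cmd_add(c, "-drive", NULL) ||
        cmd_add(c, "file=rbd:pool/image:key=Q09OU1RSVUNURUQ=:auth_supported=cephx none",
                "file=rbd:pool/image:key=<redacted>:auth_supported=cephx none"))
        return -1;
    return cmd_log_line(c, line, len);
}

int main(void)
{
    char line[256]; struct cmd c;
    return demo(&c, line, sizeof(line)) == 0 && puts(line) >= 0 ? 0 : 1;
}
```

This keeps the key out of the log only; the real argv is still readable by anything that can see the process's command line.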