rgw: use trace logs for RGW admin HTTP info

Debug logs for the RGW Admin Ops debugHTTPClient can leak credentials used to access the Admin Ops API as well as credentials that may be returned for any buckets/users. Use trace logs instead, which users are unlikely to enable in production to mitigate the risk. Signed-off-by: Blaine Gardner <blaine.gardner@redhat.com>
rook · Oct 7, 2021 · f339737 · f339737
1 parent 2fdfb9c
commit f339737
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/pkg/operator/ceph/object/admin.go b/pkg/operator/ceph/object/admin.go
@@ -72,7 +72,8 @@ func (c *debugHTTPClient) Do(req *http.Request) (*http.Response, error) {
 	if err != nil {
 		return nil, err
 	}
-	c.logger.Debugf("\n%s\n", string(dump))
+	// this can leak credentials for making requests
+	c.logger.Tracef("\n%s\n", string(dump))
 
 	resp, err := c.client.Do(req)
 	if err != nil {
@@ -84,7 +85,8 @@ func (c *debugHTTPClient) Do(req *http.Request) (*http.Response, error) {
 	if err != nil {
 		return nil, err
 	}
-	c.logger.Debugf("\n%s\n", string(dump))
+	// this can leak any sensitive info like credentials in the response
+	c.logger.Tracef("\n%s\n", string(dump))
 
 	return resp, nil
 }