From f339737f83381c0db42140d4a6d4406d4a4e2d09 Mon Sep 17 00:00:00 2001
From: Blaine Gardner
Date: Thu, 7 Oct 2021 15:13:51 -0600
Subject: [PATCH] rgw: use trace logs for RGW admin HTTP info

Debug logs for the RGW Admin Ops debugHTTPClient can leak credentials used to access the Admin Ops API as well as credentials that may be returned for any buckets/users. Use trace logs instead, which users are unlikely to enable in production to mitigate the risk.

Signed-off-by: Blaine Gardner
---
 pkg/operator/ceph/object/admin.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/operator/ceph/object/admin.go b/pkg/operator/ceph/object/admin.go
index 250c10f11750..f4eb40ba1692 100644
--- a/pkg/operator/ceph/object/admin.go
+++ b/pkg/operator/ceph/object/admin.go
@@ -72,7 +72,8 @@ func (c *debugHTTPClient) Do(req *http.Request) (*http.Response, error) {
 if err != nil {
 return nil, err
 }
- c.logger.Debugf("\n%s\n", string(dump))
+ // this can leak credentials for making requests
+ c.logger.Tracef("\n%s\n", string(dump))

 resp, err := c.client.Do(req)
 if err != nil {
@@ -84,7 +85,8 @@ func (c *debugHTTPClient) Do(req *http.Request) (*http.Response, error) {
 if err != nil {
 return nil, err
 }
- c.logger.Debugf("\n%s\n", string(dump))
+ // this can leak any sensitive info like credentials in the response
+ c.logger.Tracef("\n%s\n", string(dump))

 return resp, nil
 }
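Review bot: The request dump passed to `c.logger.Tracef` in Do is still logged unredacted, so the credentials the commit message describes reach the log whenever trace logging is enabled; the level change lowers the likelihood but does not remove the exposure. The same holds for the response dump in the second hunk, which can carry keys returned for buckets or users. Masking sensitive request headers such as `Authorization`, and omitting or masking the response body, before the dump is formatted would make the output safe at any level. The statements that build `dump` lie outside both hunks, so it cannot be confirmed from here whether the dump is still computed when trace is off; if it is, guarding that work on the log level would avoid holding secrets in memory needlessly. The two new comments could also state the constraint for future maintainers, e.g. `// Trace only: the dump contains request credentials; do not raise this to Debug or above.`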