Stop leaking secrets in the logs

Change-Id: I9cb75ddaa8334a09727610889ca32a9a415481fd
2020-11-05 11:46:28 +01:00 · 2020-11-05 11:46:28 +01:00 · 81fdd34d12
commit 81fdd34d12
parent cd09ecfd04
2 changed files with 17 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -38,7 +38,7 @@ Then add a relation to the ceph-mon application:

 **Notes**:

-* Deploying four ceph-iscsi units is theoretical possible but it is not an
+* Deploying four ceph-iscsi units is theoretically possible but it is not an
  officially supported configuration.

 * The ceph-iscsi application cannot be containerised.
--- a/src/gwcli_client.py
+++ b/src/gwcli_client.py
@ -8,9 +8,23 @@ class GatewayClient():

    def run(self, path, cmd):
        _cmd = ['gwcli', path]
+        # NOTE(lourot): we don't print the full command here as it might
+        # contain secrets.
+        logging.info(' '.join(_cmd) + ' ...')
        _cmd.extend(cmd.split())
-        logging.info(_cmd)
-        subprocess.check_call(_cmd)
+
+        error_msg = None
+        try:
+            subprocess.check_output(_cmd, stderr=subprocess.PIPE)
+        except subprocess.CalledProcessError as e:
+            error_msg = 'gwcli failed with {}'.format(e.returncode)
+            logging.error(error_msg)
+            logging.error('stdout: {}'.format(e.stdout))
+            logging.error('stderr: {}'.format(e.stderr))
+
+        if error_msg:
+            # NOTE(lourot): we re-raise another free-of-secrets exception:
+            raise RuntimeError(error_msg)

    def create_target(self, iqn):
        self.run(