Password config options should be marked secret

If passwords are not marked secret, there is the potential for
them to be logged in a world readable location.

Link to the OSSG guideline (may change in the future):
https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/sensitive_config_file_options.md

Oslo.config descriptions:
http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions

SecImpact

Change-Id: I6d5c80b7610d593fdd331c726039f1456d2c5bf7

diff --git a/neutron/plugins/cisco/db/l3/device_handling_db.py b/neutron/plugins/cisco/db/l3/device_handling_db.py
index da5c90ef48d4c05b48c9852881012499377bf9d1..e8c3a8187f286082736268f75e0aa258ad945dcf 100644 (file)
--- a/neutron/plugins/cisco/db/l3/device_handling_db.py
+++ b/neutron/plugins/cisco/db/l3/device_handling_db.py
@@ -77,7 +77,7 @@ CSR1KV_OPTS = [
                       'becomes operational.')),
     cfg.StrOpt('csr1kv_username', default='stack',
                help=_('Username to use for CSR1kv configurations.')),
-    cfg.StrOpt('csr1kv_password', default='cisco',
+    cfg.StrOpt('csr1kv_password', default='cisco', secret=True,
                help=_('Password to use for CSR1kv configurations.'))
 ]