comet-ml / issue-tracking

Questions, Help, and Issues for Comet ML
https://www.comet.ml

Comet-ml logging environment variables set in conda virtual environment #474

Closed weiji14 closed 11 months ago

weiji14 commented 2 years ago

Describe the Bug

As of comet-ml version 3.27.0 released 24 Feb 2022 (https://www.comet.ml/docs/python-sdk/releases/#release-3270), conda packages, channels and configurations are logged as Experiment assets. Understandably, this is to ensure reproducibility of the software environment, but I was surprised to see that sensitive API tokens were uploaded as well. I've had to revoke/refresh several of my keys/tokens, but wanted to point out that this can be a security concern.

Expected behavior

There should be a way to disable logging of environment variables set in conda's environment.yml, while still being able to log the dependency list. I've had a look under https://www.comet.ml/docs/python-sdk/advanced/#experiment-configuration-parameters and couldn't see an obvious way to do so, but maybe I'm missing something.

To Reproduce

Steps to reproduce the behavior:

Specifically, the issue is when a user has a conda environment.yml with the variables set like so, see also https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#setting-environment-variables:

name: env-name
channels:
  - conda-forge
  - defaults
dependencies:
  - python=3.9
  - pip:
    - comet-ml
variables:
  COMET_API_KEY: AbCdEfGhIjKlMnOpQr
  OTHER_API_TOKEN: StUvWxYz123456789

When running an experiment within that activated conda-environment, comet-ml>=3.27.0 would automatically upload a conda-environment.yml file under the Assets -> Other tab like so:

name: env-name
channels:
  - conda-forge
dependencies:
  - python=3.9.9=h62f1059_0_cpython
  - pip:
    - comet-ml==3.30.0
variables:
  COMET_API_KEY: AbCdEfGhIjKlMnOpQr
  OTHER_API_TOKEN: StUvWxYz123456789
prefix: /home/username/miniconda/envs/env-name

Note that the API keys/tokens were uploaded as well, thereby exposing potentially sensitive information.

Additional context

Current workaround might be to pin to comet-ml=3.26.1. Or perhaps I should just store those environment variables in another location, but I wanted to point this out in case others face the same issue.
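One way to get what the issue asks for, keeping the dependency list while dropping the `variables:` block (and the host-specific `prefix:`) before the environment file is logged as an asset: a stdlib-only scrubber you can run over the exported environment file yourself. This is an added example, not code from the issue or from the comet-ml SDK; the sample YAML is constructed from the issue's placeholder values, and the function and constant names are mine.

```python
import re

# Constructed sample: what comet-ml >= 3.27.0 uploads for the environment.yml
# in the issue (values are placeholders, not real tokens).
SAMPLE_CONDA_YAML = """\
name: env-name
channels:
  - conda-forge
dependencies:
  - python=3.9.9=h62f1059_0_cpython
  - pip:
    - comet-ml==3.30.0
variables:
  COMET_API_KEY: AbCdEfGhIjKlMnOpQr
  OTHER_API_TOKEN: StUvWxYz123456789
prefix: /home/username/miniconda/envs/env-name
"""

# Top-level keys of a conda environment file that carry secrets or local
# paths rather than dependency information (assumed set, extend as needed).
SENSITIVE_TOP_LEVEL_KEYS = ("variables", "prefix")
SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD)", re.IGNORECASE)


def scrub_conda_env(yaml_text, drop_keys=SENSITIVE_TOP_LEVEL_KEYS):
    """Return (scrubbed_yaml, dropped_variable_names).

    Works line by line on the top-level keys of a conda environment file, so
    no YAML library is needed: a top-level key is a non-indented line of the
    form 'key:' or 'key: value', and every indented line below it belongs to
    it. Sections named in drop_keys are removed whole, so 'dependencies' and
    'channels' survive while 'variables' and 'prefix' never leave the host.
    """
    kept, dropped_vars = [], []
    skipping = False
    for line in yaml_text.splitlines():
        top_level = bool(line.strip()) and not line[0].isspace()
        if top_level:
            skipping = line.split(":", 1)[0].strip() in drop_keys
        if skipping:
            # Record variable names only (never their values) so the caller
            # can audit which settings would have leaked without the scrub.
            if not top_level and ":" in line:
                dropped_vars.append(line.split(":", 1)[0].strip())
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped_vars


def looks_like_secret(name):
    """Heuristic: flag variable names that conventionally hold credentials."""
    return bool(SECRET_NAME_RE.search(name))
```

Running `scrub_conda_env(SAMPLE_CONDA_YAML)` on the constructed sample returns the file with only `name`, `channels` and `dependencies` left, and reports `COMET_API_KEY` and `OTHER_API_TOKEN` as the variables that were withheld.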

DN6 commented 2 years ago

Thank you for bringing this to our attention @weiji14. I will check with the SDK team to see how we can avoid logging sensitive information in these yml files.

github-actions[bot] commented 11 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 11 months ago

This issue was closed because it has been stalled for 5 days with no activity.