elastic / rally

Macrobenchmarking framework for Elasticsearch
Apache License 2.0
37 stars 314 forks source link

Elasticsearch cluster authentication credentials can leak into rally.log #1862

Closed inqueue closed 4 months ago

inqueue commented 4 months ago

Elasticsearch authentication credentials can leak into rally.log when using the --kill-running-processes CLI argument and there is a running process to kill. Rally should not leak basic authentication credentials or API keys to rally.log.

Problem code line

Example log

2024-06-27 09:54:12,866 -not-actor-/PID:1698183 esrally.utils.process INFO Killing lingering process with PID [1696855] and command line [['/home/user/.conda/envs/rally/bin/python', '/home/user/.conda/envs/rally/bin/esrally', 'race', '--track-path=.', '--pipeline=benchmark-only', '--target-hosts=https://10.13.31.10:9200', "--client-options=basic_auth_user:'elastic',basic_auth_password:'TheLeakedPassword',use_ssl:true,verify_certs:false,timeout:60", '--kill-running-processes']].