flant / curator-opensearch

Curator for OpenSearch.

Hide passwords in debug logs #3

Closed faabsen closed 1 year ago

faabsen commented 2 years ago

Currently, passwords are shown on info level (https://github.com/uzhinskiy/curator-opensearch/blob/main/curator/utils.py#L1053). Even in DEBUG mode, they should be hidden. See: https://github.com/elastic/curator/pull/1359

Is this project still maintained?

Cheers, Fabian

uzhinskiy commented 2 years ago

Hi. Can you please provide some examples to start debug?

aschi1 commented 1 year ago

Hi, they are shown even at the default log level. If you just try to set up a connection to an OpenSearch that is password-protected, you will see curator logs the user and password it's using in plaintext.

faabsen commented 1 year ago

@aschi1 is right, just use a basic HTTP auth connection - at the info level the password is shown in clear text. Elastic has fixed this with: https://github.com/elastic/curator/commit/f33c6f33e5681b6b0bd0b0a9aa1296a5abd69cc7

jgough commented 1 year ago

@faabsen Are you specifying the password as part of the URL? i.e. http://username:password@host

The fix from Elastic that you link to removes the password from various fields elsewhere in the logs but not the kwargs = output you mention in your initial report. That code is already present in this repo anyway. That code would not remove passwords from URLs anyway.

I specify credentials under username and password and they do not appear in the logs for me, so I do not encounter this issue:

```yaml
client:
  hosts:
    - http://opensearch1
    - http://opensearch2
    - http://opensearch3
  port: 9200
  url_prefix:
  use_ssl: False
  certificate:
  client_cert:
  client_key:
  ssl_no_validate: False
  username: ${CURATOR_USERNAME}
  password: ${CURATOR_PASSWORD}
```

aschi1 commented 1 year ago

@jgough Yes we specify the credentials the same way but they are visible in curator logs anyways. This is the workaround we implemented for it (basically discarding any logs with level INFO)

```yaml
client:
  hosts:
    - opensearch-masters
  port: 9200
  use_ssl: True
  username: ${ELASTIC_USER}
  password: ${ELASTIC_PASSWORD}
logging:
  loglevel: CRITICAL
```

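
The thread raises two distinct leaks: the `kwargs = {...}` line from the initial report, which dumps the client arguments (including `password`) at INFO, and, as jgough points out, credentials embedded in the host URL (`http://username:password@host`), which the linked Elastic fix does not cover either. Dropping everything below CRITICAL, as in the workaround above, hides the secret but also hides the operational logs. The example below is an added illustration and not code from curator-opensearch or Elastic's curator: a standard-library `logging.Filter` that masks both shapes before a record reaches any handler, plus a helper that scrubs a kwargs dict before it is ever passed to the logger. The log line formats, the key names (`password`, `http_auth`) and all sample values are constructed for the example.

```python
import logging
import re

# Credentials embedded in a URL: "scheme://user:secret@host" -> keep scheme and user, mask the secret.
_URL_CRED_RE = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<user>[^:/@\s]+):(?P<pw>[^@/\s]+)@"
)
# Password-like keys inside a repr()'d dict, e.g. 'password': 'secret' or 'http_auth': ('u', 'p').
_KV_RE = re.compile(
    r"(?P<key>['\"](?:password|http_auth)['\"]\s*:\s*)(?P<val>\([^)]*\)|['\"][^'\"]*['\"])"
)
# Keys assumed (for this example) to hold secrets in a client kwargs dict.
SENSITIVE_KEYS = {"password", "http_auth"}


def redact(text: str) -> str:
    """Mask URL-embedded credentials and password-like dict entries in a rendered log line."""
    text = _URL_CRED_RE.sub(r"\g<scheme>\g<user>:***@", text)
    return _KV_RE.sub(r"\g<key>'***'", text)


def redact_kwargs(kwargs: dict) -> dict:
    """Return a copy of a client kwargs dict safe to log: secrets masked, host URLs scrubbed."""
    out = {}
    for key, value in kwargs.items():
        if key in SENSITIVE_KEYS:
            out[key] = "***"
        elif key == "hosts" and isinstance(value, list):
            out[key] = [redact(str(h)) for h in value]
        else:
            out[key] = value
    return out


class RedactingFilter(logging.Filter):
    """Render the record once, scrub it, and drop the args so no handler can re-expand the raw values."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected without a file."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo() -> list:
    """Log two constructed lines in the shapes discussed in the thread and return what a handler saw."""
    logger = logging.getLogger("curator-redact-example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # a handler-level filter covers every record it emits
    logger.handlers = [handler]

    # Constructed sample client arguments; "hunter2" stands in for a real secret.
    kwargs = {
        "hosts": ["http://admin:hunter2@opensearch1"],
        "port": 9200,
        "username": "admin",
        "password": "hunter2",
        "http_auth": ("admin", "hunter2"),
    }
    logger.debug("kwargs = %s", kwargs)
    logger.info("Connecting to %s", "https://admin:hunter2@opensearch2:9200")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attaching the filter to the handler rather than the logger means records from any logger routed through that handler are scrubbed, which matters when a third-party client library does its own logging. The regexes are deliberately narrow (a handful of key names, credentials only in the `user:secret@` URL position), so review them against the actual key names your configuration uses before relying on this as the only control; `redact_kwargs` is the safer first step because it keeps the secret out of the log record entirely.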
jgough commented 1 year ago

I still do not see any passwords myself appearing in logs with level INFO with credentials set with username and password. Are you able to provide a (sufficiently redacted) copy of your log file that contains these? This would probably help debug what you are seeing.

uzhinskiy commented 1 year ago

Closed in v0.0.6 https://github.com/uzhinskiy/curator-opensearch/pull/11

aschi1 commented 1 year ago

@uzhinskiy Thanks for your work. Any approximate time when the 0.0.6 version will be released?

uzhinskiy commented 1 year ago

@aschi1: Hi. Released - https://pypi.org/project/curator-opensearch/0.0.6/