Closed faabsen closed 1 year ago
Hi. Can you please provide some examples to start debugging?
Hi, they are shown even at the default log level. If you just try to set up a connection to opensearch that is password protected, you will see that curator logs the user and password it's using in plaintext.
@aschi1 is right, just use a basic http auth connection - in the info level the password is shown in clear text. Elastic has fixed this with: https://github.com/elastic/curator/commit/f33c6f33e5681b6b0bd0b0a9aa1296a5abd69cc7
@faabsen Are you specifying the password as part of the URL? i.e. http://username:password@host
The fix from Elastic that you link to removes the password from various fields elsewhere in the logs but not the kwargs = output you mention in your initial report. That code is already present in this repo anyway. That code would not remove passwords from URLs anyway.
I am specifying credentials under username and password and they do not appear in the logs for me, so I do not encounter this issue:

    client:
      hosts:
        - http://opensearch1
        - http://opensearch2
        - http://opensearch3
      port: 9200
      url_prefix:
      use_ssl: False
      certificate:
      client_cert:
      client_key:
      ssl_no_validate: False
      username: ${CURATOR_USERNAME}
      password: ${CURATOR_PASSWORD}

@jgough Yes, we specify the credentials the same way but they are visible in curator logs anyways. This is the workaround we implemented for it (basically discarding any logs with level INFO):

    client:
      hosts:
        - opensearch-masters
      port: 9200
      use_ssl: True
      username: ${ELASTIC_USER}
      password: ${ELASTIC_PASSWORD}
    logging:
      loglevel: CRITICAL

I still do not see any passwords myself appearing in logs with level INFO with credentials set with username and password. Are you able to provide a (sufficiently redacted) copy of your log file that contains these? This would probably help debug what you are seeing.
Closed in v0.0.6 https://github.com/uzhinskiy/curator-opensearch/pull/11
@uzhinskiy Thanks for your work. Any approximate time when the 0.0.6 version will be released?
@aschi1: Hi. Released - https://pypi.org/project/curator-opensearch/0.0.6/
Currently, passwords are shown on info level (https://github.com/uzhinskiy/curator-opensearch/blob/main/curator/utils.py#L1053). Even in DEBUG mode, they should be hidden. See: https://github.com/elastic/curator/pull/1359
Is this project still maintained?
Cheers, Fabian
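
For readers who cannot upgrade yet and do not want to drop INFO logging entirely, a handler-level `logging.Filter` can mask credentials before any line is written. This is an added example, not code from curator-opensearch or from the fix in the linked pull request; the key names (`password`, `http_auth`, `api_key`), the logger name and the sample `kwargs` line are assumptions constructed for illustration.

```python
import io
import logging
import re

MASK = "REDACTED"
# scheme://user:password@host  ->  scheme://REDACTED@host
URL_USERINFO = re.compile(r"""([a-z][a-z0-9+.-]*://)[^/\s:@'",]+:[^/\s@'",]+@""", re.I)
# 'password': '...' or http_auth=('user', 'pass') as they appear in a repr'd dict.
# The key names are assumptions; extend the list to match your client kwargs.
KEY_VALUE = re.compile(
    r"""(['"]?(?:password|http_auth|api_key)['"]?\s*[:=]\s*)"""
    r"""(?:\([^)]*\)|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^\s,})]+)""",
    re.I,
)

def scrub(text: str) -> str:
    """Mask URL userinfo and the values of sensitive keys in a log line."""
    text = URL_USERINFO.sub(r"\1" + MASK + "@", text)
    return KEY_VALUE.sub(r"\1" + MASK, text)

class RedactCredentials(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so secrets passed as arguments are caught,
        # then freeze the scrubbed text so no formatter sees the original.
        record.msg = scrub(record.getMessage())
        record.args = None
        return True

def demo() -> str:
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactCredentials())  # on the handler, so child loggers are covered
    log = logging.getLogger("redaction_demo")  # hypothetical logger name
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    # Constructed sample, not real curator output.
    kwargs = {"hosts": ["http://admin:s3cret@opensearch1"],
              "http_auth": ("admin", "s3cret"), "password": "s3cret", "port": 9200}
    log.info("kwargs = {0}".format(kwargs))  # pre-formatted string
    log.info("kwargs = %s", kwargs)          # lazy %-style arguments
    return stream.getvalue()

if __name__ == "__main__":
    print(demo())
```

The filter is attached to the handler rather than to a logger because logger-level filters are not applied to records that propagate up from child loggers.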