Open andrwng opened 2 years ago
Background: the reason I didn't do the config property secrets this way was that one still needs all the careful handling for when we have unparsed YAML values in hand, even if the inner type of the property<> was a secret<>. But we should still use the secret<> to protect the values as they propagate deeper into the system.
As a developer trying to understand how sensitive information passes through Redpanda today, it is time consuming to audit the codebase for references to things that look like secrets. As a developer writing code that leverages sensitive information, it's easy to unintentionally expose secrets in logs. As a whole, we rely on stringent code review to ensure secrets don't get leaked. It'd be nice if there were a stronger mechanism built into the codebase to make it difficult to mishandle secrets and make it easy to audit for improper handling.
One approach would be to use the C++ type system to define a `secret<>` class that wraps sensitive information. By default, such a class would be redacted, e.g. with an `operator<<` that prints `****`, and with explicit secret unwrapping when the contents of the secret are actually used.

JIRA Link: CORE-932
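As an added illustration of the proposal above (example code written here, not Redpanda's own implementation), the sketch below shows a hypothetical `secret<T>` wrapper: streaming it prints `****`, there is no implicit conversion back to `T`, and the only way to read the value is an explicit `expose()` call, so every use site can be found with a grep. The `tls_config` struct, `render_config` and `open_connection` are made-up helpers standing in for code that would log or consume a credential.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <type_traits>
#include <utility>

// Hypothetical secret<T> wrapper (added example, not Redpanda code).
// The wrapped value is never written through operator<<; callers must
// call expose() explicitly to get at the underlying data.
template <typename T>
class secret {
public:
    secret() = default;
    explicit secret(T value) : value_(std::move(value)) {}

    // Explicit unwrapping: the single audit point for raw access.
    const T& expose() const noexcept { return value_; }

    // Equality without exposing, so credentials can be compared
    // (e.g. "did the config change?") without pulling the value out.
    bool operator==(const secret& other) const { return value_ == other.value_; }
    bool operator!=(const secret& other) const { return !(*this == other); }

private:
    T value_;
};

// Redacted stream output: prints **** regardless of T, so a secret that
// accidentally ends up in a log line cannot leak its contents.
template <typename T>
std::ostream& operator<<(std::ostream& os, const secret<T>&) {
    return os << "****";
}

// No implicit conversion back to the raw type: `std::string s = sec;`
// does not compile, which forces the explicit expose() call.
static_assert(!std::is_convertible<secret<std::string>, std::string>::value,
              "secret<T> must not convert implicitly to T");

// Constructed config struct standing in for a real settings object.
struct tls_config {
    std::string key_file;
    secret<std::string> key_password;
};

// A logging helper that formats the whole config. Because key_password is
// a secret<>, the password is redacted without the author doing anything.
std::string render_config(const tls_config& cfg) {
    std::ostringstream os;
    os << "key_file=" << cfg.key_file << " key_password=" << cfg.key_password;
    return os.str();
}

// The one place the raw password is needed: the call to expose() is
// explicit and easy to find during review or audit.
std::string open_connection(const tls_config& cfg) {
    const std::string& raw = cfg.key_password.expose();
    return "handshake with key " + cfg.key_file + " (" +
           std::to_string(raw.size()) + "-char password)";
}

int main() {
    // Constructed sample value; not a real credential.
    tls_config cfg{"/etc/redpanda/certs/node.key", secret<std::string>("hunter2")};
    std::cout << render_config(cfg) << '\n';   // password shown as ****
    std::cout << open_connection(cfg) << '\n'; // raw value used only here
    return 0;
}
```

The useful property is the asymmetry: the safe path (logging, formatting, equality) needs no thought from the caller, while the unsafe path requires a named call that reviewers can search for. A `fmt::formatter` specialisation would be needed for the same behaviour under libfmt-style formatting, which the sketch omits.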