mayurah
commented
5 years ago @bcheezum This is by design, there's least you can do to have more security, i.e. hashing of password or something. Also, note that password is not cleartext, but encoded/obscured (not encrypted).
Link that you've shared states BasicAuth (which is Base64), and OAuth (would not work for all situation).
This is the the case with ODBC driver as well, if you could share your use case, maybe someone can provide better way to use this.
Some hygiene:
- Do not share Url with others (let others have their own Url)
- Always use valid HTTPS for both Splunk REST and WDC Connector
Note that this project is run by contributors and there may not be anything that one can do, unless say someone introduces a third-party Vault to manage secret. Let me know if you have any better suggestion, someone from community can chime in and work on it.
hyphus
The query parameter contains (effectively) plain text credentials. As most Splunk instances within an Enterprise use Active Directory authentication, this is a pretty big security risk.
The query parameter will show up in logs and can trivially be decoded. Additionally people may share this URL not realizing their credentials are included.
At a minimum there should be a big warning about credentials being exposed in plain text but ideally this would use a more secure authentication method. The WDC SDK has support for multiple authentication methods.
http://tableau.github.io/webdataconnector/docs/wdc_authentication