Closed Yisaer closed 4 years ago
@nolouch @disksing @rleungx @HunDunDM @lhy1024 WDYT? or any other advices?
LGTM. In addition to the key, what else do we need to hide, such as topology?
Can we log sha1 instead? At least we can know if the key is changed.
@disksing It's ok to me. And from https://github.com/pingcap/tidb/pull/19409, I found that tidb directly replace the key by '?'. Maybe we should unify the action.
IMO, ?
is no meaning for PD.
I think use hash instead of ?
can provide more info without leaking user information. But we need to inquire about the compliance.
After discussion with tikv/tidb group, currently we will omit the region key information if log-redact is enabled.
Development Task
To reinforce the security in the PD, one thing we need to do is to do the log desensitization.
Here are some examples we need to hide from the logs in my view:
region key in logs like following:
etcd key and value in logs like following:
store label key and value in logs like following:
placement rule key and value in logs like following:
We will add a new configuration like "enable-log-desensitization"(default false). If this configuration is enabled, the sensitive information won't appear on the previous log.