Secure_vault is exposed in command of an operation

ytsaurus / ytsaurus

YTsaurus is a scalable and fault-tolerant open-source big data platform.

https://ytsaurus.tech

Apache License 2.0

1.82k stars 126 forks source link

Secure_vault is exposed in command of an operation #780

Open Krock21 opened 1 month ago

Krock21 commented 1 month ago

Running a command like yt map --spec '{secure_vault={my_secret=secret}}' --src '//tmp/a' --dst '//tmp/b' --input-format yson --output-format yson cat exposes secure_vault in specification.command field of the operation in UI

Screenshot 2024-08-14 at 14 37 21

There are multiple ways to solve it, either on server or client(CLI) side

savnadya commented 1 month ago

Hi! Yes, it's not a good idea to pass secrets via command line. You can use YT_SPEC environment to specify secure vault. Example: https://github.com/ytsaurus/ytsaurus/blob/main/yt/python/yt/wrapper/tests/test_misc.py#L207

denvr commented 4 weeks ago

I think we should still show full command, but with masked values in secure_vault