[jira] [Commented] (FLINK-10363) S3 FileSystem factory prints secrets into logs
[ https://issues.apache.org/jira/browse/FLINK-10363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16623330#comment-16623330 ] Steve Loughran commented on FLINK-10363: see WHIRR-642 for this same issue; it's easy to do. For that one I had to google for every whirr log entry & notify at least two people they'd accidentally shared their secrets. Luckily that was the era before bitcoin miners scanned the internet for AWS keys > S3 FileSystem factory prints secrets into logs > -- > > Key: FLINK-10363 > URL: https://issues.apache.org/jira/browse/FLINK-10363 > Project: Flink > Issue Type: Bug > Components: FileSystem >Reporter: Stephan Ewen >Assignee: Stephan Ewen >Priority: Critical > Fix For: 1.7.0, 1.6.2 > > > The file system factory logs all values it applies from the flink > configuration. > That frequently includes access keys, which should not leak into logs. > The loader should only log the keys, not the values. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (FLINK-10363) S3 FileSystem factory prints secrets into logs
[ https://issues.apache.org/jira/browse/FLINK-10363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16622284#comment-16622284 ] Stephan Ewen commented on FLINK-10363: -- There was some generic config value printing in 1.6.0 on debug level, but this has been removed. > S3 FileSystem factory prints secrets into logs > -- > > Key: FLINK-10363 > URL: https://issues.apache.org/jira/browse/FLINK-10363 > Project: Flink > Issue Type: Bug > Components: FileSystem >Reporter: Stephan Ewen >Assignee: Stephan Ewen >Priority: Critical > Fix For: 1.7.0, 1.6.2 > > > The file system factory logs all values it applies from the flink > configuration. > That frequently includes access keys, which should not leak into logs. > The loader should only log the keys, not the values. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (FLINK-10363) S3 FileSystem factory prints secrets into logs
[ https://issues.apache.org/jira/browse/FLINK-10363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16622263#comment-16622263 ] Steve Loughran commented on FLINK-10363: Stephan: we went to a lot of effort to not log AWS secrets in the S3A code. Tell me you haven't been printing them. FWIW, all the sensitive values are listed here: https://github.com/steveloughran/cloudstore/blob/master/src/main/java/org/apache/hadoop/fs/store/diag/S3ADiagnosticsInfo.java#L40 if anyone puts user:pass in the URL then even the path becomes sensitive, which is why users are told off for doing that, and why the feature has finally been turned off. > S3 FileSystem factory prints secrets into logs > -- > > Key: FLINK-10363 > URL: https://issues.apache.org/jira/browse/FLINK-10363 > Project: Flink > Issue Type: Bug > Components: FileSystem >Reporter: Stephan Ewen >Assignee: Stephan Ewen >Priority: Critical > Fix For: 1.7.0, 1.6.2 > > > The file system factory logs all values it applies from the flink > configuration. > That frequently includes access keys, which should not leak into logs. > The loader should only log the keys, not the values. -- This message was sent by Atlassian JIRA (v7.6.3#76005)