Re: Plain text SSL passwords in Log file
Hi,
i have the same problem with flink 1.3.1 and i created jira
https://issues.apache.org/jira/browse/FLINK-9100 ( i saw that you wrote
about my jira in your jira :)).
For now to avoid printing password in log in logback.xml i configure
that class GlobalConfiguration is logged only to separate file not to
global log file. I thin that you also set to log to /dev/null.
But in my opinion it is enough to log to separate file that is not send
to another machine because in that case password is still visible in
configuration file.
Regards
Szymon Szczypiński
On 29.03.2018 16:29, Vinay Patil wrote:
I have created FLINK-9111
<https://issues.apache.org/jira/browse/FLINK-9111> as this is not
handled in the latest code of GlobalConfiguration.
Regards,
Vinay Patil
On Thu, Mar 29, 2018 at 8:33 AM, Vinay Patil <mailto:vinay18.pa...@gmail.com>> wrote:
Hi,
If this is not part of Flink 1.5 or not handled in latest 1.4.2
release, I can open a JIRA. Should be a small change.
What do you think ?
Regards,
Vinay Patil
On Wed, Mar 28, 2018 at 4:11 PM, Vinay Patil
mailto:vinay18.pa...@gmail.com>> wrote:
Hi Greg,
I am not concerned with flink-conf.yaml file, we have taken
care of the passwords there by replacing them with
placeholders. We are picking the passwords from our vault.
The main issue is that Flink is printing these passwords in
plain text in log file. It should be simple check to not print
the ssl passwords .
Regards,
Vinay Patil
On Wed, Mar 28, 2018 at 3:53 PM, Greg Hogan
mailto:c...@greghogan.com>> wrote:
With the current method you always have the risk, no
matter which keywords you filter on ("secret", "password",
etc.), that the key name is mistyped and inadvertently logged.
Perhaps we could implement something like TravisCI's
encryption keys
[https://docs.travis-ci.com/user/encryption-keys/
<https://docs.travis-ci.com/user/encryption-keys/>] at a
cost of added complexity.
On Wed, Mar 28, 2018 at 4:38 PM, Vinay Patil
mailto:vinay18.pa...@gmail.com>>
wrote:
Hi,
I see plain text SSL passwords in log file (printed by
GlobalConfiguration) , because of which we cannot
deploy our pipeline to NR environment.
I am able to avoid this by having ERROR log level for
this class but the security team still think it is a risk.
Is this taken care in the new release ? (I am using
Flink 1.3.2)
Regards,
Vinay Patil
Re: Plain text SSL passwords in Log file
I have created FLINK-9111 <https://issues.apache.org/jira/browse/FLINK-9111> as
this is not handled in the latest code of GlobalConfiguration.
Regards,
Vinay Patil
On Thu, Mar 29, 2018 at 8:33 AM, Vinay Patil
wrote:
> Hi,
>
> If this is not part of Flink 1.5 or not handled in latest 1.4.2 release, I
> can open a JIRA. Should be a small change.
>
> What do you think ?
>
> Regards,
> Vinay Patil
>
> On Wed, Mar 28, 2018 at 4:11 PM, Vinay Patil
> wrote:
>
>> Hi Greg,
>>
>> I am not concerned with flink-conf.yaml file, we have taken care of the
>> passwords there by replacing them with placeholders. We are picking the
>> passwords from our vault.
>>
>> The main issue is that Flink is printing these passwords in plain text in
>> log file. It should be simple check to not print the ssl passwords .
>>
>> Regards,
>> Vinay Patil
>>
>> On Wed, Mar 28, 2018 at 3:53 PM, Greg Hogan wrote:
>>
>>> With the current method you always have the risk, no matter which
>>> keywords you filter on ("secret", "password", etc.), that the key name is
>>> mistyped and inadvertently logged.
>>>
>>> Perhaps we could implement something like TravisCI's encryption keys [
>>> https://docs.travis-ci.com/user/encryption-keys/] at a cost of added
>>> complexity.
>>>
>>> On Wed, Mar 28, 2018 at 4:38 PM, Vinay Patil
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I see plain text SSL passwords in log file (printed by
>>>> GlobalConfiguration) , because of which we cannot deploy our pipeline to NR
>>>> environment.
>>>>
>>>> I am able to avoid this by having ERROR log level for this class but
>>>> the security team still think it is a risk.
>>>>
>>>> Is this taken care in the new release ? (I am using Flink 1.3.2)
>>>>
>>>> Regards,
>>>> Vinay Patil
>>>>
>>>
>>>
>>
>
Re: Plain text SSL passwords in Log file
Hi,
If this is not part of Flink 1.5 or not handled in latest 1.4.2 release, I
can open a JIRA. Should be a small change.
What do you think ?
Regards,
Vinay Patil
On Wed, Mar 28, 2018 at 4:11 PM, Vinay Patil
wrote:
> Hi Greg,
>
> I am not concerned with flink-conf.yaml file, we have taken care of the
> passwords there by replacing them with placeholders. We are picking the
> passwords from our vault.
>
> The main issue is that Flink is printing these passwords in plain text in
> log file. It should be simple check to not print the ssl passwords .
>
> Regards,
> Vinay Patil
>
> On Wed, Mar 28, 2018 at 3:53 PM, Greg Hogan wrote:
>
>> With the current method you always have the risk, no matter which
>> keywords you filter on ("secret", "password", etc.), that the key name is
>> mistyped and inadvertently logged.
>>
>> Perhaps we could implement something like TravisCI's encryption keys [
>> https://docs.travis-ci.com/user/encryption-keys/] at a cost of added
>> complexity.
>>
>> On Wed, Mar 28, 2018 at 4:38 PM, Vinay Patil
>> wrote:
>>
>>> Hi,
>>>
>>> I see plain text SSL passwords in log file (printed by
>>> GlobalConfiguration) , because of which we cannot deploy our pipeline to NR
>>> environment.
>>>
>>> I am able to avoid this by having ERROR log level for this class but the
>>> security team still think it is a risk.
>>>
>>> Is this taken care in the new release ? (I am using Flink 1.3.2)
>>>
>>> Regards,
>>> Vinay Patil
>>>
>>
>>
>
Re: Plain text SSL passwords in Log file
Hi Greg,
I am not concerned with flink-conf.yaml file, we have taken care of the
passwords there by replacing them with placeholders. We are picking the
passwords from our vault.
The main issue is that Flink is printing these passwords in plain text in
log file. It should be simple check to not print the ssl passwords .
Regards,
Vinay Patil
On Wed, Mar 28, 2018 at 3:53 PM, Greg Hogan wrote:
> With the current method you always have the risk, no matter which keywords
> you filter on ("secret", "password", etc.), that the key name is mistyped
> and inadvertently logged.
>
> Perhaps we could implement something like TravisCI's encryption keys [
> https://docs.travis-ci.com/user/encryption-keys/] at a cost of added
> complexity.
>
> On Wed, Mar 28, 2018 at 4:38 PM, Vinay Patil
> wrote:
>
>> Hi,
>>
>> I see plain text SSL passwords in log file (printed by
>> GlobalConfiguration) , because of which we cannot deploy our pipeline to NR
>> environment.
>>
>> I am able to avoid this by having ERROR log level for this class but the
>> security team still think it is a risk.
>>
>> Is this taken care in the new release ? (I am using Flink 1.3.2)
>>
>> Regards,
>> Vinay Patil
>>
>
>
Re: Plain text SSL passwords in Log file
With the current method you always have the risk, no matter which keywords
you filter on ("secret", "password", etc.), that the key name is mistyped
and inadvertently logged.
Perhaps we could implement something like TravisCI's encryption keys [
https://docs.travis-ci.com/user/encryption-keys/] at a cost of added
complexity.
On Wed, Mar 28, 2018 at 4:38 PM, Vinay Patil
wrote:
> Hi,
>
> I see plain text SSL passwords in log file (printed by
> GlobalConfiguration) , because of which we cannot deploy our pipeline to NR
> environment.
>
> I am able to avoid this by having ERROR log level for this class but the
> security team still think it is a risk.
>
> Is this taken care in the new release ? (I am using Flink 1.3.2)
>
> Regards,
> Vinay Patil
>
Plain text SSL passwords in Log file
Hi, I see plain text SSL passwords in log file (printed by GlobalConfiguration) , because of which we cannot deploy our pipeline to NR environment. I am able to avoid this by having ERROR log level for this class but the security team still think it is a risk. Is this taken care in the new release ? (I am using Flink 1.3.2) Regards, Vinay Patil
