br: redact secret strings when logging arguments #57593

Merged
merged 1 commit into from
Nov 21, 2024

@kennytm kennytm commented Nov 21, 2024

What problem does this PR solve?

Issue Number: close #57585

Problem Summary: Some values from the command line are not properly redacted.

What changed and how does it work?

In addition to the existing handling for --storage, we also apply redaction to the following parameters:

  • --full-backup-storage
  • --crypter.key
  • --log.crypter.key
  • --azblob.encryption-key
  • --master-key (the current implementation of this may be too conservative)

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No need to test
    • I checked and no code files have been changed.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

When invoking BR in command line with secret keys passed directly from arguments, they are no longer printed as plaintext in the log.
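
The redaction described in this PR, sketched as an added Go example that is not BR's own code: the flag names come from the list above, while `secretFlags`, `mask`, `redactValue` and `RedactArgs` are hypothetical names. It assumes storage flags carry a URL whose query string holds the credentials, and it covers both the `--flag=value` and `--flag value` forms.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Flags from the PR description; true = storage URL (assumed), false = raw key.
var secretFlags = map[string]bool{"--storage": true, "--full-backup-storage": true,
	"--crypter.key": false, "--log.crypter.key": false,
	"--azblob.encryption-key": false, "--master-key": false}
const mask = "REDACTED" // hypothetical placeholder text

// redactValue hides the value of a secret flag; other flags pass through.
func redactValue(flag, val string) string {
	isURL, secret := secretFlags[flag]
	if !secret {
		return val
	}
	u, err := url.Parse(val)
	if !isURL || err != nil {
		return mask // raw key, or unparsable storage value: fail closed
	}
	if u.RawQuery != "" {
		u.RawQuery = mask // credentials assumed to travel as query parameters
	}
	return u.String()
}

// RedactArgs returns a loggable copy of args, covering "--k=v" and "--k v".
func RedactArgs(args []string) []string {
	out := make([]string, 0, len(args))
	for i := 0; i < len(args); i++ {
		name, val, hasEq := strings.Cut(args[i], "=")
		if hasEq {
			out = append(out, name+"="+redactValue(name, val))
		} else if _, secret := secretFlags[name]; secret && i+1 < len(args) {
			i++ // the value is the next argument
			out = append(out, name, redactValue(name, args[i]))
		} else {
			out = append(out, name)
		}
	}
	return out
}

func main() { // constructed sample command line
	fmt.Println(RedactArgs([]string{"backup", "--crypter.key=0123", "--storage", "s3://b/p?k=SK"}))
}
```

Log the slice returned by `RedactArgs` in place of the raw `os.Args`; the original arguments are left untouched for the program itself to use.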

@ti-chi-bot ti-chi-bot bot added do-not-merge/needs-triage-completed release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 21, 2024

tiprow bot commented Nov 21, 2024

Hi @kennytm. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kennytm kennytm added type/bugfix This PR fixes a bug. component/br This issue is related to BR of TiDB. needs-cherry-pick-release-6.1 Should cherry pick this PR to release-6.1 branch. needs-cherry-pick-release-6.5 Should cherry pick this PR to release-6.5 branch. needs-cherry-pick-release-7.1 Should cherry pick this PR to release-7.1 branch. needs-cherry-pick-release-7.5 Should cherry pick this PR to release-7.5 branch. needs-cherry-pick-release-8.1 Should cherry pick this PR to release-8.1 branch. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 21, 2024
@kennytm kennytm force-pushed the issue-57585-redact-more-fields branch from dc659aa to 6d0f592 Compare November 21, 2024 09:42
@ti-chi-bot ti-chi-bot bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 21, 2024

codecov bot commented Nov 21, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.5370%. Comparing base (c091dba) to head (6d0f592).
Report is 9 commits behind head on master.

Additional details and impacted files
@@               Coverage Diff                @@
##             master     #57593        +/-   ##
================================================
+ Coverage   72.8033%   74.5370%   +1.7336%     
================================================
  Files          1676       1691        +15     
  Lines        463631     463740       +109     
================================================
+ Hits         337539     345658      +8119     
+ Misses       105278      96607      -8671     
- Partials      20814      21475       +661     
Flag Coverage Δ
integration 46.5600% <100.0000%> (?)
unit 72.2263% <0.0000%> (+0.0333%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
dumpling 52.7673% <ø> (ø)
parser ∅ <ø> (∅)
br 61.0088% <100.0000%> (+15.5583%) ⬆️

@kennytm kennytm added the needs-cherry-pick-release-8.5 Should cherry pick this PR to release-8.5 branch. label Nov 21, 2024
@ti-chi-bot ti-chi-bot bot added approved needs-1-more-lgtm Indicates a PR needs 1 more LGTM. and removed do-not-merge/needs-triage-completed labels Nov 21, 2024

ti-chi-bot bot commented Nov 21, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 3pointer, BornChanger

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Nov 21, 2024

ti-chi-bot bot commented Nov 21, 2024

[LGTM Timeline notifier]

Timeline:

  • 2024-11-21 10:21:00.580481009 +0000 UTC m=+113448.200135524: ☑️ agreed by BornChanger.
  • 2024-11-21 10:25:46.527449073 +0000 UTC m=+113734.147103585: ☑️ agreed by 3pointer.

@ti-chi-bot ti-chi-bot bot merged commit fe1b9ed into pingcap:master Nov 21, 2024
36 of 41 checks passed
@ti-chi-bot
Member

In response to a cherrypick label: new pull request created to branch release-6.5: #57601.

@ti-chi-bot
Member

In response to a cherrypick label: new pull request created to branch release-7.1: #57602.

@ti-chi-bot
Member

In response to a cherrypick label: new pull request created to branch release-7.5: #57603.

@ti-chi-bot
Member

In response to a cherrypick label: new pull request created to branch release-8.1: #57604.

@ti-chi-bot
Member

In response to a cherrypick label: new pull request created to branch release-8.5: #57605.

@ti-chi-bot
Member

In response to a cherrypick label: new pull request created to branch release-6.1: #57606.

Development

Successfully merging this pull request may close these issues.

BR: --crypter.key & --full-backup-storage are not redacted from the log
4 participants