fix(standalone): hide etcd password in logs #13034

Merged
merged 3 commits into from
Oct 26, 2023

@kwannoel kwannoel commented Oct 24, 2023

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

Fixes #13005.

A quick hack to hide the pwd, without having to introduce a full custom display trait.

Hides the etcd password by wrapping the field in redact::Secret.

Checklist

  • I have written necessary rustdoc comments
  • I have added necessary unit tests and integration tests
  • I have added fuzzing tests or opened an issue to track them. (Optional, recommended for new SQL features Sqlsmith: Sql feature generation #7934).
  • My PR contains breaking changes. (If it deprecates some features, please create a tracking issue to remove them in the future).
  • All checks passed in ./risedev check (or alias, ./risedev c)
  • My PR changes performance-critical code. (Please run macro/micro-benchmarks and show the results.)
  • My PR contains critical fixes that are necessary to be merged into the latest release. (Please check out the details)

Documentation

  • My PR needs documentation updates. (Please use the Release note section below to summarize the impact on users)

Release note

If this PR includes changes that directly affect users or other significant modifications relevant to the community, kindly draft a release note to provide a concise summary of these changes. Please prioritize highlighting the impact these changes will have on users.

@kwannoel kwannoel requested review from arkbriar and xxchan October 24, 2023 11:15
@github-actions github-actions bot added the type/fix Bug fix label Oct 24, 2023
@kwannoel kwannoel requested a review from xiangjinwu October 24, 2023 11:15

codecov bot commented Oct 24, 2023

Codecov Report

Merging #13034 (828d22a) into main (d6e5bec) will decrease coverage by 0.01%.
Report is 1 commits behind head on main.
The diff coverage is 37.50%.

@@            Coverage Diff             @@
##             main   #13034      +/-   ##
==========================================
- Coverage   68.23%   68.23%   -0.01%     
==========================================
  Files        1499     1499              
  Lines      252493   252496       +3     
==========================================
- Hits       172301   172295       -6     
- Misses      80192    80201       +9     

| Flag | Coverage Δ |
|------|------------|
| rust | 68.23% <37.50%> (-0.01%) ⬇️ |

Flags with carried forward coverage won't be shown.

| Files | Coverage Δ |
|-------|------------|
| src/cmd_all/src/standalone.rs | 77.03% <100.00%> (ø) |
| src/meta/node/src/lib.rs | 1.33% <0.00%> (-0.03%) ⬇️ |

... and 7 files with indirect coverage changes


@kwannoel kwannoel requested a review from a team as a code owner October 26, 2023 08:37
@kwannoel kwannoel requested review from xxchan and BugenZhao October 26, 2023 08:37
true => Some((opts.etcd_username, opts.etcd_password)),
true => Some((
opts.etcd_username,
opts.etcd_password.expose_secret().to_string(),
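
Review bot: at `opts.etcd_password.expose_secret().to_string()` the password becomes a plain `String` inside the tuple next to `opts.etcd_username`, so the redaction ends at this match arm and anything that later formats the holder of that tuple with `{:?}` will print it. Consider passing the wrapped value through and calling `expose_secret()` only at the point where the credentials are handed to the etcd client, and add a test that formats the options with `{:?}` and asserts the password text is absent.
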
Member

Hmmm, I feel ideally we should make all the intermediate stuff Secret, and reveal secret until we have to. Just checked MetaStoreBackend also #[derive(Debug)]. 🤣

Just raise this point. Not a hard requirement for now.

Contributor Author

Good point.
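
An added example, not code from this PR or from RisingWave: it shows why wrapping the field keeps the password out of `{:?}` output, and how unwrapping it into an intermediate `#[derive(Debug)]` type, the concern raised in the review comment above, brings it back. `Secret` here is a minimal stand-in for `redact::Secret`; `Opts`, `LeakyBackend`, `SafeBackend` and `render_all` are hypothetical names, and the password is a constructed sample.

```rust
use std::fmt;

// Minimal stand-in for a redacting wrapper like redact::Secret (not the crate's code).
struct Secret<T>(T);

impl<T> Secret<T> {
    fn new(value: T) -> Self { Secret(value) }
    fn expose_secret(&self) -> &T { &self.0 }
}

// Debug never touches the inner value, so {:?} on any parent struct is safe.
impl<T> fmt::Debug for Secret<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

// Hypothetical startup options, the kind of struct that gets logged with {:?}.
#[derive(Debug)]
struct Opts { etcd_username: String, etcd_password: Secret<String> }

// Unwraps early: the derived Debug prints the plain String again.
#[derive(Debug)]
#[allow(dead_code)]
struct LeakyBackend { credentials: Option<(String, String)> }

// Keeps the wrapper; only the code that builds the client calls expose_secret().
#[derive(Debug)]
#[allow(dead_code)]
struct SafeBackend { credentials: Option<(String, Secret<String>)> }

// Returns the Debug rendering of (opts, leaky backend, safe backend).
fn render_all(password: &str) -> (String, String, String) {
    let opts = Opts {
        etcd_username: "root".to_string(),
        etcd_password: Secret::new(password.to_string()),
    };
    let opts_log = format!("{:?}", opts);
    let user = opts.etcd_username.clone();
    let plain = opts.etcd_password.expose_secret().to_string();
    let leaky = LeakyBackend { credentials: Some((user.clone(), plain)) };
    let safe = SafeBackend { credentials: Some((user, opts.etcd_password)) };
    (opts_log, format!("{:?}", leaky), format!("{:?}", safe))
}

fn main() {
    let (opts, leaky, safe) = render_all("constructed-sample-pw");
    println!("{}\n{}\n{}", opts, leaky, safe);
}
```
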


gitguardian bot commented Oct 26, 2023

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

| GitGuardian id | Secret | Commit | Filename |
|----------------|--------|--------|----------|
| 7648795 | Generic CLI Secret | 828d22a | integration_tests/iceberg-cdc/run_test.sh |

🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@kwannoel kwannoel enabled auto-merge October 26, 2023 09:17
@kwannoel kwannoel added this pull request to the merge queue Oct 26, 2023
@BugenZhao BugenZhao changed the title fix(standalone): hide etcd pwd in logs fix(standalone): hide etcd password in logs Oct 26, 2023
Merged via the queue into main with commit de8d217 Oct 26, 2023
11 of 13 checks passed
@kwannoel kwannoel deleted the kwannoel/print-failed-mv branch October 26, 2023 11:13
Successfully merging this pull request may close these issues.

Hide the value of --etcd-password when starting meta node with arguments
4 participants