flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-10363) S3 FileSystem factory prints secrets into logs
Date Thu, 20 Sep 2018 16:08:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-10363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16622263#comment-16622263
] 

Steve Loughran commented on FLINK-10363:
----------------------------------------

Stephan: we went to a lot of effort to not log AWS secrets in the S3A code. Tell me you haven't
been printing them.

FWIW, all the sensitive values are listed here: https://github.com/steveloughran/cloudstore/blob/master/src/main/java/org/apache/hadoop/fs/store/diag/S3ADiagnosticsInfo.java#L40

if anyone puts user:pass in the URL then even the path becomes sensitive, which is why users
are told off for doing that, and why the feature has finally been turned off.

> S3 FileSystem factory prints secrets into logs
> ----------------------------------------------
>
>                 Key: FLINK-10363
>                 URL: https://issues.apache.org/jira/browse/FLINK-10363
>             Project: Flink
>          Issue Type: Bug
>          Components: FileSystem
>            Reporter: Stephan Ewen
>            Assignee: Stephan Ewen
>            Priority: Critical
>             Fix For: 1.7.0, 1.6.2
>
>
> The file system factory logs all values it applies from the flink configuration.
> That frequently includes access keys, which should not leak into logs.
> The loader should only log the keys, not the values.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message