Comments (2)
Hello @wasim-nihal!
I'd like to introduce a new boolean flag maskUsernameFlags which when set to true will mask the content of such flags and just print secret.
If those flags are URLs, we may not have that much control over what is printed. If the URL is passed to Go standard lib function (like http.Do()) then returned error may contain the full unmasked URL. The caller of this function won't be able to detect this without adding some type of parser for checking error messages for sensitive info. This might complicate the code, introduce a lot of changes for little gains.
Have you considered adding such sanitizations to logs collector/driver instead?
Hi @hagen1778, I do not fully understand how username flags can be passed as URLs. What I intended here is not to support the configuration of username flags as URLs (unlike password where we can give http://).
Instead, the proposed change is just to mask the flags from the logs similar to those below. Here if we see, httpAuth.password gets logged as secret whereas httpAuth.username gets logged as plain text.
$ ./victoria-metrics --httpAuth.username=hello --httpAuth.password=world
2024-04-24T06:00:07.506Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:12 build version: victoria-metrics-20240402-115328-heads-master-0-gdaa1326b9-dirty-e12c1b95
2024-04-24T06:00:07.515Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:13 command-line flags
2024-04-24T06:00:07.515Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20 -httpAuth.password="secret"
2024-04-24T06:00:07.517Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20 -httpAuth.username="hello"
$ ./vmagent -remoteWrite.url=https://127.0.0.1:8428/api/v1/write -remoteWrite.basicAuth.username=hello -remoteWrite.basicAuth.password=world -promscrape.config=./prom.yaml
2024-04-24T06:40:40.405Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:12 build version: vmagent-20240424-062430-heads-vmbackup-secure-url-0-g3445ee396-dirty-d8b89610
2024-04-24T06:40:40.406Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:13 command-line flags
2024-04-24T06:40:40.406Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20 -promscrape.config="./prom.yaml"
2024-04-24T06:40:40.406Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20 -remoteWrite.basicAuth.password="secret"
2024-04-24T06:40:40.406Z info /mnt/c/oss/VictoriaMetrics-VictoriaMetrics/lib/logger/flag.go:20 -remoteWrite.basicAuth.username="hello"
So, to mask such username flags at startup, the proposed solution is as follows to the file VictoriaMetrics/lib/flagutil/secret.go
var maskUsernameFlags = flag.Bool("maskUsernameFlags", false, "Whether to mask flags related to username from logs")

// IsSecretFlag returns true if s contains flag name with secret value, which shouldn't be exposed.
func IsSecretFlag(s string) bool {
	if strings.Contains(s, "pass") || strings.Contains(s, "key") || strings.Contains(s, "secret") || strings.Contains(s, "token") {
		return true
	}
	// Optionally treat username flags as secret too.
	if *maskUsernameFlags && strings.Contains(s, "username") {
		return true
	}
	return secretFlags[s]
}
Please let me know if my understanding is not right.
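The masking rule discussed in this thread, as an added example that is not part of the original comments or of the VictoriaMetrics code base: it renders a flag set the way the startup log above does, with and without username masking. The names isSecretFlag, renderFlags and newSampleFlags and the maskUsernames parameter (standing in for the proposed maskUsernameFlags flag) are assumptions; the flag names and values are the ones from the vmagent run quoted above.

```go
package main

import (
	"flag"
	"fmt"
	"strings"
)

// secretFlags stands in for the explicit registry the thread's snippet falls back to.
var secretFlags = map[string]bool{}

// isSecretFlag applies the substring rule from the thread; maskUsernames
// plays the role of the proposed -maskUsernameFlags switch (assumption).
func isSecretFlag(name string, maskUsernames bool) bool {
	for _, sub := range []string{"pass", "key", "secret", "token"} {
		if strings.Contains(name, sub) {
			return true
		}
	}
	return (maskUsernames && strings.Contains(name, "username")) || secretFlags[name]
}

// renderFlags returns one startup-log style line per flag, masking secret values as "secret".
func renderFlags(fs *flag.FlagSet, maskUsernames bool) []string {
	var lines []string
	// VisitAll walks the flags in lexicographical order of their names.
	fs.VisitAll(func(f *flag.Flag) {
		v := f.Value.String()
		if isSecretFlag(f.Name, maskUsernames) {
			v = "secret"
		}
		lines = append(lines, fmt.Sprintf("-%s=%q", f.Name, v))
	})
	return lines
}

// newSampleFlags builds a constructed flag set with the values from the quoted vmagent run.
func newSampleFlags() *flag.FlagSet {
	fs := flag.NewFlagSet("vmagent-sample", flag.ContinueOnError)
	fs.String("promscrape.config", "./prom.yaml", "")
	fs.String("remoteWrite.basicAuth.username", "hello", "")
	fs.String("remoteWrite.basicAuth.password", "world", "")
	return fs
}

func main() {
	for _, mask := range []bool{false, true} {
		fmt.Printf("maskUsernames=%v\n%s\n", mask, strings.Join(renderFlags(newSampleFlags(), mask), "\n"))
	}
}
```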