Configure sensitive config values for redaction #3378

Merged
merged 1 commit into from Feb 23, 2021

jaydoane
Contributor

Overview

This defines a configuration file which specifies sections and fields
for config values that are redacted from logs. Specifically, all
values from the "admins" section and the value of "password" in the
"replicator" section are redacted.

Testing recommendations

This must be tested with its companion PR below.

In a remsh, set an admin password: config:set("admins", "admin1", "secretpassword")., and then reload: config:reload(). and you should see the following redactions in the log:

[notice] 2021-02-20T06:16:30.672944Z node1@127.0.0.1 <0.196.0> -------- config: [admins] admin1 set to '****' for reason nil
[notice] 2021-02-20T06:17:13.720003Z node1@127.0.0.1 <0.196.0> -------- Reload detected config change admins.admin1 = '****'

Related Issues or Pull Requests

apache/couchdb-config#35

Checklist

  • Code is written and works correctly
  • Changes are covered by tests
  • Any new configurable parameters are documented in rel/overlay/etc/default.ini
  • A PR for documentation changes has been made in https://github.com/apache/couchdb-documentation

Contributor

@iilyak iilyak left a comment


+1

@iilyak
Contributor

iilyak commented Feb 22, 2021

The testing instructions are a bit incorrect. The reload event can be tested using the following steps:

  1. set an admin password: config:set("admins", "admin1", "secretpassword").
  2. manually change one of the digits corresponding to hash of pass for admin1 in dev/lib/node1/etc/local.ini
  3. config:reload().

@jaydoane jaydoane merged commit c0ae076 into 3.x Feb 23, 2021
@jaydoane jaydoane deleted the sensitive-config branch February 23, 2021 17:15
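
The redaction rule from the PR overview, applied to a reload diff like the one in the test steps above. This is an added example, not code from this PR or from couchdb-config; the module name, the in-memory form of the sensitive-fields spec and the sample values are assumptions.

```erlang
-module(redact_demo).
-export([is_sensitive/2, redact/3, reload_changes/2, demo/0]).

%% Assumed in-memory form of the spec: every key in "admins" is sensitive,
%% and only "password" in "replicator". The PR's on-disk format is not
%% shown on this page.
-define(SENSITIVE, #{"admins" => all, "replicator" => ["password"]}).

is_sensitive(Section, Key) ->
    case maps:get(Section, ?SENSITIVE, []) of
        all -> true;
        Keys -> lists:member(Key, Keys)
    end.

%% Replace a sensitive value before it reaches any log formatter.
redact(Section, Key, Value) ->
    case is_sensitive(Section, Key) of
        true -> "****";
        false -> Value
    end.

%% Old and New map {Section, Key} => Value. Returns one log message per
%% added or changed key; deleted keys are out of scope for this example.
reload_changes(Old, New) ->
    Changed = [SK || {SK, V} <- maps:to_list(New),
                     maps:get(SK, Old, undefined) =/= V],
    [format_change(S, K, maps:get({S, K}, New))
     || {S, K} <- lists:sort(Changed)].

format_change(S, K, V) ->
    lists:flatten(
        io_lib:format("Reload detected config change ~s.~s = '~s'",
                      [S, K, redact(S, K, V)])).

demo() ->
    %% Constructed sample snapshots (not real hashes or credentials).
    Old = #{{"admins", "admin1"} => "constructed-hash-1",
            {"replicator", "password"} => "constructed-old",
            {"log", "level"} => "info"},
    New = Old#{{"admins", "admin1"} => "constructed-hash-2",
               {"replicator", "password"} => "constructed-new",
               {"log", "level"} => "debug"},
    Lines = reload_changes(Old, New),
    lists:foreach(fun(L) -> io:format("~s~n", [L]) end, Lines),
    Lines.
```

In `demo/0` the changed admin hash and replicator password are reported as `'****'`, while the non-sensitive `log.level` change is logged with its real value.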