hubble: Conditionally redact user info present in URLs in (L7) HTTP flows #28848
Conversation
force-pushed from 152fdcd to dc17775
Thanks for the PR 😄
Thanks! I second @tommyp1ckles's concerns about un-idiomatic variable names (`_url` vs `url_`), but besides that the changes look good to me.
One docs nit, and echoing @tommyp1ckles's comment about the var names.

Everything looks good on my end, just waiting re: moving the helm change to a separate PR.
Thanks, looks good
Looks good, thanks @ioandr. Can you squash the fixups into a single commit?
Add business logic to L7 HTTP parser to conditionally redact sensitive user info (e.g., password used in basic authentication) when present in observed URLs.

* Add the '--hubble-redact-http-userinfo' option to the Cilium CLI. Preserve existing functionality by setting it to true by default.
* Add unit tests to verify that password in observed URL is redacted.
* Fix issue in L7 HTTP parser where sensitive values were redacted in (L7) HTTP flows, but not in (L7) HTTP summaries.
* Update documentation as needed.
* Update Helm chart templates, values and docs as needed.

Closes cilium#23887

Signed-off-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com>

Sure, will do. Thanks!
force-pushed from fba2b58 to 11b31b0
thanks!
/test

@asauber kind reminder for another approval here 🤗
This PR deals with the first (and last remaining) item listed in #23887 (comment):

More specifically:

- Add business logic to the (L7) HTTP parser to conditionally redact sensitive user info that is potentially present in observed URLs (e.g., a password that is used in basic authentication) based on Hubble's configuration.
- Extend the Cilium CLI with the `--hubble-redact-http-userinfo` option and update Cilium's Helm chart, templates and docs as needed. Set the default value of this option to `true` to preserve existing functionality.
- Extend the test suite to check whether a password observed in a URL is redacted.
- Fix issue in L7 HTTP parser where sensitive values were redacted in (L7) HTTP flows, but not in (L7) HTTP summaries.
NOTE

This PR is also related to #28798 where we investigate why the `user:pass@` part of a URL is not observed by Hubble. To overcome this and test this PR for now, one can "short-circuit" Cilium's Envoy to always include the `user:pass@` part in observed URLs by modifying https://github.com/cilium/cilium/blob/main/pkg/envoy/accesslog.go#L19 as follows:

Closes #23887
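As an added example, not code from this PR or from Cilium, the behaviour described in the commit message and in the list above written in Go against the standard library only: a config flag mirroring `--hubble-redact-http-userinfo`, a redaction function that strips the `user:pass@` component from an observed URL, and a flow constructor that derives the human-readable summary from the already-redacted URL so the flow field and the summary can never disagree (the inconsistency the PR fixes). The names `Config`, `HTTPFlow`, `RedactUserInfo` and `NewHTTPFlow`, the summary format, the `ErrUnparsableURL` handling and the policy of dropping the whole userinfo component rather than only the password are assumptions of this example, not Cilium's implementation; the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Config mirrors the single knob the PR adds. The field name is an assumption
// of this example, not Cilium's configuration type.
type Config struct {
	RedactHTTPUserInfo bool // default true in the PR: redact unless disabled
}

// HTTPFlow is a constructed stand-in for the two places an observed L7 flow
// carries the URL: the structured field and the human-readable summary.
type HTTPFlow struct {
	Method  string
	URL     string
	Summary string
}

// ErrUnparsableURL is returned when the observed URL cannot be parsed. The
// caller must not fall back to the raw string, which may still carry a secret.
var ErrUnparsableURL = errors.New("unparsable url")

// RedactUserInfo drops the userinfo component ("user:pass@") from rawURL when
// cfg.RedactHTTPUserInfo is set. URLs without userinfo, including relative
// request targets such as "/login?x=1", are returned unchanged.
func RedactUserInfo(cfg Config, rawURL string) (string, error) {
	if !cfg.RedactHTTPUserInfo {
		return rawURL, nil
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", ErrUnparsableURL
	}
	if u.User == nil {
		return rawURL, nil
	}
	u.User = nil // removes both the username and the password
	return u.String(), nil
}

// NewHTTPFlow builds the flow from the redacted URL only, so the summary is
// derived from the same string as the URL field and cannot leak what the
// field hides. On a parse failure the whole URL is replaced by a placeholder.
func NewHTTPFlow(cfg Config, method, proto, rawURL string) HTTPFlow {
	redacted, err := RedactUserInfo(cfg, rawURL)
	if err != nil {
		redacted = "<unparsable-url-redacted>" // placeholder chosen by this example
	}
	return HTTPFlow{
		Method:  method,
		URL:     redacted,
		Summary: fmt.Sprintf("%s %s %s", proto, method, redacted), // assumed summary format
	}
}

func main() {
	// Constructed sample URLs, as an Envoy access log might hand them to the parser.
	samples := []string{
		"http://user:pass@example.com/path?x=1", // basic-auth credentials in the URL
		"http://user@example.com/",              // username only, still stripped
		"/login?x=1",                            // relative target, no userinfo
		"http://[::1",                           // malformed: falls back to the placeholder
	}
	for _, enabled := range []bool{true, false} {
		cfg := Config{RedactHTTPUserInfo: enabled}
		fmt.Printf("redact=%v\n", enabled)
		for _, s := range samples {
			f := NewHTTPFlow(cfg, "GET", "HTTP/1.1", s)
			fmt.Printf("  url=%-40s summary=%q\n", f.URL, f.Summary)
		}
	}
}
```

With the flag disabled the function is a pass-through, which is the "preserve existing functionality" path the commit message describes; with it enabled, every place the URL is rendered goes through the same redacted string.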