Redact the API secret for Confluent Cloud sinks from show jobs output #113503
Comments
cc @cockroachdb/cdc
It looks like the api_key and api_secret do not show up if we create an external connection before creating the changefeed. But it does show up if we create the changefeed using sinkURI directly.
does not show secrets
But it does show up if we create changefeed using the sinkURI directly.
does not redact secrets
Is this the intended behaviour or should we redact api_secret?
115535: changefeedccl: redact user-sensitive info from SHOW JOBS output r=jayshrivastava a=wenyihu6

Previously, `SHOW CHANGEFEED JOB` revealed sensitive user data like `api_secret` for confluent cloud sinks. This patch now redacts `api_secret`, `sasl_password`, `client_cert`, and `ca_cert` in the job description and sinkURI output column.

Fixes: #113503

Release note (enterprise change): SHOW CHANGEFEED JOB, SHOW CHANGEFEED JOBS, and SHOW JOBS no longer expose user sensitive information (`api_secret`, `sasl_password`, `client_cert`, and `ca_cert`) in the job description and sinkURI output column would reveal sensitive user information (api_secret, sasl_password, client_cert, ca_cert).

115554: schemafeed: bump size of test r=rail a=rickystewart

This timed out in CI.
https://teamcity.cockroachdb.com/buildConfiguration/Cockroach_Ci_TestsGcpLinuxX8664BigVm_CclUnitTests/12973040?hideProblemsFromDependencies=false&hideTestsFromDependencies=false&expandBuildChangesSection=true&expandBuildDeploymentsSection=true&expandBuildProblemsSection=true&expandBuildTestsSection=true

Epic: none
Release note: None

115557: stress: re-set GITHUB_API_TOKEN r=rail a=rickystewart

This change was made accidentally in #114681.

Epic: CRDB-8308
Release note: None

Co-authored-by: Wenyi Hu <wenyi@cockroachlabs.com>
Co-authored-by: Ricky Stewart <ricky@cockroachlabs.com>
Describe the problem

When you run `SHOW CHANGEFEED JOB {job id};` on a changefeed to a `confluent-cloud` sink, the API secret is not redacted in the `SHOW` output. This is also the case for regular `SHOW JOBS`.

To Reproduce

`SHOW CHANGEFEED JOB` on that changefeed job.

Expected behavior

The `api_secret` parameter value is redacted for a `SHOW` command.

CockroachDB v23.2.0-alpha.4
Jira issue: CRDB-33028
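
Added example, not part of the original issue and not CockroachDB's own code: a sketch of the redaction the fix describes, applied to both a sink URI and the job description text that embeds it. The function names, the `redacted` marker, the quoted-literal pattern and the sample host and credentials are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Parameters the fix for this issue lists as sensitive.
var sensitiveParams = map[string]bool{
	"api_secret": true, "sasl_password": true, "client_cert": true, "ca_cert": true,
}

const marker = "redacted" // assumption: placeholder text chosen for this example

// Matches a single-quoted URI literal inside a job description (assumed form).
var uriLiteral = regexp.MustCompile(`'[a-zA-Z][a-zA-Z0-9+.-]*://[^']*'`)

// RedactSinkURI replaces sensitive query values. It fails closed: a URI that
// does not parse is replaced whole instead of being echoed back.
func RedactSinkURI(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return marker
	}
	q := u.Query() // malformed pairs are dropped here, so they cannot leak
	for name := range q {
		if sensitiveParams[strings.ToLower(name)] {
			q.Set(name, marker)
		}
	}
	u.RawQuery = q.Encode() // note: Encode sorts parameters by name
	return u.String()
}

// RedactDescription applies the same redaction to every URI literal in the
// statement text, covering the job description as well as the sink URI column.
func RedactDescription(stmt string) string {
	return uriLiteral.ReplaceAllStringFunc(stmt, func(lit string) string {
		return "'" + RedactSinkURI(lit[1:len(lit)-1]) + "'"
	})
}

func main() {
	// Constructed sample statement; host, key and secret are made up.
	stmt := "CREATE CHANGEFEED FOR TABLE t INTO " +
		"'confluent-cloud://broker.example.invalid:9092?api_key=KEY123&api_secret=s3cr3t'"
	fmt.Println(RedactDescription(stmt))
}
```

Redacting at the point where the description and sink URI are rendered, rather than only when an external connection is used, covers the directly supplied sink URI case reported in the comment as well.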