Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-23.2: changefeedccl: redact user-sensitive info from SHOW JOBS output #115567

Merged
merged 1 commit into from Dec 6, 2023
Merged

release-23.2: changefeedccl: redact user-sensitive info from SHOW JOBS output #115567

merged 1 commit into from Dec 6, 2023

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented Dec 4, 2023
edited by wenyihu6

Backport 1/1 commits from #115535 on behalf of @wenyihu6.

/cc @cockroachdb/release

Previously, SHOW CHANGEFEED JOB revealed sensitive user data like api_secret
for confluent cloud sinks. This patch now redacts api_secret, sasl_password,
client_cert, and ca_cert in the job description and sinkURI output column.

Fixes: #113503

Release note (enterprise change): SHOW CHANGEFEED JOB, SHOW CHANGEFEED JOBS,
and SHOW JOBS no longer expose user sensitive infromation(api_secret,
sasl_password, client_cert, and ca_cert) in the job description and
sinkURI output column would reveal sensitive user information (api_secret,
sasl_password, client_cert, ca_cert).

Release justification: low risk fix for a bug to redact user-sensitive info for SQL output

@wenyihu6
changefeedccl: redact user-sensitive info from SHOW JOBS output
da52700 
Previously, `SHOW CHANGEFEED JOB` revealed sensitive user data like `api_secret`
for confluent cloud sinks. This patch now redacts `api_secret`, `sasl_password`,
`client_cert`, and `ca_cert` in the job description and sinkURI output column.

Fixes: #113503

Release note (enterprise change): SHOW CHANGEFEED JOB,  SHOW CHANGEFEED JOBS,
and SHOW JOBS no longer expose user sensitive infromation(`api_secret`,
`sasl_password`, `client_cert`, and `ca_cert`) in the job description and
sinkURI output column would reveal sensitive user information (api_secret,
sasl_password, client_cert, ca_cert).
@blathers-crl blathers-crl bot requested a review from a team as a code owner December 4, 2023 22:09
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.2-115535 branch from 5b7ff25 to f67afb2 Compare December 4, 2023 22:09
@blathers-crl blathers-crl bot requested review from jayshrivastava and removed request for a team December 4, 2023 22:09
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Dec 4, 2023
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.2-115535 branch from f7301fc to da52700 Compare December 4, 2023 22:09
@blathers-crl blathers[crl]
Copy link
Author

blathers-crl bot commented Dec 4, 2023
edited by wenyihu6

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL and one additional
    TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Dec 4, 2023
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@wenyihu6
Copy link
Contributor

wenyihu6 commented Dec 5, 2023

Failure of TestSessionProtectedTimestampReconciler on Extended CI seems to be a known flake - pinged this flake on https://cockroachlabs.slack.com/archives/C04U1BTF8/p1699648868852389. Should be good for review ^

@nicktrav
Copy link
Collaborator

nicktrav commented Dec 5, 2023

EM LGTM ✅

@wenyihu6 wenyihu6 requested a review from dt December 5, 2023 17:52
@wenyihu6
Copy link
Contributor

wenyihu6 commented Dec 6, 2023

TFTRs!

@wenyihu6 wenyihu6 merged commit bccf65d into release-23.2 Dec 6, 2023
5 of 6 checks passed
@wenyihu6 wenyihu6 deleted the blathers/backport-release-23.2-115535 branch December 6, 2023 02:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dt dt dt approved these changes

@miretskiy miretskiy miretskiy approved these changes

@jayshrivastava jayshrivastava Awaiting requested review from jayshrivastava jayshrivastava is a code owner automatically assigned from cockroachdb/cdc-prs

@nicktrav nicktrav Awaiting requested review from nicktrav

Assignees

@wenyihu6 wenyihu6

Labels
backport Label PR's that are backports to older release branches blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@cockroach-teamcity @wenyihu6 @nicktrav @dt @miretskiy