Scraping Service: basic_auth gets wiped by marshaling to YAML
#62
Labels
bug
Something isn't working
frozen-due-to-age
Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed.
Comments
rfratto
referenced
this issue
in rfratto/agent
May 8, 2020
The Bearer Token and Basic Auth Password for remote_write configs were not being stored or hashed properly; those values are of a Secret type that implements a custom yaml.Marshaler and removes the underlying secret value. So when configs were being stored in the KV store, the secrets were being removed and replaced with the text "<secret>". This caused agents who loaded the config to run an instance to use the wrong password. Hashing a config had the same problem; since the hash only marshaled a config to YAML, secrets were not being calculated properly with the hash. This commit fixes both problems; secrets are stored separately now in a raw string type and hashing adds the values for secrets before summing the input. Fixes #62.
rfratto
referenced
this issue
in rfratto/agent
May 8, 2020
The Bearer Token and Basic Auth Password for remote_write configs were not being stored or hashed properly; those values are of a Secret type that implements a custom yaml.Marshaler and removes the underlying secret value. So when configs were being stored in the KV store, the secrets were being removed and replaced with the text "<secret>". This caused agents who loaded the config to run an instance to use the wrong password. Hashing a config had the same problem; since the hash only marshaled a config to YAML, secrets were not being calculated properly with the hash. This commit fixes both problems; secrets are stored separately now in a raw string type and hashing adds the values for secrets before summing the input. Fixes #62.
rfratto
added a commit
that referenced
this issue
May 11, 2020
The Bearer Token and Basic Auth Password for remote_write configs were not being stored or hashed properly; those values are of a Secret type that implements a custom yaml.Marshaler and removes the underlying secret value. So when configs were being stored in the KV store, the secrets were being removed and replaced with the text "<secret>". This caused agents who loaded the config to run an instance to use the wrong password. Hashing a config had the same problem; since the hash only marshaled a config to YAML, secrets were not being calculated properly with the hash. This commit fixes both problems; secrets are stored separately now in a raw string type and hashing adds the values for secrets before summing the input. Fixes #62.
|
This isn't fixed. The YAML is being remarshaled all over the place, including from agentctl. This needs a more general solution. |
rfratto
referenced
this issue
in rfratto/agent
May 11, 2020
This commit completely removes the Secret type to allow RemoteWriteConfigs to be arbitrarily marshalled back and forth between YAML. Sanitization now happens on demand rather than being forced by the marshaling. Closes #62
rfratto
added a commit
that referenced
this issue
May 11, 2020
* Duplicate RemoteWriteConfig without the Secret type This commit completely removes the Secret type to allow RemoteWriteConfigs to be arbitrarily marshalled back and forth between YAML. Sanitization now happens on demand rather than being forced by the marshaling. Closes #62 * fix lint error
mattdurham
pushed a commit
that referenced
this issue
Nov 11, 2021
The Bearer Token and Basic Auth Password for remote_write configs were not being stored or hashed properly; those values are of a Secret type that implements a custom yaml.Marshaler and removes the underlying secret value. So when configs were being stored in the KV store, the secrets were being removed and replaced with the text "<secret>". This caused agents who loaded the config to run an instance to use the wrong password. Hashing a config had the same problem; since the hash only marshaled a config to YAML, secrets were not being calculated properly with the hash. This commit fixes both problems; secrets are stored separately now in a raw string type and hashing adds the values for secrets before summing the input. Fixes #62.
mattdurham
pushed a commit
that referenced
this issue
Nov 11, 2021
* Duplicate RemoteWriteConfig without the Secret type This commit completely removes the Secret type to allow RemoteWriteConfigs to be arbitrarily marshalled back and forth between YAML. Sanitization now happens on demand rather than being forced by the marshaling. Closes #62 * fix lint error
github-actions
bot
added
the
frozen-due-to-age
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Prometheus stores the
basic_authas aSecrettype which implementsyaml.Marshalerand always forces the string to be<secret>. This breaks the configuration storage.The
yamlCodecinpkg/prometheus/hashould wrap theinstance.Configtype and store secret values separately. The following are secrets:Note that for the same reason, hashing configs when detecting if configs changed is broken; the value being hashed is not the secret but rather the string
<secret>. To fix this, the secret values above should be added separately to the hashing function if they are non-nil and non-empty.The text was updated successfully, but these errors were encountered: