Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mask password in mountOptions #37

Closed
andyzhangx opened this issue Jun 24, 2020 · 2 comments
Closed

mask password in mountOptions #37

andyzhangx opened this issue Jun 24, 2020 · 2 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.

Comments

@andyzhangx
Copy link
Member

andyzhangx commented Jun 24, 2020
edited

What happened:
Currently csi driver node logs would print out mountOptions, while it may contain password, e.g.
https://github.com/kubernetes-csi/csi-driver-smb/blob/master/deploy/example/logs/csi-smb-node.log#L40

mountOptions([dir_mode=0777 file_mode=0777 username=f8471372a68594910913ed4,password=...YGisUKDE3axDL6x1KyEj9j9PrUp0Yd7U/WbZ0Ip1uluWQr8FSkFgQhIO6fhaCGKd+aJSCrnTgR3m99OMQ== vers=3.0])
I0510 03:32:39.318471       1 nodeserver.go:193] volume(arbitrary-volumeid) mount "//f8471372a68594910913ed4.file.core.windows.net/kubernetes-dynamic-pvc-687cfca7-4880-4dbc-9daa-be4bc39b8eaa" on "/var/lib/kubelet/plugins/kubernetes.io/csi/pv/pv-smb/globalmount" succeeded
I0510 03:32:39.318497       1 utils.go:118] GRPC response: 
I0510 03:32:39.324390       1 utils.go:111] GRPC call: /csi.v1.Node/NodeGetCapabilities
I0510 03:32:39.324404       1 utils.go:112] GRPC request:

Related code is here:

csi-driver-smb/pkg/smb/nodeserver.go

Lines 183 to 184 in 1afa2fa

klog.V(2).Infof("targetPath(%v) volumeID(%v) context(%v) mountflags(%v) mountOptions(%v)",
targetPath, volumeID, context, mountFlags, mountOptions)

What you expected to happen:
Use similar way here to only mask password by a common function, e.g.

  • MaskFieldValue(mountOptions, field string) string, the output could be [dir_mode=0777 file_mode=0777 username=f8471372a68594910913ed4,password=*** vers=3.0

csi-driver-smb/pkg/smb/nodeserver.go

Lines 123 to 125 in 1afa2fa

var reqSecretsRegex, _ = regexp.Compile(`map\[password:.*? `)
s := fmt.Sprintf("NodeStageVolume called with request %v", *req)
klog.V(5).Info(reqSecretsRegex.ReplaceAllString(s, "map[password:**** "))

How to reproduce it:

Anything else we need to know?:

Environment:

  • CSI Driver version:
  • Kubernetes version (use kubectl version):
  • OS (e.g. from /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others:
@andyzhangx andyzhangx added kind/bug Categorizes issue or PR as related to a bug. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jun 24, 2020
@andyzhangx
Copy link
Member Author

there is also a similar mask function as this:
https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/f81d61bb5419ccf65d4a360b5dad026792b31ee7/pkg/csi-common/utils.go#L105-L120

need to wrap a common function to make it more common

@animeshk08

@andyzhangx
Copy link
Member Author

not an issue now

[pod/csi-smb-node-px786/smb] I0822 12:51:08.447031       1 mount_linux.go:146] Mounting cmd (mount) with arguments (-t cifs -o dir_mode=0777,file_mode=0777,uid=0,gid=0,mfsymlinks,cache=strict,nosharesock,<masked> //smb-server.default.svc.cluster.local/share /var/lib/kubelet/plugins/kubernetes.io/csi/pv/pvc-e38070e7-08da-417b-863f-30e0d415e517/globalmount)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andyzhangx