Redact sensitive values from config in health data #12421

Merged
merged 2 commits into from
Jun 3, 2021

anjalshireesh
Contributor

Description

The health api returns the server configuration details. Redact
sensitive values from the config values like URLs and credentials.

Motivation and Context

Prevent sensitive info from leaking out through healthinfo api

How to test this PR?

  • Configure a bucket notification e.g. notify_webhook
  • Generate health report using mc admin subnet health {alias}
  • Verify that sensitive information like URLs/keys/certs are shown as *redacted* in the generated report

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Documentation updated
  • Unit tests added/updated
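
The redaction described above, sketched as an added example (not code from this PR or from MinIO): values whose key name looks like a URL, credential, key or cert are masked with *redacted* before they reach the health report, and `Leaks` performs the verification step from "How to test". The `KV` type, the key-name heuristic and the sample values, modelled on notify_webhook settings, are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// RedactedValue is the marker the PR's test steps expect in the report.
const RedactedValue = "*redacted*"
// KV is one key/value pair of a config sub-system (hypothetical type).
type KV struct{ Key, Value string }
// sensitiveNames is an assumed naming heuristic, not MinIO's own list.
var sensitiveNames = []string{"endpoint", "url", "token", "secret", "password", "key", "cert"}

func isSensitive(key string) bool {
	for _, s := range sensitiveNames {
		if strings.HasSuffix("_"+strings.ToLower(key), "_"+s) {
			return true
		}
	}
	return false
}

// Redact masks sensitive values on a copy; empty values stay visible as unset.
func Redact(kvs []KV) []KV {
	out := append([]KV(nil), kvs...)
	for i := range out {
		if isSensitive(out[i].Key) && out[i].Value != "" {
			out[i].Value = RedactedValue
		}
	}
	return out
}

// Leaks lists sensitive keys whose value is set but not masked.
func Leaks(kvs []KV) (leaked []string) {
	for _, kv := range kvs {
		if isSensitive(kv.Key) && kv.Value != "" && kv.Value != RedactedValue {
			leaked = append(leaked, kv.Key)
		}
	}
	return leaked
}

func main() {
	// Constructed notify_webhook-style settings; every value is made up.
	cfg := []KV{{"endpoint", "https://hooks.example.internal/minio"}, {"auth_token", "constructed-token"}, {"queue_dir", ""}}
	fmt.Println(Leaks(cfg), Redact(cfg), Leaks(Redact(cfg)))
}
```
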

@minio-trusted
Contributor

Mint Automation

Test Result
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-gateway-s3.sh ✔️
mint-erasure.sh ✔️
mint-dist-erasure.sh ✔️
mint-zoned.sh ✔️
mint-gateway-nas.sh ✔️
mint-compress-encrypt-dist-erasure.sh more...

12421-3f21dd5/mint-compress-encrypt-dist-erasure.sh.log:

Running with
SERVER_ENDPOINT:      minio-c3.minio.io:30279
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp 2aacf6781a3a:/mint/log /tmp/mint-logs'

(1/15) Running aws-sdk-go tests ... done in 1 seconds
(2/15) Running aws-sdk-java tests ... done in 2 seconds
(3/15) Running aws-sdk-php tests ... done in 43 seconds
(4/15) Running aws-sdk-ruby tests ... done in 3 seconds
(5/15) Running awscli tests ... done in 2 minutes and 12 seconds
(6/15) Running healthcheck tests ... done in 0 seconds
(7/15) Running mc tests ... done in 1 minutes and 0 seconds
(8/15) Running minio-dotnet tests ... done in 45 seconds
(9/15) Running minio-go tests ... done in 2 minutes and 0 seconds
(10/15) Running minio-java tests ... FAILED in 1 minutes and 25 seconds
{
  "name": "minio-java",
  "function": "composeObject()",
  "args": "[single source with offset]",
  "duration": 30,
  "status": "FAIL",
  "error": "error occurred\nErrorResponse(code = InvalidArgument, message = Range specified is not valid for source object, bucketName = minio-java-test-3eo2m72, objectName = minio-java-test-2ab04eu, resource = /minio-java-test-3eo2m72/minio-java-test-2ab04eu, requestId = 1684C8756127B347, hostId = 9f2ee140-1151-488b-b42d-d623a3259837)\nrequest={method=PUT, url=http://minio-c3.minio.io:30279/minio-java-test-3eo2m72/minio-java-test-2ab04eu?uploadId=7cecf3f4-d5a4-43a3-8e98-13c53a7a2af3&partNumber=1, headers=x-amz-copy-source: /minio-java-test-3eo2m72/minio-java-test-m5ei8t\nx-amz-copy-source-range: bytes=2048-1048575\nx-amz-copy-source-if-match: cb92d17a904ccec2e6e23b8bb66245fb\nHost: minio-c3.minio.io:30279\nAccept-Encoding: identity\nUser-Agent: MinIO (Linux; amd64) minio-java/8.0.3\nContent-MD5: 1B2M2Y8AsgTpgAmY7PhCfg==\nx-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\nx-amz-date: 20210602T135612Z\nAuthorization: AWS4-HMAC-SHA256 Credential=*REDACTED*/20210602/us-east-1/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-copy-source;x-amz-copy-source-if-match;x-amz-copy-source-range;x-amz-date, Signature=*REDACTED*\n}\nresponse={code=400, headers=Accept-Ranges: bytes\nContent-Length: 390\nContent-Security-Policy: block-all-mixed-content\nContent-Type: application/xml\nServer: MinIO\nVary: Origin\nX-Amz-Request-Id: 1684C8756127B347\nX-Xss-Protection: 1; mode=block\nDate: Wed, 02 Jun 2021 13:56:12 GMT\n}\n >>> [io.minio.MinioClient.execute(MinioClient.java:775), io.minio.MinioClient.uploadPartCopy(MinioClient.java:4804), io.minio.MinioClient.composeObject(MinioClient.java:1431), FunctionalTest.testComposeObject(FunctionalTest.java:2120), FunctionalTest.composeObjectTests(FunctionalTest.java:2145), FunctionalTest.composeObject(FunctionalTest.java:2300), FunctionalTest.runObjectTests(FunctionalTest.java:3758), FunctionalTest.runTests(FunctionalTest.java:3783), FunctionalTest.main(FunctionalTest.java:3927)]"
}
(10/15) Running minio-js tests ... done in 48 seconds
(11/15) Running minio-py tests ... done in 2 minutes and 44 seconds
(12/15) Running s3cmd tests ... done in 16 seconds
(13/15) Running s3select tests ... done in 7 seconds
(14/15) Running security tests ... done in 0 seconds

Executed 14 out of 15 tests successfully.

Deleting image on docker hub
Deleting image locally

@anjalshireesh anjalshireesh marked this pull request as ready for review June 2, 2021 16:31
Member

@harshavardhana harshavardhana left a comment

LGTM ❤️

Contributor

@klauspost klauspost left a comment

Nice! LGTM

@harshavardhana harshavardhana merged commit fb140c1 into minio:master Jun 3, 2021