-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shovel URIs can be logged in crash.log by the runtime #2709
Comments
|
Related sections of
|
This is a case our team is aware of and has considered. #2056 addressed the problem for what is under our control: the Erlang client and Shovel worker, etc state when said state was successfully initialized. In your case the process never has a chance to actually initialize: it effectively immediately fails and that is logged by the runtime, which is why it shows up in the unhandled exception log, This is significantly less of a problem compared to what was covered in #2056: the cases where a process terminates for any reason after running for a period of time with valid credentials. Arguably when your Shovels have no chance of starting at all, you do want to see what credentials were used easily in the exception log. If you think about it, logging credentials known to be invalid in a separate log file is not going to present a practical problem. So such specific cases is not a priority for our team. However, RabbitMQ is open source software so if you feel particularly strongly about this specific scenario, you are welcome to contribute a solution similarly to how we did it in #2056. |
@michaelklishin I'm not familiar with your implementation, but I'm expecting RabbitMQ always uses URIs with encrypted passwords. Not "decrypted URIs everywhere, encrypt password only before logging (and sometimes it's not under your control)", |
Another example: [{"value":{"ack-mode":"on-confirm","dest-add-forward-headers":false,"dest-protocol":"amqp091","dest-queue":"x","dest-uri":"amqp://x:x@remotehost:5672","src-delete-after":"never","src-protocol":"amqp091","src-queue":"z","src-uri":"amqp://z:z@localhost:5672"},"vhost":"/","component":"shovel","name":"dummy"}]
2021-01-07 23:32:16 =SUPERVISOR REPORT==== Here the error is not |
And no, I never, never, never want to expose passwords in any logs, even on More than that, I think even http://localhost:15672/api/parameters/shovel must return URIs with encrypted passwords. |
As of #2056, the client used by Shovel and Federation encrypts credentials on init and decrypts them when they have to be used. If for any reason an exception is logged before the process had a chance to encrypt them, there is nothing that can be done to prevent the runtime from logging what's in the process state as part of an exception. When initial connection fails repeatedly, arguably you do want to see the exact process state. I don't have much to add: the automatic state logging is a runtime feature. RabbitMQ itself never logs credentials. #2056 has shipped with RabbitMQ 3.8 and the issue hasn't been brought up more than a couple of times since then (in over a year). To me this means that the vast majority of cases where credentials could be logged were covered. If there are cases that still need process state value encryption, you are welcome to contribute by following the examples in PRs referenced in #2056. RabbitMQ is open source software after all. |
@inikulshin there are no plans to make We appreciate your candid feedback on how you would like things to work but not everyone feels that way. Those who feel very strongly about a certain behavior are welcome to channel that energy into pull requests. |
You are right. But (imho) you can avoid [dumped] process state to contain plain passwords.
It depends on encryption algorithm. And I think, no one should be able to decrypt, except the shovel itself for authentication only. @michaelklishin I often disagree with you, but I really do appreciate the job you do (and your sophisticated sense of humor :) |
Avoiding exceptions is what rabbitmq/rabbitmq-shovel#65 did, at least for the most common cases. We'll try to reproduce what you see. A quick comparison suggests that Federation currently encrypts more of its state than Shovel. Whether other nodes or external tools can decrypt a certain value does not depend on the encryption algorithm. It depends on how the key pair was generated and is (or is not) distributed. I now recall that as of The keys that are used to encrypt process state values are not meant to be shared with external tools, so if we did export any data encrypted by said keys, no other tool would be able to decrypt them. |
Sorry to comment in such an old issue, first of all thanks for the amazing libraries! We are experiencing the issue of a crash leaking #3476 made the credentials obfuscated for We are using statically defined ones, started through
Am I correct on the interpretation? Is this a legit use case? Would a PR be welcome? |
Hi @danmarcab, thank you for using RabbitMQ and taking the time to report that issue. Please feel free to submit a PR to add obfuscation to static shovels. If you could also open a new issue with the details you provided, and link to it in your PR, that would be great. Thanks again. |
RabbitMQ 3.8.9, Erlang 22.1, Windows 10
http://localhost:15672/api/parameters/shovel
[{"value":{"ack-mode":"on-confirm","dest-add-forward-headers":false,"dest-protocol":"amqp091","dest-queue":"y","dest-uri":"amqp://y:y@localhost:5672","src-delete-after":"never","src-protocol":"amqp091","src-queue":"x","src-uri":"amqp://x:x@localhost:5672"},"vhost":"/","component":"shovel","name":"dummy"}]
%RABBITMQ_BASE%\log\log\crash.log
:As you can see, URIs in Offender contain unencrypted passwords despite it should not, by #2056
The text was updated successfully, but these errors were encountered: