Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Obfuscate credentials in shovel worker states to avoid plaintext pass… #2

Closed
wants to merge 2 commits into from
Closed

Obfuscate credentials in shovel worker states to avoid plaintext pass… #2

wants to merge 2 commits into from

Conversation

thuandb
Copy link
Owner

@thuandb thuandb commented Sep 19, 2021

…words being logged on crashes

When a shovel is configured incorrectly (either with incorrect username/password, or the targeted broker is down or unreachable), rabbit_shovel_worker crashes with its full state including URIs with plain text passwords being logged in the crash log, and sometimes also in the default log.

  • This is an example of a crash log having password logged in plaintext:
2021-08-04 02:22:23 =SUPERVISOR REPORT====
     Supervisor: {<0.740.0>,rabbit_shovel_dyn_worker_sup}
     Context:    child_terminated
     Reason:     shutdown
     Offender:   [{pid,<0.860.0>},{id,{<<"/">>,<<"notWorkingShovel">>}},{mfargs,{rabbit_shovel_worker,start_link,[dynamic,{<<"/">>,<<"notWorkingShovel">>},[{<<"ack-mode">>,<<"on-confirm">>},{<<"dest-add-forward-headers">>,false},{<<"dest-protocol">>,<<"amqp091">>},{<<"dest-uri">>,<<"amqp://">>},{<<"src-delete-after">>,<<"never">>},{<<"src-protocol">>,<<"amqp091">>},{<<"src-queue">>,<<"test-shovel-queue">>},{<<"src-uri">>,<<"amqp://user:pass@wronghost.com:5671">>}]]}},{restart_type,{permanent,5}},{shutdown,4294967295},{child_type,worker}]
  • When node is restarted, plain text password get logged in default log too:
2021-08-04 02:22:07.857 [info] <0.740.0> supervisor: {<0.740.0>,rabbit_shovel_dyn_worker_sup}, errorContext: child_terminated, reason: shutdown, offender: [{pid,<0.741.0>},{id,{<<"/">>,<<"notWorkingShovel">>}},{mfargs,{rabbit_shovel_worker,start_link,[dynamic,{<<"/">>,<<"notWorkingShovel">>},[{<<"ack-mode">>,<<"on-confirm">>},{<<"dest-add-forward-headers">>,false},{<<"dest-protocol">>,<<"amqp091">>},{<<"dest-uri">>,<<"amqp://">>},{<<"src-delete-after">>,<<"never">>},{<<"src-protocol">>,<<"amqp091">>},{<<"src-queue">>,<<"test-shovel-queue">>},{<<"src-uri">>,<<"amqp://user:pass@wronghost.com:5671">>}]]}},{restart_type,{permanent,5}},{shutdown,4294967295},{child_type,worker}]

The issue was reported in the past: rabbitmq#2709

Proposed Changes

The following change is an implementation to avoid plain text passwords being logged with the shovel workers' states upon crashing. Specifically, the change is to only store obfuscated URIs in the shovel workers' states and deobfuscate them when accessed. As a result, when shovel workers crash, the passwords will not be logged in plain text. The error logs from the shovel plugin will tell users what went wrong.

For example, when the targeted broker's DNS is not correct, the error message in default log indicates what the problem is:

2021-07-31 17:25:29.294574+00:00 [erro] <0.22741.5> Shovel 'notWorkingShovel' failed to connect (URI: amqp://wronghost.com:5671): unknown host (failed to resolve hostname)
2021-07-31 17:25:29.294677+00:00 [erro] <0.22741.5> Shovel 'notWorkingShovel' has no more URIs to try for connection
2021-07-31 17:25:29.294727+00:00 [erro] <0.22741.5> Shovel 'notWorkingShovel' could not connect to source

The crash log will not show the password in plain text:

2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>     supervisor: {<0.22740.5>,rabbit_shovel_dyn_worker_sup}
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>     errorContext: child_terminated
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>     reason: shutdown
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>     offender: [{pid,<0.22741.5>},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                {id,{<<"/">>,<<"notWorkingShovel">>}},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                {mfargs,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                    {rabbit_shovel_worker,start_link,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                        [dynamic,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                         {<<"/">>,<<"notWorkingShovel">>},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                         [{<<"dest-uri">>,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                           [{encrypted,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                                <<"HtDNAVY31TtCO2I1UByk1OWwXn5AfSl/zouMBki3NG1nnAWxF3WpfEu7lmz//btl">>}]},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"src-uri">>,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                           [{encrypted,
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                                <<"m1B4OoxBTldD2Xo5VuDepCsfcmALH/mM61IuATxMBvS+MPJqxfUVfCtLh+ZCikouPmdGX1CkoOgVh+UIlmFN05ByuYsM3GmvcxjMjAvIvRo=">>}]},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"ack-mode">>,<<"on-confirm">>},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"dest-add-forward-headers">>,false},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"dest-protocol">>,<<"amqp091">>},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"src-delete-after">>,<<"never">>},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"src-protocol">>,<<"amqp091">>},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                          {<<"src-queue">>,<<"test-shovel-queue">>}]]}},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                {restart_type,{permanent,5}},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                {shutdown,4294967295},
2021-07-31 17:25:29.294843+00:00 [erro] <0.22740.5>                {child_type,worker}]

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI

Checklist

Put an x in the boxes that apply.
You can also fill these out after creating the PR.
If you're unsure about any of them, don't hesitate to ask on the mailing list.
We're here to help!
This is simply a reminder of what we are going to look for before merging your code.

  • I have read the CONTRIBUTING.md document
  • I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
  • I have added tests that prove my fix is effective or that my feature works
  • All tests pass locally with my changes
  • If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
  • If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc.

@thuandb thuandb closed this Sep 21, 2021
@thuandb thuandb deleted the shovel-obfuscatepassword branch September 21, 2021 18:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@thuandb