Commit
[BACKPORT 2.6] [#10943] YSQL: Masking ldapbindpasswd in logs after authentication fails

Summary:
YSQL outputs the raw contents of ysql_hba.conf when LDAP authentication fails. These contents potentially include the ldapbindpasswd field which presents a security issue. This diff fixes that by masking this field when ysql_hba.conf is logged.

Before the logs upon LDAP authentication failure could display something like the following:
```
2021-12-22 20:06:24.177 PST [62208] FATAL: LDAP authentication failed for user "riemann"
2021-12-22 20:06:24.177 PST [62208] DETAIL: Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0 ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=blahblah123"
```
After these changes the corresponding logs will have the ldapbindpasswd field masked as such:
```
2021-12-22 20:09:27.990 PST [3970] FATAL: LDAP authentication failed for user "riemann"
2021-12-22 20:09:27.990 PST [3970] DETAIL: Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0 ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=***"
```

Original commit: 785b8e3
Original revision: D14508

Test Plan: Jenkins: rebase: 2.6

Reviewers: mihnea, smishra

Reviewed By: smishra

Subscribers: yql, smishra

Differential Revision: https://phabricator.dev.yugabyte.com/D14522
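
An added example, not the code from this commit or from YugabyteDB: one way to mask the `ldapbindpasswd` value in a matched hba line before it reaches the log, written in C. The function names, the 1024-byte buffer and the `<hba line withheld>` fallback are assumptions; it handles a bare value, a quoted value and a fully quoted option token, and fails closed when the output buffer is too small.

```c
#include <stdio.h>
#include <string.h>

#define HBA_KEY "ldapbindpasswd="

/* Copy one raw hba line into out with every ldapbindpasswd value replaced
 * by "***". Returns the number of values masked, or -1 if out is too small
 * (out is then emptied so a partially masked line is never logged). */
int mask_ldapbindpasswd(const char *line, char *out, size_t outsz)
{
    const size_t klen = strlen(HBA_KEY);
    size_t o = 0;
    int masked = 0;
    if (outsz == 0) return -1;
    for (const char *p = line; *p != '\0';) {
        int tokq = (p != line && p[-1] == '"');   /* whole token is quoted */
        int start = (p == line || tokq || p[-1] == ' ' || p[-1] == '\t');
        if (start && strncmp(p, HBA_KEY, klen) == 0) {
            if (o + klen + 3 >= outsz) { out[0] = '\0'; return -1; }
            memcpy(out + o, HBA_KEY "***", klen + 3);
            o += klen + 3;
            p += klen;
            int valq = (*p == '"');               /* only the value is quoted */
            if (valq) p++;
            while (*p != '\0' && ((valq || tokq) ? *p != '"'
                                                 : (*p != ' ' && *p != '\t'))) p++;
            if (valq && *p == '"') p++;           /* drop value's closing quote */
            masked++;
            continue;
        }
        if (o + 1 >= outsz) { out[0] = '\0'; return -1; }
        out[o++] = *p++;
    }
    out[o] = '\0';
    return masked;
}

/* Fail-closed wrapper for log call sites: never returns the raw line. */
const char *hba_line_for_log(const char *line)
{
    static char buf[1024];
    return mask_ldapbindpasswd(line, buf, sizeof buf) < 0 ? "<hba line withheld>" : buf;
}

int main(void)
{
    /* Constructed sample, modelled on the log excerpt in the commit message. */
    puts(hba_line_for_log("host all all 0.0.0.0/0 ldap ldapbindpasswd=blahblah123"));
    return 0;
}
```

Over-masking (for example when the key text appears inside another option's quoted value) is accepted here because the output is only used for logging.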