
[YSQL] Improve LDAP logging in cases of authentication failure #10943

Closed
tanujnay112 opened this issue Dec 27, 2021 · 1 comment
area/ysql Yugabyte SQL (YSQL)

Comments

tanujnay112 (Contributor)

Description

LDAP logging right now just prints the contents of pg_hba.conf upon authentication failure. This functionality needs to be improved in the case that there is sensitive content in that file.

@tanujnay112 tanujnay112 added the area/ysql Yugabyte SQL (YSQL) label Dec 27, 2021
tanujnay112 added a commit that referenced this issue Dec 27, 2021
Summary:
YSQL outputs the raw contents of ysql_hba.conf when LDAP authentication fails. These contents potentially include the ldapbindpasswd field which presents a security issue. This diff fixes that by masking this field when ysql_hba.conf is logged.

Before, the logs upon LDAP authentication failure could display something like the following:

```
2021-12-22 20:06:24.177 PST [62208] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:06:24.177 PST [62208] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=blahblah123"
```

After these changes, the corresponding logs will have the ldapbindpasswd field masked, as follows:

```
2021-12-22 20:09:27.990 PST [3970] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:09:27.990 PST [3970] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=***"
```

Test Plan: Jenkins

Reviewers: mihnea, smishra

Reviewed By: smishra

Subscribers: smishra, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D14508
tanujnay112 (Contributor, Author)

Closed by 785b8e3

tanujnay112 added a commit that referenced this issue Dec 28, 2021
…uthentication fails

Summary:
YSQL outputs the raw contents of ysql_hba.conf when LDAP authentication fails. These contents potentially include the ldapbindpasswd field which presents a security issue. This diff fixes that by masking this field when ysql_hba.conf is logged.

Before, the logs upon LDAP authentication failure could display something like the following:

```
2021-12-22 20:06:24.177 PST [62208] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:06:24.177 PST [62208] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=blahblah123"
```

After these changes, the corresponding logs will have the ldapbindpasswd field masked, as follows:

```
2021-12-22 20:09:27.990 PST [3970] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:09:27.990 PST [3970] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=***"
```

Original commit: 785b8e3
Original revision: D14508

Test Plan: Jenkins: rebase: 2.6

Reviewers: mihnea, smishra

Reviewed By: smishra

Subscribers: yql, smishra

Differential Revision: https://phabricator.dev.yugabyte.com/D14522
tanujnay112 added a commit that referenced this issue Dec 28, 2021
…thentication fails

Summary:
YSQL outputs the raw contents of ysql_hba.conf when LDAP authentication fails. These contents potentially include the ldapbindpasswd field which presents a security issue. This diff fixes that by masking this field when ysql_hba.conf is logged.

Before, the logs upon LDAP authentication failure could display something like the following:

```
2021-12-22 20:06:24.177 PST [62208] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:06:24.177 PST [62208] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=blahblah123"
```

After these changes, the corresponding logs will have the ldapbindpasswd field masked, as follows:

```
2021-12-22 20:09:27.990 PST [3970] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:09:27.990 PST [3970] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=***"
```

Original commit: 785b8e3
Original revision: D14508

Test Plan: Jenkins

Reviewers: mihnea, smishra

Reviewed By: smishra

Subscribers: yql, smishra

Differential Revision: https://phabricator.dev.yugabyte.com/D14523
tanujnay112 added a commit that referenced this issue Dec 28, 2021
… authentication fails

Summary:
YSQL outputs the raw contents of ysql_hba.conf when LDAP authentication fails. These contents potentially include the ldapbindpasswd field which presents a security issue. This diff fixes that by masking this field when ysql_hba.conf is logged.

Before, the logs upon LDAP authentication failure could display something like the following:

```
2021-12-22 20:06:24.177 PST [62208] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:06:24.177 PST [62208] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=blahblah123"
```

After these changes, the corresponding logs will have the ldapbindpasswd field masked, as follows:

```
2021-12-22 20:09:27.990 PST [3970] FATAL:  LDAP authentication failed for user "riemann"
2021-12-22 20:09:27.990 PST [3970] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com ldapbasedn="dc=yugabyte, dc=com" ldapsearchattribute=uid ldapbindpasswd=***"
```

Original commit: 785b8e3
Original revision: D14508

Test Plan: Jenkins

Reviewers: mihnea, smishra

Reviewed By: smishra

Subscribers: yql, smishra

Differential Revision: https://phabricator.dev.yugabyte.com/D14524
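The commits above describe the fix only at the level of the before/after log lines. The following is an added example, written for this page and not code from YugabyteDB or PostgreSQL, of the masking step they describe: take the matched hba.conf line, replace the value of every `ldapbindpasswd=` option with `***`, and only then build the DETAIL text. The option name and the `***` placeholder come from the commit message; the function names `mask_hba_line` and `format_hba_detail`, the 1024-byte scratch buffer, and the quoting rule (a double-quoted value may contain spaces, as `ldapbasedn="dc=yugabyte, dc=com"` does, so it runs to the closing quote; an unquoted value runs to the next whitespace) are assumptions of this example. The sample line in `main` is constructed from the log excerpt in the commit message.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not YugabyteDB/PostgreSQL code. Option name and placeholder
 * follow the commit message above; everything else is an assumption. */
#define MASK_OPTION "ldapbindpasswd="
#define MASK_VALUE  "***"

/*
 * Copy an hba.conf line into out, replacing the value of every
 * ldapbindpasswd= option with MASK_VALUE. Operates on the configuration
 * line itself, not on an already-formatted log message.
 * Returns the number of values masked, or -1 if out is too small.
 */
int mask_hba_line(const char *line, char *out, size_t outlen)
{
    size_t optlen = strlen(MASK_OPTION);
    size_t masklen = strlen(MASK_VALUE);
    size_t o = 0;
    int masked = 0;
    const char *p = line;

    if (outlen == 0)
        return -1;

    while (*p) {
        /* An option name only counts at the start of a token: at the
         * beginning of the line or right after whitespace. */
        int at_token_start = (p == line) || (p[-1] == ' ' || p[-1] == '\t');

        if (at_token_start && strncmp(p, MASK_OPTION, optlen) == 0) {
            const char *v = p + optlen;

            /* Emit the option name followed by the placeholder. */
            if (o + optlen + masklen >= outlen)
                return -1;
            memcpy(out + o, MASK_OPTION, optlen);
            o += optlen;
            memcpy(out + o, MASK_VALUE, masklen);
            o += masklen;

            /* Skip the secret without copying it: a double-quoted value
             * (assumed quoting rule) runs to the closing quote, an unquoted
             * value to the next whitespace or end of line. */
            if (*v == '"') {
                v++;
                while (*v && *v != '"')
                    v++;
                if (*v == '"')
                    v++;
            } else {
                while (*v && *v != ' ' && *v != '\t')
                    v++;
            }
            p = v;
            masked++;
            continue;
        }

        if (o + 1 >= outlen)
            return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return masked;
}

/*
 * Build the DETAIL text in the shape shown in the logs above, masking the
 * bind password first so the secret never reaches the formatted message.
 * Returns the length written, or -1 on error or truncation.
 */
int format_hba_detail(int lineno, const char *line, char *out, size_t outlen)
{
    char masked[1024]; /* assumed upper bound on an hba.conf line */
    int n;

    if (mask_hba_line(line, masked, sizeof masked) < 0)
        return -1;
    n = snprintf(out, outlen, "Connection matched pg_hba.conf line %d: \"%s\"",
                 lineno, masked);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed from the "before" log excerpt in the commit message. */
    const char *line = "host all all 0.0.0.0/0  ldap ldapserver=ldap.yugabyte.com "
                       "ldapbasedn=\"dc=yugabyte, dc=com\" ldapsearchattribute=uid "
                       "ldapbindpasswd=blahblah123";
    char detail[512];

    if (format_hba_detail(5, line, detail, sizeof detail) < 0)
        return 1;
    puts(detail);
    return 0;
}
```

Masking has to happen on the configuration line before any formatting, as here, because the DETAIL text wraps the line in quotes and a masker that ran on the finished message would have to parse those quotes as well. Log files written before the fix was deployed still contain the bind password; masking does nothing for them, so the only remedy for those is to rotate the LDAP bind credential.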