engine: hide openidc related sensitive keys #240

Merged
merged 1 commit into from
Apr 7, 2022

Contributor

@arso arso commented Apr 7, 2022

Ensure that the following properties are not logged in plain text:

  • KEYCLOAK_DB_PASSWORD
  • EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD
  • EXTERNAL_OIDC_CLIENT_SECRET

Bug-Url: https://bugzilla.redhat.com/2021497

Member

@mwperina mwperina left a comment

+1

@arso arso added this to the ovirt-4.5.0 milestone Apr 7, 2022
@arso arso added the bug label Apr 7, 2022
Contributor Author

arso commented Apr 7, 2022

I did manual verification:

2022-04-07 10:44:17,307+02 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 53) [] Value of property 'KEYCLOAK_DB_PASSWORD' is '***'.
2022-04-07 10:44:17,318+02 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 63) [] Value of property 'EXTERNAL_OIDC_CLIENT_SECRET' is '***'.
2022-04-07 10:44:17,318+02 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 63) [] Value of property 'EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD' is '***.

I don't think this patch deserves the computing power wasted on OST :)

@arso arso force-pushed the oidc-sensitive-keys-logging branch from 69ff372 to 687d96b Compare April 7, 2022 09:02
Ensure that KEYCLOAK_DB_PASSWORD and EXTERNAL_OIDC_CLIENT_SECRET are not
logged in plain text.

Bug-Url: https://bugzilla.redhat.com/2021497
@arso arso force-pushed the oidc-sensitive-keys-logging branch from 687d96b to ec71e43 Compare April 7, 2022 09:10
Contributor Author

arso commented Apr 7, 2022

Verified:

2022-04-07 11:29:43,470+02 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 62) [] Value of property 'EXTERNAL_OIDC_CLIENT_SECRET' is '***'.
2022-04-07 11:29:43,470+02 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 62) [] Value of property 'EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD' is '***'.
2022-04-07 11:29:43,450+02 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 62) [] Value of property 'KEYCLOAK_DB_PASSWORD' is '***'.

@arso arso requested a review from didib April 7, 2022 09:32
@didib didib merged commit 2029795 into oVirt:master Apr 7, 2022
Member

didib commented Apr 7, 2022

Thanks!

@arso arso deleted the oidc-sensitive-keys-logging branch April 7, 2022 11:34
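
A regression check for the masking verified in the comments above, as an added example (not part of the pull request or the oVirt code base): it scans log lines in the ShellLikeConfd message format and reports any of the three listed keys logged with a value other than '***', plus any listed key that never appears, so a clean result is not vacuous. The sample log lines, the unmasked value and EXAMPLE_NON_SENSITIVE_KEY are constructed.

```python
import re

# Keys the pull request description lists as sensitive.
SENSITIVE_KEYS = frozenset({
    "KEYCLOAK_DB_PASSWORD",
    "EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD",
    "EXTERNAL_OIDC_CLIENT_SECRET",
})
MASK = "***"

# Message format taken from the log lines quoted in the verification comments.
PROPERTY_LINE = re.compile(
    r"Value of property '(?P<key>[^']+)' is '(?P<value>.*)'\.\s*$"
)

# Constructed sample: timestamps, thread names, the unmasked value and
# EXAMPLE_NON_SENSITIVE_KEY are made up to exercise the check.
_PREFIX = ("2022-01-01 00:00:00,000+00 INFO  "
           "[org.ovirt.engine.core.uutils.config.ShellLikeConfd] "
           "(ServerService Thread Pool -- 1) [] ")
SAMPLE_LOG = [
    _PREFIX + "Value of property 'KEYCLOAK_DB_PASSWORD' is '***'.",
    _PREFIX + "Value of property 'EXTERNAL_OIDC_CLIENT_SECRET' is 'constructed-secret'.",
    _PREFIX + "Value of property 'EXAMPLE_NON_SENSITIVE_KEY' is 'visible-value'.",
]


def find_leaks(lines, sensitive_keys=SENSITIVE_KEYS):
    """Return (line_number, key) for each sensitive key logged unmasked."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        match = PROPERTY_LINE.search(line)
        if match and match["key"] in sensitive_keys and match["value"] != MASK:
            leaks.append((number, match["key"]))  # never echo the value itself
    return leaks


def unseen_keys(lines, sensitive_keys=SENSITIVE_KEYS):
    """Return sensitive keys that were never logged at all, sorted by name."""
    seen = {m["key"] for m in map(PROPERTY_LINE.search, lines) if m}
    return sorted(set(sensitive_keys) - seen)


if __name__ == "__main__":
    for number, key in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {key} is logged unmasked")
    for key in unseen_keys(SAMPLE_LOG):
        print(f"{key} was not found in the log")
```
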
3 participants