This is an automated email from the ASF dual-hosted git repository.

heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-docs.git


The following commit(s) were added to refs/heads/master by this push:
     new 6beccad  more notes on configuring logging to filter sensitive information
6beccad is described below

commit 6beccada7f865b60fde98111da641e4f8febebdc
Author: Alex Heneveld <[email protected]>
AuthorDate: Tue Aug 3 10:59:36 2021 +0100

    more notes on configuring logging to filter sensitive information
---
 guide/ops/security-guidelines.md | 61 ++++++++++++++++++++++++++--------------
 1 file changed, 40 insertions(+), 21 deletions(-)

diff --git a/guide/ops/security-guidelines.md b/guide/ops/security-guidelines.md
index ef6b1bd..6940c7c 100644
--- a/guide/ops/security-guidelines.md
+++ b/guide/ops/security-guidelines.md
@@ -103,24 +103,43 @@ configuring Brooklyn to use this. See the documentation 
for
 
 ## Controlling Sensitive Information in the Logs
 
-By default, Brooklyn does not log any data considered sensitive. Blueprints 
added to the catalog or deployed are scanned 
-for information that could be considered sensitive. Any blueprint containing 
any of the following is considered to 
-possibly be containing sensitive data:
-
-- "password"
-- "passwd" 
-- "credential"
-- "secret"
-- "private"
-- "access.cert"
-- "access.key
-
-If sensitive information is found, all log entries related to the blueprint 
are written with the TRACE log level. 
-Since there is no configuration for this level, data is not saved in the 
Brooklyn standard log files. 
-
-For in-depth advanced investigations purposes, a commented sample 
configuration for enabling TRACE logging is available in 
-the `org.ops4j.pax.logging.cfg` logging configuration file. With the trace 
configuration enabled, all TRACE log entries 
-are written to the `brooklyn.trace.log` file.
-
-As a general rule, avoid or minimize writing sensitive data in clear text in 
blueprints. For bundles that contain Java 
-types, use TRACE logging for sensitive information. 
\ No newline at end of file
+Log messages which may contain sensitive information are normally logged at 
TRACE level.
+Sensitive information is identified heuristically, including config keys and 
environment variables
+which contain any of the words below (case insensitive):
+
+- `password`
+- `passwd` 
+- `credential`
+- `secret`
+- `private`
+- `access.cert`
+- `access.key`
+
+Logging should configured such that TRACE is excluded or appropriately secured
+to prevent the values of these keys and variables from being logged at too 
high a level.
+A commented sample configuration for enabling TRACE logging is available in 
+the `org.ops4j.pax.logging.cfg` logging configuration file. 
+With this configuration enabled, all TRACE log entries are written to the 
`brooklyn.trace.log` file.
+
+Blueprint source code and some activity may be logged at DEBUG level or 
higher, 
+so secrets should not be included in plain text in blueprints 
+unless the Apache Brooklyn environment and its logs are appropriately secured.
+It is recommend to use [Externalized 
Configuration](externalized-configuration.md) 
+to store credentials securely externally and read them as needed
+for blueprints and to prevent their inclusion in logs (and also in the UI). 
+
+If it is desired to suppress information that is logged at DEBUG or higher 
level,
+which should not ordinarily be needed but may be desired on occasion,
+this can be done by setting filter(s) and/or appender(s) on the appropriate 
logging category in
+`org.ops4j.pax.logging.cfg`. Some of the categories (or individual 
sub-categories of these) 
+which may be relevant for exclusion or higher security are:
+
+* `org.apache.brooklyn.core.typereg`:
+  resolution of bundles and registration of types
+* `org.apache.brooklyn.rest.resources`:
+  log REST activity, including blueprints deployed
+* `org.apache.brooklyn.camp.brooklyn.spi.creation`:
+  creation of entities from CAMP
+* `org.apache.brooklyn.camp.brooklyn.spi.dsl`:
+  resolution of DSL expressions
+
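Review bot: The paragraph beginning "Sensitive information is identified heuristically" and the seven-word list below it say what is matched but not what happens to keys that match none of the words, nor whether the list can be extended; since the hunk goes on to say blueprint source and activity are logged at DEBUG or higher, state explicitly that a config key or environment variable whose name contains none of these words (for example `token` or `apikey`) is not treated as sensitive by this heuristic, and either document how the list can be extended or point to Externalized Configuration as the only option for such keys. Two typos in the same hunk: "Logging should configured such that TRACE is excluded" is missing "be", and "It is recommend to use" should read "recommended". For the closing paragraph on filters and appenders, a one-line example in the file's own format would make "setting filter(s) and/or appender(s) on the appropriate logging category" actionable; assuming Brooklyn uses the stock Karaf pax-logging setup, that is a `log4j2.logger.<id>.name` / `log4j2.logger.<id>.level` pair naming one of the four categories listed.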
