lkwg82 opened a new issue, #15130:
URL: https://github.com/apache/druid/issues/15130

   We run Druid as a container on Kubernetes. The logs are collected and pushed somewhere. We noticed that during startup, in the very first lines of log output, settings are shown with the **credentials**:
   
   ```
   2023-10-11T11:57:55+00:00 startup service router
   Setting druid.host=100.64.160.144 in /tmp/conf/druid/cluster/query/router/runtime.properties
   Setting druid.auth.authenticator.ldap.credentialsValidator.bindPassword=efgh
   ...
   Setting druid.escalator.internalClientUsername=druid_system in /tmp/conf/druid/cluster/query/router/runtime.properties
   Setting druid.server.https.keyStorePassword=abcde
   Setting druid.auth.authenticator.db.initialInternalClientPassword=ijkl
   Setting druid.metadata.storage.connector.user=druidmetastore in /tmp/conf/druid/cluster/query/router/runtime.properties
   Setting druid.escalator.internalClientPassword=ykdhfhsdf
   Setting druid.auth.authenticator.ldap.credentialsValidator.bindUser=asdasd in /tmp/conf/druid/cluster/query/router/runtime.properties
   Setting druid.metadata.storage.connector.password=asdasd
   2023-10-11 11:57:57,160 main DEBUG Apache Log4j Core 2.18.0 initializing configuration
   ...
   ```
   
   The Druid version where the problem was encountered: 27.0.0,
   based on [apache/druid:27.0.0](https://hub.docker.com/layers/apache/druid/27.0.0/images/sha256-ca3df175bc944033c7c56ccf9499c05e2090ae6cefbdcd90095cfce2b7931ead?context=explore)
   
   ### Description
   
   Credentials visible in logs
   
   origin:
   
   https://github.com/apache/druid/blob/master/distribution/docker/druid.sh#L108C5-L108C48 (setKey function in /druid.sh)
   
   Our solution is to derive the base image with a custom one and replace the line in the file (fragile solution)
   
   ```Docker
   FROM apache/druid:27.0.0@sha256:ca3df175bc944033c7c56ccf9499c05e2090ae6cefbdcd90095cfce2b7931ead

   USER root
   # avoid printing passwords: log only the key, not the value
   RUN sed -e 's#echo "Setting $key=$value in $service_conf"#echo "Setting $key in $service_conf"#' -i /druid.sh
   USER druid
   ```


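The `Setting $key=$value` log line reported in the issue above can keep non-secret values visible while masking secret ones. The following is an added example, not code from the issue or from druid.sh: the function names and the `SENSITIVE_RE` list are assumptions, and the sample lines are constructed from the excerpt in the report.

```shell
#!/bin/sh
# Added example (not from druid.sh). Function names and SENSITIVE_RE are hypothetical.
SENSITIVE_RE='password|secret|token'   # assumption: extend to match your own keys

# True when the last dot-separated segment of a property key looks secret.
# Matching only the last segment keeps credentialsValidator.bindUser readable.
is_sensitive_key() {
    printf '%s\n' "${1##*.}" | grep -Eiq "$SENSITIVE_RE"
}

# Stand-in for an echo "Setting $key=$value in $service_conf" style log line.
log_setting() {
    key=$1 value=$2 conf=$3
    if is_sensitive_key "$key"; then value='<redacted>'; fi
    echo "Setting $key=$value in $conf"
}

# Filter for logs already produced: masks the value on "Setting k=v" lines and
# passes every other line through unchanged. Everything after "=" is dropped on
# a masked line, because a secret may itself contain " in ".
redact_stream() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"Setting "*=*)
                kv=${line#*Setting }      # "key=value[ in path]"
                key=${kv%%=*}
                if is_sensitive_key "$key"; then
                    line="${line%%Setting *}Setting $key=<redacted>"
                fi ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed sample lines modelled on the log excerpt in the issue.
sample_log() {
    cat <<'EOF'
Setting druid.host=100.64.160.144 in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.server.https.keyStorePassword=abcde
Setting druid.auth.authenticator.ldap.credentialsValidator.bindUser=asdasd in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.password=asdasd
EOF
}

sample_log | redact_stream
```

`redact_stream` can also sit between the container's stdout and the log shipper as a second layer, so a secret is masked even if the startup script is later changed back.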