zentol commented on a change in pull request #11195: [FLINK-16222][runtime] Use 
plugins mechanism for initializing MetricReporters
URL: https://github.com/apache/flink/pull/11195#discussion_r393903505
 
 

 ##########
 File path: 
flink-runtime/src/main/java/org/apache/flink/runtime/metrics/ReporterSetup.java
 ##########
 @@ -120,55 +124,37 @@ public static ReporterSetup forReporter(String 
reporterName, MetricConfig metric
        }
 
        private static ReporterSetup createReporterSetup(String reporterName, 
MetricConfig metricConfig, MetricReporter reporter) {
-               LOG.info("Configuring {} with {}.", reporterName, metricConfig);
+               LOG.debug("Configuring {} with {}.", reporterName, 
metricConfig);
 
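Review bot: The `LOG.debug` call in `createReporterSetup` still passes the whole `metricConfig` object to the logger, so if a reporter's configuration holds credentials they are written out whenever debug logging is enabled; changing the level from info to debug only narrows when that happens. Consider logging just `reporterName` here, or a copy of the configuration in which the values of sensitive keys are masked.
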
 Review comment:
   > do we have a Flink-wide way to handle such cases
   
   The `GlobalConfiguration` contains a set of keys that are considered 
sensitive, which we use for the WebUI and various INFO logging.
   
   > We have been "leaking" this data in the current versions with info (!) 
level without much concern
   
   Few reporters actually use credentials (afaik only datadog does), so the 
sample size is fairly low.
   
   > If someone has uncontrolled access to the log files on your machine in 
production, content of this file is probably not the biggest of your problems.
   
   Doesn't need access to the machine; access to the UI is sufficient, which 
was grave enough that we introduced the whole secret-key concept in the first 
place.
   
   > Running with debug level is not a "normal" scenario - this is intended for 
hands-on investigation of issues. Log level for potentially compromisable 
external systems could be explicitly set to trace in such cases.
   
   There's precedent with FLINK-10363 that credentials should not be logged 
even on debug.
   FLINK-16478 also proposes a REST API for modifying the log level, 
potentially voiding any argument for it being opt-in insecurity.
   
   I would approach this cautiously and never log anything sensitive.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
