[https://issues.apache.org/jira/browse/FLINK-38815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048724#comment-18048724]
Matthias Pohl commented on FLINK-38815:
---------------------------------------
Good finding. But the issue was not introduced with FLINK-23061 but was present
even earlier. FLINK-23061 only refactored existing code.
The SSL support in the Akka configuration was introduced with FLINK-3931. The
debug log message was
[introduced|https://github.com/apache/flink/commit/92ff2b152cac3ad6a53373c0c022579306051133#diff-5348de5067b2c84eb9f3e8dac10146bdb9ea119caa6e6e3e8ce9b8c2548bdb0cR140]
with the FLINK-3544. So, quite old code.
Anyway, that should be addressed.
> The debug log will print the sensitive information of data security cookie
> certification in task manager and jobmanager
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: FLINK-38815
> URL: https://issues.apache.org/jira/browse/FLINK-38815
> Project: Flink
> Issue Type: Bug
> Components: Runtime / RPC
> Affects Versions: 2.0.0, 1.20.0, 2.1.0, 2.2.0, 2.3.0
> Reporter: dengxiang
> Priority: Critical
>
> The debug log contains sensitive information of data security cookie
> certification in task manager and jobmanager. It will print the password,
> algorithms, and so on.
> The debug log contains sensitive information about data security cookie authentication in the task manager and job manager; it prints the password, algorithms, and so on.
>
> {code:java}
> private static ActorSystem startActorSystem(
>         Config config, String actorSystemName, Logger logger) {
>     // The {} placeholder renders the full Config via toString(), including
>     // the SSL key-store and trust-store passwords set in the builder below.
>     logger.debug("Using pekko configuration\n {}", config);
>     ActorSystem actorSystem =
>             PekkoUtils.createActorSystem(actorSystemName, config);
>     logger.info("Actor system started at {}", PekkoUtils.getAddress(actorSystem));
>     return actorSystem;
> }
> {code}
>
> This section will print all the information in the config because the code
> constructed by config uses the toString method:
> This section prints all the information in the config because the code that constructs the config uses the toString method:
>
> {code:java}
> private static class ConfigBuilder {
>     private final StringWriter stringWriter = new StringWriter();
>     private final PrintWriter printWriter = new PrintWriter(stringWriter);
>
>     public ConfigBuilder add(String configLine) {
>         printWriter.println(configLine);
>         return this;
>     }
>
>     public Config build() {
>         return ConfigFactory.parseString(stringWriter.toString()).resolve();
>     }
> }
> {code}
> The build code for config is as follows:
> The build code for the config is as follows:
> {code:java}
> configBuilder
>         .add("pekko {")
>         .add("  remote.classic {")
>         .add("    enabled-transports = [\"pekko.remote.classic.netty.ssl\"]")
>         .add("    netty {")
>         .add("      ssl = ${pekko.remote.classic.netty.tcp}")
>         .add("      ssl {")
>         .add("        enable-ssl = " + enableSSL)
>         .add("        ssl-engine-provider = " + sslEngineProviderName)
>         .add("        security {")
>         .add("          key-store = \"" + sslKeyStore + "\"")
>         .add("          key-store-password = \"" + sslKeyStorePassword + "\"")
>         .add("          key-store-type = \"" + sslKeyStoreType + "\"")
>         .add("          key-password = \"" + sslKeyPassword + "\"")
>         .add("          trust-store = \"" + sslTrustStore + "\"")
>         .add("          trust-store-password = \"" + sslTrustStorePassword + "\"")
>         .add("          trust-store-type = \"" + sslTrustStoreType + "\"")
>         .add("          protocol = " + sslProtocol + "")
>         .add("          enabled-algorithms = " + sslAlgorithms + "")
>         .add("          random-number-generator = \"\"")
>         .add("          require-mutual-authentication = on")
>         .add("          cert-fingerprints = " + sslCertFingerprints + "")
>         .add("        }")
>         .add("      }")
>         .add("    }")
>         .add("  }")
>         .add("}");
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
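Added example, not Flink's or the ticket's own code: one way to keep a debug dump of the Pekko configuration useful while masking the key-store and trust-store passwords, using the com.typesafe.config API that the Config object above is built on. The secret path list, the sample HOCON and its placeholder password are assumptions constructed for this example.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import com.typesafe.config.ConfigRenderOptions;
import com.typesafe.config.ConfigValueFactory;
import java.util.Set;

public final class RedactedConfigLogging {

    // Paths under the Pekko SSL security block that must never reach a log.
    // Assumption for this example: derived from the keys the ticket's
    // ConfigBuilder writes; extend it for any other secret-bearing path.
    private static final Set<String> SECRET_PATHS = Set.of(
            "pekko.remote.classic.netty.ssl.security.key-store-password",
            "pekko.remote.classic.netty.ssl.security.key-password",
            "pekko.remote.classic.netty.ssl.security.trust-store-password");

    private static final String MASK = "***REDACTED***";

    /** Returns a copy of {@code config} with every known secret path overwritten. */
    static Config redact(Config config) {
        Config redacted = config;
        for (String path : SECRET_PATHS) {
            if (redacted.hasPath(path)) {
                redacted = redacted.withValue(path, ConfigValueFactory.fromAnyRef(MASK));
            }
        }
        return redacted;
    }

    /** Renders the redacted config as HOCON, without the origin comments toString() adds. */
    static String renderForLog(Config config) {
        return redact(config).root().render(ConfigRenderOptions.concise().setFormatted(true));
    }

    public static void main(String[] args) {
        // Constructed sample: the same HOCON shape the ticket's builder emits,
        // with a placeholder standing in for a real keystore password.
        String hocon = "pekko.remote.classic.netty.ssl.security {\n"
                + "  key-store = \"/path/to/keystore\"\n"
                + "  key-store-password = \"placeholder-password\"\n"
                + "  key-password = \"placeholder-password\"\n"
                + "  enabled-algorithms = [\"TLS_AES_128_GCM_SHA256\"]\n"
                + "}\n";
        Config config = ConfigFactory.parseString(hocon).resolve();

        // What the original debug statement emits: the password appears verbatim.
        System.out.println("toString leaks secret: " + config.toString().contains("placeholder-password"));
        // What a redacted debug statement would emit instead.
        String safe = renderForLog(config);
        System.out.println("redacted render leaks secret: " + safe.contains("placeholder-password"));
        System.out.println(safe);
    }
}
```

Because the leak is only gated by the DEBUG level, the masking belongs in the log statement itself rather than in operator discipline about log levels.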