[
https://issues.apache.org/jira/browse/FLINK-38815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18063914#comment-18063914
]
VISHAL B commented on FLINK-38815:
----------------------------------
Hi [~mapohl] /[~dengxiang] ,
I would like to work on this issue if it is still open.
From the discussion, it seems the problem is related to debug logging of the
Pekko/Akka configuration exposing sensitive SSL fields (e.g., keystore or
truststore passwords).
My plan is to identify where the RPC actor system configuration is logged
(likely in the runtime RPC Pekko utilities) and ensure that sensitive values
are either masked or excluded from debug logs.
Please let me know if the issue is still available to take.
Thanks.
> The debug log will print the sensitive information of data security cookie
> certification in task manager and jobmanager
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: FLINK-38815
> URL: https://issues.apache.org/jira/browse/FLINK-38815
> Project: Flink
> Issue Type: Bug
> Components: Runtime / RPC
> Affects Versions: 2.0.0, 1.20.0, 2.1.0, 2.2.0, 2.3.0
> Reporter: dengxiang
> Priority: Critical
>
> The debug log contains sensitive information about the data security cookie
> certification in the task manager and jobmanager. It prints the password,
> algorithms, and so on.
>
> {code:java}
> private static ActorSystem startActorSystem(
>         Config config, String actorSystemName, Logger logger) {
>     // Logs the whole Config object via its toString(), including SSL secrets
>     logger.debug("Using pekko configuration\n {}", config);
>     ActorSystem actorSystem = PekkoUtils.createActorSystem(actorSystemName, config);
>     logger.info("Actor system started at {}", PekkoUtils.getAddress(actorSystem));
>     return actorSystem;
> }
> {code}
>
> This section prints all the information in the config because the code that
> constructs the config uses the toString method:
>
> {code:java}
> private static class ConfigBuilder {
>     private final StringWriter stringWriter = new StringWriter();
>     private final PrintWriter printWriter = new PrintWriter(stringWriter);
>
>     public ConfigBuilder add(String configLine) {
>         printWriter.println(configLine);
>         return this;
>     }
>
>     public Config build() {
>         return ConfigFactory.parseString(stringWriter.toString()).resolve();
>     }
> }
> {code}
> The build code for the config is as follows:
> {code:java}
> configBuilder
>         .add("pekko {")
>         .add("  remote.classic {")
>         .add("    enabled-transports = [\"pekko.remote.classic.netty.ssl\"]")
>         .add("    netty {")
>         .add("      ssl = ${pekko.remote.classic.netty.tcp}")
>         .add("      ssl {")
>         .add("        enable-ssl = " + enableSSL)
>         .add("        ssl-engine-provider = " + sslEngineProviderName)
>         .add("        security {")
>         .add("          key-store = \"" + sslKeyStore + "\"")
>         .add("          key-store-password = \"" + sslKeyStorePassword + "\"")
>         .add("          key-store-type = \"" + sslKeyStoreType + "\"")
>         .add("          key-password = \"" + sslKeyPassword + "\"")
>         .add("          trust-store = \"" + sslTrustStore + "\"")
>         .add("          trust-store-password = \"" + sslTrustStorePassword + "\"")
>         .add("          trust-store-type = \"" + sslTrustStoreType + "\"")
>         .add("          protocol = " + sslProtocol + "")
>         .add("          enabled-algorithms = " + sslAlgorithms + "")
>         .add("          random-number-generator = \"\"")
>         .add("          require-mutual-authentication = on")
>         .add("          cert-fingerprints = " + sslCertFingerprints + "")
>         .add("        }")
>         .add("      }")
>         .add("    }")
>         .add("  }")
>         .add("}");
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
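An added example (not Flink's or Pekko's own code) of the masking approach the comment proposes: before logging, rewrite the values whose key names look secret in the Typesafe Config object and render that copy, instead of passing the original Config to the logger and relying on its toString. The key-name pattern, the mask string and the sample HOCON below are constructed for illustration.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import com.typesafe.config.ConfigRenderOptions;
import com.typesafe.config.ConfigValue;
import com.typesafe.config.ConfigValueFactory;
import java.util.Map;
import java.util.regex.Pattern;

public final class RedactedConfigLogging {
    // Constructed pattern: matches on the leaf key name only, so a boolean such as
    // "require-cookie" would also be masked; over-redaction is the safe failure mode.
    private static final Pattern SENSITIVE_KEY =
            Pattern.compile("(?i)(password|passwd|secret|cookie)");
    private static final String MASK = "******";

    /** Returns a copy of the config with every sensitive leaf value replaced by MASK. */
    static Config redact(Config config) {
        Config redacted = config;
        // entrySet() yields flattened leaf paths such as "pekko.remote...key-store-password"
        for (Map.Entry<String, ConfigValue> e : config.entrySet()) {
            String path = e.getKey();
            String leaf = path.substring(path.lastIndexOf('.') + 1);
            if (SENSITIVE_KEY.matcher(leaf).find()) {
                redacted = redacted.withValue(path, ConfigValueFactory.fromAnyRef(MASK));
            }
        }
        return redacted;
    }

    /** Renders the redacted config as HOCON; this string, not the Config, goes to the log. */
    static String renderForLog(Config config) {
        ConfigRenderOptions opts = ConfigRenderOptions.defaults()
                .setOriginComments(false).setComments(false).setJson(false);
        return redact(config).root().render(opts);
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the SSL security block from the issue.
        String hocon = String.join("\n",
                "pekko.remote.classic.netty.ssl {",
                "  enable-ssl = true",
                "  security {",
                "    key-store = \"/path/to/keystore.jks\"",
                "    key-store-password = \"changeit\"",
                "    key-password = \"changeit\"",
                "    trust-store-password = \"changeit\"",
                "    protocol = TLSv1.2",
                "  }",
                "}");
        String safe = renderForLog(ConfigFactory.parseString(hocon).resolve());
        if (safe.contains("changeit")) throw new IllegalStateException("secret leaked");
        System.out.println(safe); // key-store, protocol and enable-ssl stay readable
    }
}
```

The same check that `renderForLog` output contains none of the configured passwords is a natural unit test to guard against the regression described in the issue.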