[
https://issues.apache.org/jira/browse/MESOS-7392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969258#comment-15969258
]
Gilbert Song commented on MESOS-7392:
-------------------------------------
Could we paste an example stderr log here? sensitive URI can be replaced with
xxx.
/cc [~vmohan]
> Obfuscate authentication information logged by the fetcher
> -----------------------------------------------------------
>
> Key: MESOS-7392
> URL: https://issues.apache.org/jira/browse/MESOS-7392
> Project: Mesos
> Issue Type: Improvement
> Components: fetcher
> Affects Versions: 1.0.3, 1.1.1, 1.2.0
> Reporter: Vishnu Mohan
>
> As reported by Joseph Stevens on DC/OS Community Slack:
> https://dcos-community.slack.com/archives/C10DCMHK4/p1492126723695465
> {code}
> So I've noticed that the Mesos Fetcher prints the URI it's using in plain
> text to the stderr logs. This is a serious problem since if you're using
> something like the mesos spark framework, it uses mesos fetcher under the
> hood, and the only way to fetch authenticated resources is to pass the auth
> as part of the URI. This means every time we start a job we're printing a
> username and password into the task sandbox and consequently into anything
> that picks up those logs from the agents. Could you guys change that so the
> password is obfuscated on print when a URI has credentials inside it?
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
