Not logging jenv data
John Meinel
john at arbash-meinel.com
Thu May 29 09:36:57 UTC 2014
We also need to sanitize the actual debug log messages (not just the first
one during bootstrap), because all agents end up reporting their passwords
via the API, as well as users, etc.
So it isn't *just* sanitizing this one message. Though I also agree that
I've definitely been aided by looking at the jenv contents in pastes, so
I'd like to keep the sanitized form available.
John
=:->
On Thu, May 29, 2014 at 5:23 AM, Ian Booth <ian.booth at canonical.com> wrote:
> +1 on not killing the jenv logging - we just need to sanitise out the
> secrets.
>
> On 29/05/14 11:18, Andrew Wilkins wrote:
> > On Thu, May 29, 2014 at 4:25 AM, Nate Finch <nate.finch at canonical.com> wrote:
> >
> >> Today I learned CI isn't running with --debug because they don't want to
> >> expose sensitive data in their jenv... which gets logged when you run with
> >> --debug. However, it also means that we don't get all our really useful
> >> debug log messages when something breaks in CI.
> >>
> >> I made a fix for this (deleting the line that logs the jenv). Please let
> >> me know if there's any reason we shouldn't do this. Logging people's
> >> passwords/secrets is generally a big security no-no anyway, so I hope it
> >> won't be controversial.
> >>
> >
> > I'm +1 on not logging secrets, but I think not logging the .jenv at all
> > will come back to bite us when we're debugging. It'd be better just to
> > sanitise the output by using the EnvironProvider.SecretAttrs method.
> >
> > Also, we log the bootstrap script, and that contains the full bootstrap
> > config. That needs to be sanitised (or suppressed) as well.
> >
> >
> >> https://codereview.appspot.com/98580048
> >>
> >> -Nate
> >>
> >> --
> >> Juju-dev mailing list
> >> Juju-dev at lists.ubuntu.com
> >> Modify settings or unsubscribe at:
> >> https://lists.ubuntu.com/mailman/listinfo/juju-dev
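The sanitising approach discussed in this thread, sketched as an added example that is not part of the original messages and is not Juju's own code: the structured config is copied with secret attributes masked, and free-form debug messages are scrubbed of known secret values. The function names, the `secretKeys` set (standing in for whatever attribute names a provider reports as secret) and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const redacted = "<redacted>"

// SanitizeAttrs copies attrs, masking values under secret keys at any depth.
// secretKeys is an assumed stand-in for the names a provider marks secret.
func SanitizeAttrs(attrs map[string]interface{}, secretKeys map[string]bool) map[string]interface{} {
	out := make(map[string]interface{}, len(attrs))
	for k, v := range attrs {
		if secretKeys[k] {
			out[k] = redacted
		} else if nested, ok := v.(map[string]interface{}); ok {
			out[k] = SanitizeAttrs(nested, secretKeys)
		} else {
			out[k] = v
		}
	}
	return out
}

// ScrubMessage masks known secret values inside a free-form log line, for
// messages that carry a password outside the structured config.
func ScrubMessage(msg string, secrets []string) string {
	sorted := append([]string(nil), secrets...)
	// Longest first, so a secret that contains a shorter one is masked whole.
	sort.Slice(sorted, func(i, j int) bool { return len(sorted[i]) > len(sorted[j]) })
	for _, s := range sorted {
		if s != "" { // an empty secret would match at every position
			msg = strings.ReplaceAll(msg, s, redacted)
		}
	}
	return msg
}

func main() {
	// Constructed sample data, not taken from a real .jenv file.
	attrs := map[string]interface{}{"name": "ci-env", "admin-secret": "hunter2",
		"bootstrap-config": map[string]interface{}{"secret-key": "hunter2-long"}}
	secret := map[string]bool{"admin-secret": true, "secret-key": true}
	fmt.Println(SanitizeAttrs(attrs, secret))
	fmt.Println(ScrubMessage(`login password="hunter2-long"`, []string{"hunter2", "hunter2-long"}))
}
```

The sanitised copy keeps every non-secret attribute, so the output stays useful in pastes, and the input map is left unmodified.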