Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/03/28 10:26:14 UTC

[GitHub] brunogirin opened a new issue #824: Obfuscate secrets when logging information in verbose mode

URL: https://github.com/apache/incubator-openwhisk-wskdeploy/issues/824
 
 
   When using wskdeploy in verbose mode (with the `-v` flag), it logs a lot of information, which is essential for debugging but also includes secret information.
   
   This causes a security risk: developers may set the `-v` flag while debugging a CI script, which means secret information has now leaked into the log. They could remove the `-v` flag and change credentials once their script works but at some point, someone will forget. Conversely, developers debugging a script need to know that all important variables are set properly so something needs to be logged.
   
   An approach I've seen somewhere else (I think it was Ansible but don't quote me on that) is to obfuscate secrets by only keeping the first and last characters, e.g. an auth key could be logged `626930...tEhDm5`: enough to know it's set correctly but not enough to leak the actual value.
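The masking described in the issue could look like the following Go sketch. It is an added example, not part of the original issue and not wskdeploy's code: `MaskSecret`, `VerboseLine`, the six-character window and the list of sensitive-name hints are all assumptions. Values too short to mask safely are reported only as set.

```go
package main

import (
	"fmt"
	"strings"
)

// keep is the number of characters left visible at each end (assumed: 6, as in the issue's sample).
const keep = 6

// sensitiveHints mark a variable name as holding a secret (assumed list, not wskdeploy's).
var sensitiveHints = []string{"auth", "key", "password", "secret", "token"}

// MaskSecret returns a form of secret that is safe to write to a verbose log.
func MaskSecret(secret string) string {
	r := []rune(secret)
	switch {
	case len(r) == 0:
		return "<unset>"
	case len(r) < 4*keep:
		// Showing 2*keep characters here would reveal more than half of the value.
		return fmt.Sprintf("<set, %d chars>", len(r))
	}
	return string(r[:keep]) + "..." + string(r[len(r)-keep:])
}

// VerboseLine formats one name=value pair, masking the value when the name looks sensitive.
func VerboseLine(name, value string) string {
	n := strings.ToLower(name)
	for _, h := range sensitiveHints {
		if strings.Contains(n, h) {
			return name + "=" + MaskSecret(value)
		}
	}
	return name + "=" + value
}

func main() {
	// Constructed sample values, not real credentials.
	fmt.Println(VerboseLine("APIHOST", "openwhisk.example.com"))
	fmt.Println(VerboseLine("AUTH", "626930"+strings.Repeat("a", 24)+"tEhDm5"))
	fmt.Println(VerboseLine("db_password", "hunter2"))
}
```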
