Posted to issues@mesos.apache.org by "Gilbert Song (JIRA)" <ji...@apache.org> on 2017/04/14 17:07:41 UTC

[jira] [Commented] (MESOS-7392) Obfuscate authentication information logged by the fetcher

    [ https://issues.apache.org/jira/browse/MESOS-7392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969258#comment-15969258 ] 

Gilbert Song commented on MESOS-7392:
-------------------------------------

Could we paste an example stderr log here? The sensitive URI can be replaced with xxx.

/cc [~vmohan]

> Obfuscate authentication information logged by the fetcher 
> -----------------------------------------------------------
>
>                 Key: MESOS-7392
>                 URL: https://issues.apache.org/jira/browse/MESOS-7392
>             Project: Mesos
>          Issue Type: Improvement
>          Components: fetcher
>    Affects Versions: 1.0.3, 1.1.1, 1.2.0
>            Reporter: Vishnu Mohan
>
> As reported by Joseph Stevens on DC/OS Community Slack: https://dcos-community.slack.com/archives/C10DCMHK4/p1492126723695465
> {code}
> So I've noticed that the Mesos Fetcher prints the URI it's using in plain text to the stderr logs. This is a serious problem since if you're using something like the mesos spark framework, it uses mesos fetcher under the hood, and the only way to fetch authenticated resources is to pass the auth as part of the URI. This means every time we start a job we're printing a username and password into the task sandbox and consequently into anything that picks up those logs from the agents. Could you guys change that so the password is obfuscated on print when a URI has credentials inside it?
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
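
One way to do the obfuscation requested in the issue, as an added example that is not Mesos code and not part of the original message: the hypothetical helper `redactUriCredentials` rewrites a URI before it is logged, and the URIs in `main` are constructed samples. It assumes RFC 3986 URIs, where a literal `/`, `?` or `#` inside the password is percent-encoded.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper (not a Mesos function): returns `uri` with the secret
// part of any userinfo replaced by "xxx", so the result is safe to log.
std::string redactUriCredentials(const std::string& uri)
{
  // Userinfo can only appear in the authority, which follows "scheme://".
  const std::size_t schemeEnd = uri.find("://");
  if (schemeEnd == std::string::npos) {
    return uri;  // Local path or opaque URI: nothing to redact.
  }
  const std::size_t authorityBegin = schemeEnd + 3;

  // The authority ends at the first '/', '?' or '#' (assumption: such
  // characters inside a password are percent-encoded, per RFC 3986).
  std::size_t authorityEnd = uri.find_first_of("/?#", authorityBegin);
  if (authorityEnd == std::string::npos) {
    authorityEnd = uri.size();
  }

  // Take the LAST '@' inside the authority, so a password containing an
  // unencoded '@' is still fully covered. An '@' in the path is ignored.
  const std::size_t at = uri.rfind('@', authorityEnd - 1);
  if (at == std::string::npos || at < authorityBegin) {
    return uri;  // No userinfo present.
  }

  // "user:password" keeps the user name; a userinfo without ':' may be a
  // bare token, so it is hidden entirely.
  const std::size_t colon = uri.find(':', authorityBegin);
  const std::size_t secretBegin =
    (colon != std::string::npos && colon < at) ? colon + 1 : authorityBegin;

  return uri.substr(0, secretBegin) + "xxx" + uri.substr(at);
}

int main()
{
  // Constructed sample URIs, as a framework might hand them to a fetcher.
  const char* samples[] = {
    "https://alice:s3cret@repo.example.com/app.jar",
    "https://tok3n@repo.example.com/app.jar",
    "https://repo.example.com:8443/builds/a@b.tgz",
    "hdfs:///jobs/app.jar"};
  for (const char* uri : samples) {
    std::cerr << "Fetching URI '" << redactUriCredentials(uri) << "'\n";
  }
  return 0;
}
```

Redacting at the point where the URI is formatted for the log leaves the original string intact for the actual download.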