Bug 1843080 - Shouldn't show token in delete and rollover pod logs
Summary: Shouldn't show token in delete and rollover pod logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.5.0
Assignee: Periklis Tsirakidis
QA Contact: Anping Li
URL:
Whiteboard:
Depends On: 1842445
Blocks:
 
Reported: 2020-06-02 17:30 UTC by OpenShift BugZilla Robot
Modified: 2020-07-13 17:43 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:42:56 UTC
Target Upstream Version:
Embargoed:


Attachments
The elasticsearch-delete-xx run.sh (3.78 KB, application/x-shellscript)
2020-06-08 14:42 UTC, Anping Li


Links
System ID Private Priority Status Summary Last Updated
Github openshift elasticsearch-operator pull 371 0 None closed [release-4.5] Bug 1843080: Drop xtrace to ensure token not visible in logs 2020-09-22 20:39:18 UTC
Github openshift elasticsearch-operator pull 391 0 None closed [release-4.5] Bug 1843080: Drop curl verbosity in index management scripts 2020-09-22 20:39:18 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:43:17 UTC

Description OpenShift BugZilla Robot 2020-06-02 17:30:13 UTC
+++ This bug was initially created as a clone of Bug #1842445 +++

Description of problem:
#oc logs elasticsearch-delete-infra-1591002900-rqfmf
++++ cat /var/run/secrets/kubernetes.io/serviceaccount/token
+++ curl -s 'https://elasticsearch:9200/infra-*/_alias/infra-write' --cacert /etc/indexmanagement/keys/admin-ca --cert /etc/indexmanagement/keys/admin-cert --key /etc/indexmanagement/keys/admin-key '-HAuthorization: Bearer [token removed]' -HContent-Type:application/json
++ writeIndices='{"infra-000001":{"aliases":{"infra-write":{"is_write_index":true}}}}'

Version-Release number of selected component (if applicable):
4.5.0

How reproducible:
always

Steps to Reproduce:
1. Deploy clusterlogging 4.5.0
2. Check elasticsearch-delete and elasticsearch-rollover pod logs

Actual results:


Expected results:


Additional info:

Comment 1 Jeff Cantrill 2020-06-03 15:59:35 UTC
Moving to medium because a security risk

Comment 4 Anping Li 2020-06-04 04:05:45 UTC
The PR is in the image. But it still failed.


{
  "io.openshift.build.commit.id": "1278b5f0e61dc3fd1fbad047eb905f0d876a0d68",
  "io.openshift.build.commit.url": "https://github.com/openshift/elasticsearch-operator/commit/1278b5f0e61dc3fd1fbad047eb905f0d876a0d68",
  "io.openshift.build.source-location": "https://github.com/openshift/elasticsearch-operator",
  "io.openshift.maintainer.component": "Logging",
  "io.openshift.maintainer.product": "OpenShift Container Platform",
  "io.openshift.tags": "openshift,logging,elasticsearch",
  "maintainer": "AOS Logging <aos-logging>",
  "name": "openshift/ose-elasticsearch-operator",
  "release": "202006031723",
  "version": "v4.5.0"
}
#
$ oc get pods
NAME                                            READY   STATUS      RESTARTS   AGE
cluster-logging-operator-565c75fd55-xzf9h       1/1     Running     0          91m
curator-1591237800-28b5v                        0/1     Error       0          94m
curator-1591243200-ggtcw                        0/1     Completed   0          4m17s
elasticsearch-cdm-gc0jxyca-1-68c4d68bb8-jld72   2/2     Running     0          98m
elasticsearch-cdm-gc0jxyca-2-7cfd55c65-c26s8    2/2     Running     0          98m
elasticsearch-cdm-gc0jxyca-3-7fc9858bd6-gs5tq   2/2     Running     0          95m
elasticsearch-delete-app-1591243200-6mxjt       0/1     Completed   0          4m17s
elasticsearch-delete-audit-1591243200-8mqv2     0/1     Completed   0          4m17s
elasticsearch-delete-infra-1591243200-dqqth     0/1     Completed   0          4m17s
elasticsearch-rollover-app-1591243200-qqqmz     0/1     Error       0          4m17s
elasticsearch-rollover-audit-1591243200-j87wc   0/1     Error       0          4m17s
elasticsearch-rollover-infra-1591243200-xlwfj   0/1     Error       0          4m17s


#oc logs elasticsearch-rollover-app-1591243200-qqqmz
* About to connect() to elasticsearch port 9200 (#0)
*   Trying 172.30.253.152...
* Connected to elasticsearch (172.30.253.152) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/indexmanagement/keys/admin-ca
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=logging-es,OU=OpenShift,O=Logging
* 	start date: Jun 04 01:25:40 2020 GMT
* 	expire date: Jun 04 01:25:40 2022 GMT
* 	common name: logging-es
* 	issuer: CN=openshift-cluster-logging-signer
> POST /app-write/_rollover?pretty HTTP/1.1
> User-Agent: curl/7.29.0
> Host: elasticsearch:9200
> Accept: */*
> Content-Type:application/json
> Authorization: Bearer [token removed]
> Content-Length: 68
> 
} [data not shown]
* upload completely sent off: 68 out of 68 bytes
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=UTF-8
< content-length: 29
< 
{ [data not shown]
* Connection #0 to host elasticsearch left intact

Comment 5 Jeff Cantrill 2020-06-07 23:32:18 UTC
Moving back to ON_QA. Please test again and make certain you have the image from this build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1218736 It looks to have the same commit hash. Additionally, looking at the commit tree, I don't see how it could display the logs referenced in the previous comment since the `-x` flag is missing: http://pkgs.devel.redhat.com/cgit/containers/elasticsearch-operator/tree/pkg/indexmanagement/scripts.go?h=rhaos-4.5-rhel-7&id=5411ff8aa1d4fd03953af8ad7efb13e71e821d41#n4

Can you hop on the pod and look at the run script to ensure it is absent?  If it is still showing the logs with the token then we have something else going on.
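
Added example, not part of the bug thread and not the operator's own script: a shell sketch of the two leak forms seen above, the xtrace echo of the curl arguments and the `> Authorization:` header line from verbose curl output, with a check that can be run over captured pod logs. The token, the `request` stand-in for curl, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample value in JWT shape; not a real credential.
TOKEN='eyJhbGciOiJub25lIn0.c2FtcGxl.c2ln'

# Hypothetical stand-in for the curl call so the example runs offline.
request() { :; }

# Run the request in a subshell, with or without xtrace, and return
# everything the job would have written to the pod log (stdout + stderr).
run_job() {  # $1 = "xtrace" or "quiet"
  (
    if [ "$1" = xtrace ]; then set -x; fi
    token=$TOKEN
    request -s 'https://elasticsearch:9200/infra-*/_alias/infra-write' \
      "-HAuthorization: Bearer $token"
  ) 2>&1
}

# Count log lines carrying a bearer JWT. The pattern matches both the
# xtrace form ('-HAuthorization: Bearer eyJ...') and the verbose curl
# form ('> Authorization: Bearer eyJ...').
count_bearer_tokens() {
  grep -cE 'Authorization: Bearer eyJ[A-Za-z0-9_-]+\.' || true
}

# Mask the credential in logs that were already captured.
redact_tokens() {
  sed -E 's/(Bearer )[A-Za-z0-9._-]+/\1[REDACTED]/g'
}

# Constructed log excerpt in the verbose curl format shown in comment 4.
SAMPLE_LOG="> POST /app-write/_rollover?pretty HTTP/1.1
> Authorization: Bearer $TOKEN
< HTTP/1.1 401 Unauthorized"

printf 'xtrace on : %s line(s) with a token\n' \
  "$(run_job xtrace | count_bearer_tokens)"
printf 'xtrace off: %s line(s) with a token\n' \
  "$(run_job quiet | count_bearer_tokens)"
printf 'verbose   : %s line(s) with a token\n' \
  "$(printf '%s\n' "$SAMPLE_LOG" | count_bearer_tokens)"
printf '%s\n' "$SAMPLE_LOG" | redact_tokens
```

The same `count_bearer_tokens` filter can be fed from `oc logs <pod>` to confirm that a rebuilt image no longer prints the token.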

Comment 6 Anping Li 2020-06-08 14:42:07 UTC
Created attachment 1696130 [details]
The elasticsearch-delete-xx run.sh

There is still a token.
"io.openshift.build.commit.id": "ae738e44c20d89f6eada143501563e5defbe36c9",
 "io.openshift.build.commit.url": "https://github.com/openshift/elasticsearch-operator/commit/ae738e44c20d89f6eada143501563e5defbe36c9",
 "name": "openshift/ose-elasticsearch-operator",
 "release": "202006080457",
 "vcs-ref": "00fa021b52b07250914d63f7bac7955f4843b7ed",
 "version": "v4.5.0"

Comment 10 Anping Li 2020-06-19 07:46:31 UTC
Verified in clusterlogging.4.5.0-202006161654

Comment 11 errata-xmlrpc 2020-07-13 17:42:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

