Bug 2240778 - [ODF 4.12][MCG: DB password showing up in clear text in core and endpoint pod logs]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: Multi-Cloud Object Gateway
Version: 4.12
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ODF 4.14.0
Assignee: Danny
QA Contact: Tiffany Nguyen
URL:
Whiteboard:
Depends On:
Blocks: 2244409
Reported: 2023-09-26 13:14 UTC by nravinas
Modified: 2024-08-29 09:52 UTC (History)

Fixed In Version: 4.14.0-147
Doc Type: Bug Fix
Doc Text:
.PostgreSQL DB password no longer displayed in clear text in core and endpoint logs
Previously, the internal PostgreSQL client in noobaa-core printed a connection parameters object to the log, and this object contained the password used to connect to the PostgreSQL DB. With this fix, the password is omitted from the connection object that is printed to the log, so the log messages contain only the non-sensitive connection details.
Clone Of:
Environment:
Last Closed: 2023-11-08 18:54:58 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | noobaa noobaa-core pull 7504 | 0 | None | Merged | Some core fixes for external DB | 2023-10-04 12:55:18 UTC
Github | noobaa noobaa-core pull 7523 | 0 | None | Merged | [5.14] omit postgres password from log messages in postgres_client | 2023-10-16 09:03:05 UTC
Github | red-hat-storage ocs-ci pull 10213 | 0 | None | Merged | [GSS] Test secrets are not exposed in Noobaa | 2024-08-29 09:52:39 UTC
Red Hat Product Errata | RHSA-2023:6832 | 0 | None | None | None | 2023-11-08 18:56:32 UTC

Description nravinas 2023-09-26 13:14:29 UTC
Description of problem (please be as detailed as possible and provide log snippets):

The pod logs for the core and endpoint MCG pods show the database password in clear text.

Comment 4 Nimrod Becker 2023-10-04 12:55:18 UTC
Was fixed as a larger fix (Epic for 4.15) https://github.com/noobaa/noobaa-core/pull/7504
Trying to see if we can backport only the password thing

Comment 8 Tiffany Nguyen 2023-10-19 03:15:07 UTC
Verified with build "4.14.0-154", there is no DB password showing up in clear text in both noobaa-core and noobaa-endpoint pod logs:


Snipped from noobaa-core logs:

Oct-19 3:08:29.341 [Upgrade/20]    [L0] core.util.postgres_client:: connect called, current url { max: 10, host: 'noobaa-db-pg-0.noobaa-db-pg', user: 'noobaa', database: 'nbcore', port: 5432 }
Oct-19 3:08:29.341 [Upgrade/20]    [L0] core.util.postgres_client:: _connect: called with { max: 10, host: 'noobaa-db-pg-0.noobaa-db-pg', user: 'noobaa', database: 'nbcore', port: 5432 }
Oct-19 3:08:29.764 [Upgrade/20]    [L0] core.util.postgres_client:: _connect: connected { max: 10, host: 'noobaa-db-pg-0.noobaa-db-pg', user: 'noobaa', database: 'nbcore', port: 5432 }

Snipped from noobaa-endpoint logs:

Oct-19 2:58:12.165 [Endpoint/13]    [L0] core.util.postgres_client:: connect called, current url { max: 80, host: 'noobaa-db-pg-0.noobaa-db-pg', user: 'noobaa', database: 'nbcore', port: 5432 }
Oct-19 2:58:12.166 [Endpoint/13]    [L0] core.util.postgres_client:: _connect: called with { max: 80, host: 'noobaa-db-pg-0.noobaa-db-pg', user: 'noobaa', database: 'nbcore', port: 5432 }
Oct-19 2:58:12.858 [Endpoint/13]    [L0] core.util.postgres_client:: _connect: connected { max: 80, host: 'noobaa-db-pg-0.noobaa-db-pg', user: 'noobaa', database: 'nbcore', port: 5432 }
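
The fix and the log check described in this bug, as an added example that is not part of the bug report and is not noobaa-core or ocs-ci code: it logs a copy of the connection parameters with the password removed, then scans log lines for the secret. The function names, the `SECRET_KEYS` list, the JSON log formatting and the sample password are assumptions made for the illustration.

```javascript
'use strict';

// Keys that must never reach a log line. The page names only the password;
// extend this list for other secrets (assumption, not the project's list).
const SECRET_KEYS = ['password'];

// Return a shallow copy of the connection parameters without secret keys.
// The original object is left intact because the client still needs it.
function loggableParams(params) {
    return Object.fromEntries(
        Object.entries(params).filter(([key]) => !SECRET_KEYS.includes(key))
    );
}

// Hypothetical call site: build the message from the sanitized copy only.
function formatConnectLog(params) {
    return 'core.util.postgres_client:: _connect: called with ' +
        JSON.stringify(loggableParams(params));
}

// Verification helper: return the lines that contain the known secret value
// or any password key/value pair, in either JSON or util.inspect style.
function findLeaks(logLines, secret) {
    const keyPattern = /\bpassword\b['"]?\s*[:=]/i;
    return logLines.filter(line =>
        (secret && line.includes(secret)) || keyPattern.test(line));
}

// Constructed sample input; the password is a placeholder value.
const sampleParams = {
    max: 10,
    host: 'noobaa-db-pg-0.noobaa-db-pg',
    user: 'noobaa',
    password: 'EXAMPLE-ONLY-SECRET',
    database: 'nbcore',
    port: 5432,
};

// "before" logs the raw object (the reported behaviour); "after" logs the copy.
const before = 'core.util.postgres_client:: _connect: called with ' +
    JSON.stringify(sampleParams);
const after = formatConnectLog(sampleParams);

console.log(findLeaks([before, after], sampleParams.password));
```

Matching on the key name as well as the secret value lets the same check run on collected pod logs when the tester does not have the password at hand.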

Comment 10 errata-xmlrpc 2023-11-08 18:54:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.14.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6832

